Skip to main content

Securing sensitive content is essential for protecting data integrity and user privacy. One effective way to implement security is by restricting access to specific directories or resources using either Apache or Nginx authentication tools. This provides a comprehensive reference for configuring password protection on both Apache and Nginx web servers using the htpasswd utility.

Whether you are setting up a private section of your website, managing administrative panels, or securing confidential documents, this step-by-step tutorial ensures proper implementation of password-based access control. It covers everything from installing the necessary tools to configuring authentication and troubleshooting common issues.

Follow this guide to enhance the security of your web server and ensure only authorised users can access sensitive content.

Goal: Restrict content access through username and password entry.

 

1: Apache Utilities Package

Update Server Packages

First, update your server’s package index:

sudo apt update

 

Install Apache Utilities for htpasswd

How come I need to install apache-utils?  To restrict access you will be using a utility called htpasswd, which is part of the apache2-utils package.  To install execute the command:

sudo apt install apache2-utils

With this installed, you now have access to the htpasswd command.

 

2 Create the Password File

Generate a .htpasswd File

Now you can create a password file using the htpasswd.  Create a hidden file for this purpose called .htpasswd within your /etc/apache2 configuration directory.

Create a password file using htpasswd. Store it in a secure directory such as /etc/nginx/ or /etc/apache2/ depending on your server type:

sudo htpasswd -c /etc/{server}/.htpasswd {username}

Replace {server} with nginx or apache2.

Enter and confirm the password when prompted:

New password:
Re-type new password:

 

Add More Users

Remember when you create more user's to leave out the -c argument so you don’t overwrite the file:

sudo htpasswd /etc/{server}/.htpasswd {next_user}

 

Overwrite a User’s Password

To update or override an existing user’s password:

sudo htpasswd /etc/{server}/.htpasswd {username}

This command allows you to reset the password without removing the user.

 

Verify File Contents

You can check the .htpasswd file contents to confirm its contents by using the command:

cat /etc/{server}/.htpasswd

The response lists the usernames and passwords.  However, the passwords are encrypted.

 

3 Configuring password authentication

Begin by editing the Apache configuration and add password protection to the virtual host file.  Generally this option delivers better performance as it avoids the expense of reading distributed configuration files.

Look into the virtual host file that you wish to add an access restriction.  Such as /etc/apache2/sites-available/your_domain.conf file that holds the virtual host.  I didn't have a /etc/apache2/sites-available directory.  However, following a find command, I found site-available directory in the nginx directory.

sudo find / -name sites-available -type d

Response

/etc/nginx/sites-available

Flag here is the only directory is in the Nginx directory.  So go no further and change over the Nginx instructions.  However, if you response was /etc/apaches/site-available then continue reading.  In this directory I had two files

ckan
default

Open up the file with a command-line text editor such as nano

sudo nano default.conf

 

Nginx Configuration

Locate your Nginx configuration file, typically

sudo nano /etc/nginx/sites-available/default

Add the following block inside the server configuration

location /protected/ {
   auth_basic "Restricted Content";
   auth_basic_user_file /etc/nginx/.htpasswd;
}

Replace /protected/ with the path you wish to protect.

 

Apache Configuration

Locate your Apache configuration file, typically:

sudo nano /etc/apache2/sites-available/default.conf

Add the following block inside the virtual host configuration

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName CKAN
    ServerAlias {url}
    DocumentRoot {path/to/directory}
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory "{path/to/directory}">
      AuthType Basic
      AuthName "Restricted Content"
      AuthUserFile /etc/apache2/.htpasswd
      Require valid-user
    </Directory>
</VirtualHost>

Replace {path/to/directory} with the directory path you wish to protect.

 

4. Test and Restart the Server

Nginx

Test Nginx configuration

sudo nginx -t

Restart Nginx

sudo systemctl restart nginx

 

Apache

Test Apache configuration

sudo apachectl configtest

Restart Apache

sudo systemctl restart apache2

 

 

5. Password Limitations and Guidelines

 

Password Restrictions

  • Spaces are not allowed in passwords as they are treated as separators
  • Use only alphanumeric characters and symbols such as ! @ # $ % ^ & * - _
  • Avoid passwords shorter than 8 characters for security reasons
  • Passwords are case-sensitive

 

Override an Existing Password

To reset a password for an existing user, simply run

sudo htpasswd /etc/{server}/.htpasswd {username}

This replaces the previous password without requiring removal or recreation of the user.

 

Testing Password Authentication

After making changes, restart Apache to apply updates

sudo systemctl restart apache2

Then, navigate to the protected directory using a browser. When prompted, enter the username and password.

 

6. Troubleshooting Tips

Permission issues: Ensure the .htpasswd file has correct permissions

sudo chmod 640 /etc/{server}/.htpasswd
sudo chown root:www-data /etc/{server}/.htpasswd

Configuration errors: Check Apache logs

Nginx

sudo tail -f /var/log/nginx/error.log

Apache

sudo tail -f /var/log/apache2/error.log

 

Cache problems: Clear the browser cache if authentication prompts fail repeatedly.

 

The wrap

Whether your web server is Nginx or Apache that it is configured for password-protected access, securing sensitive directories effectively. Follow these steps carefully to implement authentication, and make sure to test access after each change.

Related articles

Andrew Fletcher21 Nov 2024
How to update your Ubuntu server efficiently
Maintaining your Ubuntu server is essential to ensure it operates smoothly, stays secure, and benefits from the latest features. Whether you're managing a server for personal projects or enterprise-level applications, regularly updating your system is a critical best practice. Here’s a...