The Apache documentation recommends avoiding .htaccess files where possible. For performance and security reasons, it recommends putting directory-specific configuration in the main configuration files, via an include if a large number of directories are specified. The caveat it gives is where the user does not have access to the main configuration files, as is usually the case when the site is hosted in a shared hosting environment. As a web developer you may want your test environment to be as similar to the client's site as possible, so you may want to configure your local web server to use .htaccess files.
The file and Apache directory names used in this post (/etc/apache2 and /var/www) are those from recent versions of Ubuntu with the default site. If you are using a virtual host you'll need to edit the configuration file for that virtual host. If you are using another distribution, the directory containing the configuration files may be different. The editor used in the post is gedit; you can substitute any text editor.
Check basic authentication is enabled
To ensure that basic authentication is enabled on the server, check for the auth_basic.load file in the mods-enabled directory. To do this from the command line, type the following command:
ls -l /etc/apache2/mods-enabled/auth_basic.load
Alternatively you can browse to the directory using your favourite file manager. If this file does not exist you will need to execute the following commands
cd /etc/apache2/mods-enabled
sudo ln -s ../mods-available/auth_basic.load .
The module will not take effect until the Apache server is restarted; see below for the command.
Enable Apache to read .htaccess file
Earlier versions of the Apache web server enabled the use of .htaccess files by default; in recent versions it is disabled. To enable it, edit the site file to include at least AuthConfig in the AllowOverride directive for the highest-level directory in which you wish to use a .htaccess file. To enable it for the entire site, include this directive for the DocumentRoot.
Open the site file using your favourite editor, ensuring that you have superuser privileges. This is achieved from the command line as follows:
gksu gedit /etc/apache2/sites-enabled/default
This contains the DocumentRoot directory (by default on the Ubuntu apache2 package this is /var/www). Below this is the Directory section, and within it is the AllowOverride directive. This should be changed from
AllowOverride None
to
AllowOverride AuthConfig
or, if you want to allow changes to more than authentication in the .htaccess file, you may want to specify
AllowOverride All
The relevant sections of your site file will now be as follows:
...
DocumentRoot /var/www
...
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride AuthConfig
    Order allow,deny
    allow from all
</Directory>
...
Again, this change to the main configuration file will not take effect until Apache is restarted.
Restart Apache web server
On Ubuntu services are restarted using the service command.
service apache2 restart
On other distributions you will probably use the following:
/etc/init.d/apache2 stop; /etc/init.d/apache2 start
Configuring the .htaccess file
With Apache configured to read .htaccess files, we can now create a .htaccess file in the directory to which we want to restrict access. For the purposes of this post we are using a directory called private in the DocumentRoot (/var/www).
Create the directory if it does not already exist, using the command
cd /var/www
mkdir private
Change to the directory
cd private
Create the .htaccess file
gedit .htaccess
Add the following content to the file:
AuthType Basic
AuthName "Private Area"
AuthUserFile /var/www/private/.htpasswd
Require valid-user
Save the file and create the password file specified by adding the first user
htpasswd -c .htpasswd newusername
You will then be prompted to enter a password for the user. Type the password, press Enter, then repeat the password.
Now you can create content in the directory that is password protected.
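To check the result of the steps above, the following script (an added example, not part of the original post) reads a protected directory's .htaccess, confirms the four directives are present, and inspects the password file that AuthUserFile points to. It also reports a password file that sits inside the DocumentRoot, as the one in this post does, because the Apache documentation advises keeping that file somewhere not reachable from the web. The function names and finding labels are made up for this example.

```sh
#!/bin/sh
# Added example, not from the original post. Audits one directory protected
# the way this post describes. Function names and finding labels are made up.

findings=0
report() { echo "$1"; findings=$((findings + 1)); }

# Print the argument of the first matching directive in a file, skipping
# comment lines and stripping surrounding double quotes. Names are matched
# case-insensitively, as Apache does.
directive_value() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^[ \t]+/, ""); gsub(/^"|"$/, ""); print; exit
        }' "$2"
}

# audit_htaccess_dir <protected-dir> <document-root>
# Prints one line per finding and returns 0 only when there are none.
audit_htaccess_dir() {
    dir=${1%/}; docroot=${2%/}; ht="$dir/.htaccess"; findings=0
    if [ ! -f "$ht" ]; then
        report "MISSING: $ht"; return 1
    fi
    for d in AuthType AuthName AuthUserFile Require; do
        [ -n "$(directive_value "$d" "$ht")" ] || report "MISSING-DIRECTIVE: $d"
    done
    pw=$(directive_value AuthUserFile "$ht")
    if [ -n "$pw" ]; then
        if [ ! -s "$pw" ]; then
            report "NO-USERS: $pw is missing or empty"
        elif [ -n "$(find "$pw" -perm -004)" ]; then
            # Password hashes should not be readable by every local account.
            report "WORLD-READABLE: $pw"
        fi
        # Inside the DocumentRoot the file is kept from visitors only by the
        # server rule that denies requests for names starting with .ht
        case "$pw" in
            "$docroot"/*) report "INSIDE-DOCROOT: $pw" ;;
        esac
    fi
    [ "$findings" -eq 0 ]
}
```

Source the file and run audit_htaccess_dir /var/www/private /var/www. With the layout from this post it reports INSIDE-DOCROOT, plus WORLD-READABLE if the password file's mode allows other users to read it.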