Today the world is insecure, and we have to provide different types of security measures such as authentication. With HTTP servers like Apache or Nginx, we can use HTTP Basic Authentication, an authentication protocol provided by the web server. We can use the htpasswd tool to create an HTTP Basic Authentication database and its users. Using application-level authentication is a better solution, by the way.
Install htpasswd Tool
htpasswd is provided by the Apache Utils package for Ubuntu, Debian, Mint and Kali. We can install it with the following command.
$ sudo apt install apache2-utils
Install Htpasswd Tool For Fedora, CentOS, RHEL
RPM-based distributions like Fedora, CentOS and RHEL name the Apache package httpd, so we can install htpasswd with the following command.
$ sudo yum install httpd-tools
Create Htpasswd Database and User
We will create a user password database with the -c option, providing related information like the database file name, user, and password. In this example, we will create a database named .htpasswd with the username ismail and a password. Note that -c rewrites the file if it already exists, so it is only used when creating the database.
$ htpasswd -c .htpasswd ismail

List htpasswd Users
We can list existing users by printing the database file with the cat command, because our file named .htpasswd is just a text file where the password is stored in hashed form. The database file is located under the current directory where the htpasswd command was executed.
$ cat .htpasswd

In the database file content we can see two columns delimited with the : character. The first column contains the user name, which is ismail, ahmet, ali in this case, and the second column stores the password in hashed form.
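An added example, not part of the original article: a small shell helper that reads the two-column file described above and reports which hash scheme each entry uses, so entries stored with schemes the htpasswd manual calls insecure (crypt, SHA-1, plaintext) can be re-created. The function names and the sample entries (placeholder hash bodies, not real hashes) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.

# Print "user scheme" for every entry of the htpasswd-style file in $1.
htpasswd_schemes() {
    awk -F: '
        /^(#|$)/ { next }                     # skip comment and blank lines
        NF < 2   { print $1, "malformed"; next }
        {
            h = $2                            # second column: the stored hash
            if (index(h, "$2y$") == 1 || index(h, "$2a$") == 1 ||
                index(h, "$2b$") == 1)        s = "bcrypt"
            else if (index(h, "$apr1$") == 1) s = "apr1-md5"
            else if (index(h, "$5$") == 1)    s = "sha256-crypt"
            else if (index(h, "$6$") == 1)    s = "sha512-crypt"
            else if (index(h, "{SHA}") == 1)  s = "sha1-unsalted"
            else if (length(h) == 13)         s = "des-crypt"
            else                              s = "plaintext-or-unknown"
            print $1, s
        }' "$1"
}

# Print the users whose entry uses crypt, SHA-1 or plaintext storage.
htpasswd_weak_users() {
    htpasswd_schemes "$1" |
        awk '$2 ~ /^(sha1-unsalted|des-crypt|plaintext-or-unknown)$/ { print $1 }'
}

# Constructed sample file: user names from the article, placeholder hashes.
sample_htpasswd() {
    cat <<'EOF'
# constructed sample, placeholder hash bodies
ismail:$apr1$SALTSALT$PLACEHOLDERPLACEHOLDER
ahmet:$2y$05$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD
ali:{SHA}PLACEHOLDERPLACEHOLDERPLACE=
EOF
}

# Demo run against the constructed sample.
tmp=$(mktemp)
sample_htpasswd > "$tmp"
htpasswd_schemes "$tmp"
echo "weak entries: $(htpasswd_weak_users "$tmp")"
rm -f "$tmp"
```

To audit a real file, call `htpasswd_schemes /etc/apache2/.htpasswd`; a flagged user can be re-created with a stronger scheme by setting the password again.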
Change Existing User Password
To change an existing user's password, we just need to provide the user name again, as when creating it from scratch. This will ask us for the user's password again. In this example, we will change the password of ismail.
$ htpasswd .htpasswd ismail

As we can see from the output, we have successfully updated the password of ismail.
Remove User From htpasswd File
If we want to prevent a user from accessing the site, we should remove that user from our database. We will use the -D option and specify the user name we want to remove. In this example, we will remove the user named ali.
$ htpasswd -D .htpasswd ali

Configure Authentication For Apache
Up to now, we have learned how to manage user databases. In this part, we will look at how to configure Apache for basic authentication. The following configuration is put into the main Apache configuration file or into a site configuration such as a virtual host.
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    <Directory "/var/www/html">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
- In this configuration, we assume that our database file named .htpasswd is located at /etc/apache2/.htpasswd
- This authentication will be applied to the directory /var/www/html
For the configuration to take effect, we should restart the Apache2 server after saving the configuration.
Check HTTP Basic Authentication
If we try to browse the web page, we will get a prompt asking for the username and password, which will be checked against our .htpasswd file.
