GNU+Linux command memo

Lock Apache web folder with htaccess

Password-protect access to a folder served on the web by the Apache web server.

Breaking this protection requires hacking the Apache web server or the hosting machine, not "only" a web application.

This keeps web crawlers away, whereas a robots.txt file is just a notice posted on an open door.

This can also protect your web application from crawlers that look for security holes, if you are in an "intranet"-style scenario.

We need to add two files to the folder: .htaccess and .htpasswd

$ cd /var/www/web-folder-to-protect
$ vi .htaccess
AuthUserFile /…/.htpasswd (1)
AuthName "Dites ami et entrez" (2)
AuthType Basic
require valid-user
1 Absolute path to a readable .htpasswd
2 Optional
$ pacman -S whois (1)
$ mkpasswd
Mot de passe : (2)
$y$j9T$PiRPvEKe86T6/hH/Rdlh90$eQbrTxlziyxQL3CTAlCFS5BmzMysCcAi5Dd/HYkTqL8 (3)
1 If the mkpasswd command is not available, you can install it this way on Artix Linux
2 Type the desired password here; it will not be shown on the screen (it is not echoed)
3 Example of the hashed password that is returned
$ vi .htpasswd
lucy:$y$j9T$PiRPvEKe86T6/hH/Rdlh90$eQbrTxlziyxQL3CTAlCFS5BmzMysCcAi5Dd/HYkTqL8 (1)
1 This line allows the user named lucy to authenticate with the password that produces this hash

Reload the page (or folder) in your web browser to verify that it really asks for credentials. If it does not, you might not be using Apache / Apache2, or the file permissions or the file path might be wrong.
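
A pre-flight check for the two causes named above (bad file rights, bad file path), as an added example that is not part of the original memo. The function name check_htaccess_dir and the sample folder built by demo are constructed for illustration; the check also catches a callout marker such as "(1)" copied into .htpasswd.

```shell
#!/bin/sh
# Added example: sanity-check a folder set up as in this memo.
# Usage: sh check_htaccess.sh /var/www/web-folder-to-protect
# Run it as the account Apache runs as, so -r tests the rights Apache has.

check_htaccess_dir() {
    ht="$1/.htaccess"; problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }
    [ -r "$ht" ] || { fail "$ht is missing or unreadable"; return 1; }

    # Directives the memo puts in .htaccess (Apache matches names case-insensitively).
    grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$ht" || fail "no 'AuthType Basic'"
    grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user' "$ht" || fail "no 'require valid-user'"

    # AuthUserFile must be an absolute path to a readable file (paths with spaces not handled).
    pw=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$ht" | tr -d '"')
    case $pw in
        '') fail "no AuthUserFile directive" ;;
        /*) [ -r "$pw" ] || fail "AuthUserFile $pw is missing or unreadable" ;;
        *)  fail "AuthUserFile '$pw' is not an absolute path" ;;
    esac

    if [ -f "$pw" ] && [ -r "$pw" ]; then
        # Every entry must be exactly user:hash; a pasted callout such as " (1)" breaks it.
        bad=$(grep -Evc '^[^:]+:[^[:space:]]+$|^#|^$' "$pw" || true)
        [ "$bad" -eq 0 ] || fail "$bad malformed line(s) in $pw"
        # $2y$/$2a$, $apr1$ and {SHA} are verified by Apache's own code; any other
        # scheme (the memo's $y$ hash included) is handed to the system crypt(3).
        grep -Evq '^[^:]+:(\$2[ay]\$|\$apr1\$|\{SHA\})|^#|^$' "$pw" &&
            echo "NOTE: $pw has hashes that depend on the system crypt(3)"
    fi
    [ "$problems" -eq 0 ]
}

demo() {   # constructed sample: the memo's files with the "(1)" callout pasted in by mistake
    d=$(mktemp -d)
    printf 'AuthUserFile %s/.htpasswd\nAuthType Basic\nrequire valid-user\n' "$d" > "$d/.htaccess"
    printf 'lucy:$y$j9T$constructed$hash (1)\n' > "$d/.htpasswd"
    check_htaccess_dir "$d" || echo "-> fix the problems listed above"
    rm -rf "$d"
}
if [ "$#" -gt 0 ]; then check_htaccess_dir "$1"; else demo; fi
```

Once it reports no problems, an unauthenticated request to the folder should be answered with 401 and a WWW-Authenticate: Basic header; if it is not, the server may be ignoring .htaccess files.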