.htaccess Based Authentication On Subdirectories

Author: Nayyar Ahmad

Contact:  nayyares *AT* gmail *DOT* com

Homepage:  www.cbtcandy.org

Dedication: To Baji, for all those efforts, she did for me.


.htaccess is used to provide facility of changing configuration per directory basis, this file can contain one or more directives that are going to be forced on the directory that contains the.htaccess file.

.htaccess is a popular name of this configuration modification file, you can change this default name by changing AccessFileName parameter in Apache config file. i.e.

AccessFileName .anyname

In this howto, I will take a dummy scenario of two parallel level subdirectories and will implement password authentication on both of them. This means only those users can access these directories that have the correct username and password.

So it begins :) 

Here I am assuming that your DocumentRoot directory is /var/www/html but if you have VirtualHost configuration or even Apache is configured on some other root directory then you can adjust this according to your situation.

Note: I will take two dummy names for these directories as test-dir1 and test-dir2.


1  Creating Directory:

$ cd  /var/www/html
$ mkdir  test-dir1
$ mkdir test-dir2


2  Test HTML File Creation:

Creating html file in first directory. 

$ cd  /var/www/html/test-dir1
$ cat > index.htm

<head> TEST PAGE IN TEST-DIR1. </head>


Creating html file in second directory.

$ cd /var/ www/html/test-dir2
$ cat  > index.htm

<head> TEST PAGE IN TEST-DIR2.</head>



3  Browsing Test Pages:

Now you can browse and test, whether the pages are available or not, by opening any web browser, I like Firefox (as it rocks :) ) and type:


This will display the first directory test page, and


will display the second test page in test-dir2.

If you are able to see both pages, it means that you are almost about to rock .htaccess. 


4  .htaccess File Creation: 

$ cd  /var/www/html/test-dir1
$ vi  .htaccess

Write the following lines into this file:

AuthName "Authorized Users Only."

AuthType Basic

AuthUserFile /etc/httpd/conf/.htpasswd

require user testusr

Now I will explain, what magic lines we have written in this file:

AuthName parameter just defines the title of the password entry box when the user logs in, while the AuthType tells the server what sort of processing is in use, and Basic is the most common and perfectly adequate for almost any purpose.  AuthUserFile  is used to define the .htpasswd file location, this files contains the  password of the user who is going to be authenticate  in .htaccess file. require user is used to identify the trusted user, if there are more than one trusted user, then you can specify their names in a space saparated list.

Now to make test-dir2 protected by .htaccess, we need to copy it from test-dir1 to test-dir2  with the following command:

$ cp /var/www/html/test-dir1/.htaccess   /var/www/html/test-dir2/


5 User Creation:

Here we will create a test user to check our .htaccess  :)

$ adduser   testusr
$ passwd   testusr


6 Telling Apache About Users:

Now we have to inform Apache about the user and its password, but before going into this step there is a social duty on me i.e. to explain both RPM and source Apache installation difference. :) If you have installed Apache from RPM then it will install all related commands in your /usr/local/bin, so no problems, you can give htpasswd command anywhere in your system, but if you have installed Apache from source then you have to find the Apache bin directory to execute the htpasswd command. In this HowTo I will give both ways, here it is:

$ htpasswd  -c /etc/httpd/conf/.htpasswd  testusr

The above command will work if you have htpasswd in your /usr/local/bin and it happens if you install Apache from RPM. /etc/httpd/conf/.htpasswd is the location of file that will contain the authenticated/trusted user password.


$ cd /apache/bin/
$ ./htpasswd -c /etc/httpd/conf/.htpasswd   testusr

The above commands correct if you have installed Apache from the sources, $ cd /apache/bin can be adjusted according to your system, as maybe you have installed it somewhere else.


7 .htpasswd File Permission:

We need to set the file permission of the .htpasswd file and make the apache user the owner of this file. 

$ chown apache.apache  /etc/httpd/conf/.htpasswd 


8  Editing httpd.conf:

Now we have to edit the httpd.conf, as Apache needs to be informed about .htaccess, here we will change AllowOverride All | none to Authconfig, now there are two cases, one if you are hosting just one site and other if you are having VirtualHost, here is the First Case:

In this case you, we have only one Directory tag in httpd.conf file as we are hosting just one site, so we will edit the <Directory> tag for /var/www/html.  

<Directory "/var/www/html">
  AllowOverride AuthConfig
  Order allow,deny
  Allow from all

Now for second case, when we have several sites hosted, i.e. VirtualHost:

<VirtualHost www.cbtcandy.org>
  DocumentRoot /var/www/html/cbtcandy
  ServerName www.cbtcandy.org
  <Directory /var/www/html/cbtcany> 

    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
    Options -Indexes


9  Restarting Apache:

Now you have to restart the Apache server to reload the configuration.

For RPM based system: 

$ service httpd restart

For source based system, adjust your Apache's bin directory path.

$ /apache/bin/apachectl restart


10  Testing:

Now everything is ready to be tested, again open your favourite browser and try to open the following links:




Note: When you browse these linksyou will be asked for the username and password, once you provide them it will take you to the test page. But once you log in to one directory it will not require the username and password for the other test directory, as Apache will not ask for the username and password again and again for directories equal in level or subdirectories. So once you are authenticated the child and parallel directories are open to use. But if you still want to check them then use links text based browser, that is what I do for checking them.

Share this page:

5 Comment(s)

Add comment

Please register in our forum first to comment.



Nice easy to understand article! I just wanted to add a really useful snippet of code that I use all the time when developing sites.

The following code uses your htaccess authentication but incorporates the "Satisfy Any" and "Allow" directives to allow google, CSS and XHTML validation via w3.org, and the web developers IP to access the site without being prompted for a password. Everyone else is prompted for a password.  

# Allow google and developers IP access without pw
AuthName "Authorized Users Only."
AuthType Basic
AuthUserFile /etc/httpd/conf/.htpasswd
require user testusr
Order deny,allow
Deny from all
Allow from
Allow from w3.org
Allow from htmlhelp.com
Allow from googlebot.com
Allow from google.com
Allow from google-analytics.com
Satisfy Any

More info/snippets

By: Anonymous

Thanks! Yust what I'm looking for :-)

By: Anonymous

Perfect! thanks vm

By: sohbet

thank you

By: surbhi

hey its nice tutorial regarding .htaccess :)