How to configure basic authentication in Apache httpd virtual hosts?

apache-2.2 authentication httpd mercurial http-authentication

171,329

Solution 1

You should place this inside a Location directive:

<VirtualHost *:8080>

<Location /> #the / has to be there, otherwise Apache startup fails
            Deny from all
            #Allow from (You may set IP here / to access without password)
            AuthUserFile /usr/local/etc/httpd/users
            AuthName authorization
            AuthType Basic
            Satisfy Any # (or all, if IPs specified and require IP + pass)
                        # any means neither ip nor pass
            require valid-user
</Location>
...
</VirtualHost>

Solution 2

I am running Apache2 on ubuntu 10.04 — same problem and thanks for the solution. I found that I had to put the configuration in /etc/apache2/apache2.conf

You can generate the username and password using htpasswd. New file:

$ htpasswd -c /srv/auth/.htpasswd squire

To append to existing file:

$ htpasswd -b /srv/auth/.htpasswd squire2 tickleme2

Solution 3

You can protect a Location or a Directory. For a Directory add something like:

<Directory /some/dir/cgi-bin/>
    Options +ExecCGI
    AddHandler cgi-script .cgi
    AuthType Basic
    AuthName 'Private scripts'
    AuthUserFile '/some/other/dir/.htpasswd'
    Require valid-user
</Directory>

You can also add Deny and Allow directives for a finer control.

Solution 4

It sounds like you're specifying the authentication settings within the VirtualHost. Typically, these settings are specified under the Directory directive.

You could also use .htaccesss files, but specifying in the Apache conf is a good default, as it has less exposure.

Apache Documentation

Solution 5

I'm running Apache2 on ubuntu 10.10. I've been having problems with all the solutions above, but this worked well (from apache docs):

<Directory /var/www/>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride All
  Order allow,deny
  allow from all
  AuthType Basic
  AuthName "Restricted"
  AuthBasicProvider file
  AuthUserFile /etc/users
  Require user visitor
</Directory>

The biggest difference from the answers above seems to be the AuthBasicProvider directive set to "file" and the Require directive including the "user" bit before the actual username.

Hope this helps someone.

View more solutions

171,329

Jader Dias

Updated on September 17, 2022

Comments

Jader Dias almost 2 years

I'm trying to configure mercurial access using Apache http. It requires authentication. My /etc/apache2/sites-enabled/mercurial looks like this:

NameVirtualHost *:8080

<VirtualHost *:8080>
    UseCanonicalName Off
    ServerAdmin  webmaster@localhost
    AddHandler cgi-script .cgi
    ScriptAliasMatch ^(.*) /usr/lib/cgi-bin/hgwebdir.cgi/$1
</VirtualHost>

Every tutorial I read on the internet tells me to insert these lines:

AuthType Basic
AuthUserFile /usr/local/etc/httpd/users

But when I do it I get the following error:

# /etc/init.d/apache2 reload
Syntax error on line 8 of /etc/apache2/sites-enabled/mercurial:
AuthType not allowed here

My distro is a customized Ubuntu called Turnkey Linux Redmine

shorif2000 about 11 years

this does not work for me. <Location /opt/mcmap/shapefiles.php> AuthType Kerberos AuthName KerberosLogin KrbServiceName HTTP/intranet.spectrumasa.com KrbMethodNegotiate On KrbMethodK5Passwd On KrbAuthRealms DOMAIN.COM Krb5KeyTab /etc/httpd/conf/intranet.keytab require valid-user Options Indexes MultiViews FollowSymLinks AllowOverride All Order allow,deny Allow from all SetOutputFilter DEFLATE </Location>
Buttle Butkus almost 11 years

The apache doc page explains all this, but annoyingly never gives you a complete example. I copied part of their example, but missed the require valid-user portion. A complete example can be a wonderful thing. Thanks.
agbb over 8 years

@sharif should be <Location />, meaning access to the root url of yourhost.com/ should require that auth configuration
Sz. over 7 years

Why was <Location /> edited to <Location> with an internal log message of "fixed ... to avoid a lot of trouble", but telling nothing about the real reason in the answer itself? There is no such thing as a <Location> directive (i.e. one without a location) in Apache. That definitely causes trouble now. ;) (See e.g. above.)
Colin 't Hart over 2 years

This answer contains an annoying mix of old and new directives. Remove the Deny from all and Satisfy Any and disable the module mod_access_compat for a cleaner solution.