How do I password protect an Apache website?
I added .htaccess
AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/the/directory/you/are/protecting/.htpasswd
require valid-user
and .htpasswd
username:password
However, it is not working. It doesn't prompt me for login.
Your .htaccess file looks fine. The only reason it is not working as you have it is that Apache is configured to ignore it.
In your apache config, ideally in the sites-* config file, add:
<Directory /path/to/the/directory/you/are/protecting/>
AllowOverride AuthConfig
</Directory>
The AllowOverride directive is what allows the htaccess file to function. By default, most Apache setups have it turned off (set to None actually), including Ubuntu/Debian.
In your .htpasswd file, the password must be encrypted. You can do this most easily using the htpasswd tool that mezgani suggested. It will look like this if you read the file:
bob:abJnggxhB/yWI
With the AllowOverride directive set to at least AuthConfig, your .htaccess file in place, and your .htpasswd containing a user with an encrypted password, you should be good to go.
First, add this following to your apache config:
<Directory /path/to/the/directory/you/are/protecting/>
AllowOverride AuthConfig
Options Indexes MultiViews FollowSymLinks
deny from all
Order deny,allow
</Directory>
After, you may create the .htpasswd file that will contain your login and password with htpasswd command and not manually
htpasswd -c /path/to/the/directory/you/are/protecting/.htpasswd username
I think that moving the .htpasswd file somewhere different from the path of the directory that you are protecting is more secure.
Also, For security reasons, please read this article on securityfocus