Skip to end of metadata
Go to start of metadata


In this article we explain how you can utilize the apache authentication to restrict access to you website or parts of your website.


The server software is configured to enable you to use the apache authentication. You have to create the files .htaccess and .htpasswd. These files are protected by the server software so you can not download or view them with your web browser.

All you need is a text editor to create two text files, a web browser to generate passwords for users that should be able to access the restricted pages and an ftp client to transfer the files to the server.

Important Hint for Windows User

While saving the files ensure that the file name will not be extented with 'txt', 'doc' or similar. The 'Save Files as...' dialog in Notepad for example extends your filename automatically with '.txt'. After you clicked on "save File as...' click on the drop down option list for 'Save as type:' and select 'all Files'. Now you can save the file. You can not change the name of files beginning with '.' in the Windows Explorer. If you created the files with an extension transfer the files with your ftp client to the server and use the rename function of your ftp client to change the name.

Step by Step

1. Step - Which users should have access to your restricted pages?

Compile a list of users that should have access to your restricted pages. Start your web browser and open the page Here you can enter the username and a password. Click on 'generate' to generate the entry needed for your .htpasswd file.

Copy the generated line into your text editor. Repeat that for every additional user. Please mind to have only 1 user per line in your text file.

Save the file as .htpasswd

Your .htpasswd should look like this:


2. Step - the .htaccess

The second step is to create the .htaccess file. With this file you configure the authentication. You need the following entries:

  • AuthName: This name is often shown by the client as name of the login dialog.
  • AuthType: Type of authentication. Choose Basic.
  • AuthUserFile: Full path to your .htpasswd file. This could be /home/yourusername/.htpasswd or /home/yourusername/restriced/.htpasswd
  • Require user: All users who should have access need to be here.

Here is a simple example of the .htaccess file:

Authname "Restricted Area - Please login"
AuthType Basic
AuthUserFile /home/makaiser/.htpasswd
require user makaiser tschmidt

You can copy this example into your text editor, make all necessary changes and save the file as .htaccess

3. Step - Transfer files to

Now you can transfer the files to the server. Open your ftp client and connect to Transfer the .htpasswd file to the place you wrote in the .htaccess file and the .htaccess file into the folder that should have restricted access.

4. Step - Test the authorization

Test, if authorization works. Start your web browser and open your restricted website. You should get a login dialog. Enter a username with the corresponding password and login. If you can see your website authorization seems to be okay. Congratulations for your first apache authenticated website! If not, you should get a message with Error 500. Please check your .htaccess file for errors and also that the .htpasswd file is in the right place.

Additional Information

Multiple .htaccess files

You can create different .htaccess files for different directories. But you will need only one .htpasswd file. Everey .htaccess file can point to the same .htpasswd file. Please mind that if you like to add some users to your .htpasswd file to copy the file from the server to your computer or use a local copy of that file and edit this file. If you create a new one it might happen that you overwrite your old file and all old entries will be lost.

More Information

If you want to know more about apache you can use the apache documentation at More information about apache authentication can be found at


  1. Even thought this does not concern me, I wanted to point out one small issue.

    How safe is the password generator provided by you? It is using a) plain HTTP protocol b) GET type queries - which basically means that if the logs of the ircitweb.* server leak out - everyone will have all the username/password combinations. Not to mention that the administrator of the server will have them as well (obviously). Is this not a very bad thing to do as many people use the same passwords over and over again? Wouldn't a simple java applet (executed client-side) be more secure for this purpose? Maybe even JavaScript could suffice (I do not remember ATM if there are required functions there...).



    1. Thanks for the feedback. The URL has been changed to point to httpS.

      The original request was for passwords for easy sharing of protected content. So we provided a quick way to generate that password for as most people as possible with the least imaginary requirements.

      Server administrator is IRC-IT, as well as for the Faculty Web Service, so there is no increased privilege due to access to the logs for the administrator.

  2. this article lead me to relook at the existing intranet we have for the jcll executive masters program.

    but it appears to no longer work.

    AuthType Basic
    AuthName "Exec Intranet"
    AuthUserFile /srv/www/imperia/htdocs/schools/jacobs/teaching/professional/exec/intranet/.htusers
    require valid-user

    for example – akm:akKQJk60Dj92M

    why might this not be working? It used to ...

    "concerned in cleveland"