Apache Authentication in htaccess

How to password-protect, Allow or Deny a visitor based on a condition. If you are having trouble getting htaccess-based password protection to work see: Troubleshooting htaccess Authentication: Getting it to work

Generate Your authentication htpasswd files with my free Online Password Generator!

Require password for 1 file only

Order deny,allow
Deny from all
AuthName "htaccess password prompt"
AuthType Basic
AuthUserFile /web/
Require valid-user

Protect multiple files:

Order deny,allow
Deny from all
AuthName "htaccess password prompt"
AuthUserFile /.htpasswd
AuthType basic
Require valid-user

Using the Apache Allow Directive in htaccess

Allow network/netmask pair

Order deny,allow
Deny from all
Allow from

Allow IP address

Order deny,allow
Deny from all
Allow from

Allow More than 1 IP address

Order deny,allow
Deny from all
Allow from

Allow Partial IP addresses, first 1 to 3 bytes of IP, for subnet restriction

Order deny,allow
Deny from all
Allow from 10.1
Allow from 10 172.20 192.168.2

Allow network/nnn CIDR specification

Order deny,allow
Deny from all
Allow from

Allow IPv6 addresses and subnets

Order deny,allow
Deny from all
Allow from 2001:db8::a00:20ff:fea7:ccea
Allow from 2001:db8::a00:20ff:fea7:ccea/10

Deny subdomains

Order Allow,Deny
Allow from
Deny from

Allow from IP without password prompt, and also allow from any address with password prompt

Order deny,allow
Deny from all
AuthName "htaccess password prompt"
AuthUserFile /web/
AuthType Basic
Require valid-user
Allow from
Satisfy Any
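
How Apache 2.2 combines the Order, Allow, Deny, Require and Satisfy directives used in the snippets above, modelled in Python (an added example, not code from the original page or from Apache). The function names and the client addresses, taken from documentation ranges, are assumptions, and hostname arguments to Allow/Deny are not modelled. It also shows that a partial address such as `10.1` matches whole bytes, so it does not cover `10.10.x.x`.

```python
import ipaddress

def to_network(spec):
    """Turn one Allow/Deny argument into a network; None means 'all'."""
    if spec.lower() == "all":
        return None
    if "/" not in spec and ":" not in spec:
        octets = spec.rstrip(".").split(".")
        if len(octets) < 4:
            # Partial IPv4 address: the first 1 to 3 bytes select a /8, /16 or /24.
            spec = "%s/%d" % (".".join(octets + ["0"] * (4 - len(octets))), 8 * len(octets))
    return ipaddress.ip_network(spec, strict=False)

def matches(client, specs):
    """True if the client address falls inside any of the listed specs."""
    addr = ipaddress.ip_address(client)
    for spec in specs:
        net = to_network(spec)
        if net is None or (addr.version == net.version and addr in net):
            return True
    return False

def host_allowed(client, order, allow=(), deny=()):
    """Host-based check following the Order directive."""
    allowed, denied = matches(client, allow), matches(client, deny)
    if order.replace(" ", "").lower() == "deny,allow":
        return allowed or not denied   # Allow overrides Deny, default is allow
    return allowed and not denied      # Allow,Deny: Deny overrides, default is deny

def access(client, authenticated, order, allow=(), deny=(), require_user=True, satisfy="All"):
    """Final decision once host rules and Require valid-user are combined."""
    host_ok = host_allowed(client, order, allow, deny)
    if not require_user:
        return host_ok
    if satisfy.lower() == "any":
        return host_ok or authenticated
    return host_ok and authenticated

if __name__ == "__main__":
    # Constructed sample: office address 192.0.2.10, outside visitor 198.51.100.7.
    rules = dict(order="deny,allow", deny=["all"], allow=["192.0.2.10"], satisfy="Any")
    for ip, authed in [("192.0.2.10", False), ("198.51.100.7", False), ("198.51.100.7", True)]:
        print(ip, "password ok" if authed else "no password", "->", access(ip, authed, **rules))
    # Same block with "Deny from all" left out: Satisfy Any admits everyone.
    print(access("198.51.100.7", False, order="deny,allow", allow=["192.0.2.10"], satisfy="Any"))
    # Partial addresses match whole bytes, not string prefixes.
    print(matches("10.1.5.5", ["10.1"]), matches("10.10.5.5", ["10.1"]))
```

With `Satisfy Any`, the `Deny from all` line is what forces outside visitors to the password prompt; without it the host check passes for every client and no password is requested.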

Skeleton .htaccess file

I use this when I start a new site, and uncomment or delete parts of the file depending on the site's needs.

Ultimate htaccess file sample

Options +ExecCGI -Indexes
DirectoryIndex index.php index.html index.htm

ErrorDocument 400 /cgi-bin/error.php
ErrorDocument 401 /cgi-bin/error.php
ErrorDocument 403 /cgi-bin/forbidden.cgi
ErrorDocument 404 /404.html
ErrorDocument 405 /cgi-bin/error.php
ErrorDocument 406 /cgi-bin/error.php
ErrorDocument 409 /cgi-bin/error.php
ErrorDocument 413 /cgi-bin/error.php
ErrorDocument 414 /cgi-bin/error.php
ErrorDocument 500 /cgi-bin/error.php
ErrorDocument 501 /cgi-bin/error.php

ServerSignature Off

AddType video/x-flv .flv
AddType application/x-shockwave-flash .swf
AddType image/x-icon .ico

AddDefaultCharset UTF-8
AddLanguage en-US .html .htm .txt .xml .php

SetEnv TZ America/Indianapolis

#AddHandler php-cgi .php
#Action php-cgi /cgi-bin/php5.cgi

#AddHandler fastcgi-script .fcg .fcgi .fpl
#AddHandler php5-fastcgi .php
#Action php5-fastcgi /cgi-bin/fastcgi.fcgi

#           HEADERS and CACHING
# 1 YEAR

Header set Cache-Control "max-age=29030400, public"

# 1 WEEK

Header set Cache-Control "max-age=604800, public"

# 3 HOUR

Header set Cache-Control "max-age=10800"

# 1 MIN

Header set Cache-Control "max-age=0, private, no-store, no-cache, must-revalidate"
Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"NOI DSP COR NID CUR ADM DEV OUR BUS\""
Header set imagetoolbar "no"

#Redirect 301 /ssl-ns.html /2006/htaccess/apache-ssl-in-htaccess-examples.html
#Redirect 301 /ht.tml
#Redirect 301 /index.html /
#RedirectMatch 301 /2006/htaccess-forum/(.*) /2006/htaccess/$1
#RedirectMatch 301 /(.*)rfc2616(.*)
#RedirectMatch 301 /phpmanual(.*) /manual/en/$1

RewriteEngine On
RewriteBase /

#RewriteEngine On
#RewriteBase /
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule . /index.php [L]

#RewriteCond %{HTTP_HOST} !^www\.askapache\.com$ [NC]
#RewriteRule ^(.*)$ /$1 [R=301,L]

#RewriteCond %{ENV:REDIRECT_STATUS} 200
#RewriteRule ^.*$ - [L]

#RewriteCond %{HTTP_USER_AGENT} !^.*(FeedBurner|FeedValidator|Recent) [NC]
#RewriteRule ^feed/?.*$ [L,R=302]

#RewriteCond %{HTTP_USER_AGENT} ^Wget.* [NC]
#RewriteRule .* /cgi-bin/forbidden.cgi [L]

#AuthName "Prompt"
#AuthUserFile /web/
#AuthType basic
#Require valid-user

#AuthName "Under Development"
#AuthUserFile /web/
#AuthType basic
#Require valid-user
#Order Deny,Allow
#Deny from all
#Allow from
#Satisfy Any


April 10th, 2007

Comments Welcome

  • Fred

    Regarding "Require password for 1 file only", shouldn't this:

    AuthName "htaccess password prompt"
    AuthType Basic
    AuthUserFile /web/
    Require valid-user

    be this:

    AuthName "htaccess password prompt"
    AuthType Basic
    AuthUserFile /web/
    Order deny,allow
    Deny from all
    Require valid-user

    Your example allowed anyone on in two of my systems because of lack of a deny clause. Adding the two lines solved it.

  • AskApache

    @ Fred

    Absolutely right. Thanks for the heads up, that's a pretty big foul up on my part.

  • Motosauro

    Thanks for the snippets, I pasted them into my blog since I tend to forget them very easily :)

    Just one question: why do you think it's better to put ErrorDocument override in .htaccess files rather than vhost definitions?
    I place them in vhost definition files because they don't ever change (almost). I guess it's just a matter of personal taste though

    Thanks mate :)

  • chris jar


    I encountered this problem.

    I have .htaccess file:

    AuthType Basic
    AuthName "RestrictedFilesmain"
    AuthUserFile "d:Program FilesApache GroupApache2htdocsmainconfc.htpasswd"
    ErrorDocument 401 "ERROR_ 441 Authorization Required"
    ErrorDocument 403 "ERROR_ 403 Forbidden"
    ErrorDocument 404 "ERROR_ 404 Not Found"
    Require user loggeduser
    Require user chris

    and c.htpasswd file


    When I log in to the protected page for the first time I enter chris:a2wssd and I am allowed to enter the page. Next I change the password in the c.htpasswd file to a2ws4ss. And I still have access to the page just using the refresh button in my Firefox browser.

    It looks like the Apache server didn't notice that I have changed the password value in the meantime. What's wrong? I need to immediately stop access to the protected page by changing the password in the file.

    Regards chris

  • Bobby Kozora

    I'm trying to use apache authentication as added protection to the password protected admin section of one of my sites. The site's using Wordpress. What's happening is when I access the admin section the .htaccess file in that directory isn't executing. Well, it will throw errors but if all's fine it passes back to my root .htaccess which then displays the 404 page. If I remove the .htaccess from my admin directory I can once again access my login page. Any ideas? I'm stumped.

  • Fred

    Bobby, create an .htaccess file in your wp-admin directory following the contents listed in "Allow from IP without password prompt, and also allow from any address with password prompt".

    The "Allow from" should contain your static IP address if you have one, or that of your client if you are building this site for someone else to access. Of course, you can add more than one line in that format. It will allow anyone arriving from an IP in the Allow statement(s) to access the WPAdmin login screen without having to enter the Apache Username/Password combination. Everyone else will be stopped at the Apache login screen, and if they authenticate there they will then receive the WP login screen. I do this on over 100 WP sites.

  • martin

    Great article, thank you!

  • Apache Development

    I am encountering a problem where I get a 404 page every time I put Require valid-user into the .htaccess of a folder. Any ideas why this might be happening?

  • AK

    Your "Allow from IP without password prompt, and also allow from any address with password prompt" example is exactly what I was looking for. Thank you!

    • Tra

      I found this to be an informative and interesting blog, very useful and knowledgeable. Thank you for the efforts you have made in writing this authentication article. Your writing abilities have inspired me.

  • sy

    I have my "password" file in C:\Program Files\Apache Group\Apache2\htdocs\users

    I would like to restrict access to a folder "flash anim" in C:\Program Files\Apache Group\Apache2\htdocs\Flash Anim

    I have given the following directives in my .htaccess file

    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /Program Files/Apache Group/Apache2/htdocs/users/password
    Require user windowsistheproblem

    When I access that directory it gives me the following error:

    [Tue Jul 27 15:37:17 2010] [alert] [client] C:/Program Files/Apache Group/Apache2/htdocs/Flash Anim/.htaccess: AuthUserFile takes 1-2 arguments, text file containing user IDs and passwords

    I have no idea where I am going wrong. What does the above error log mean? Can anybody help please?

  • Parvez

    I want to give permission to open all user image folders from my site, and the others are password protected.

  • kiran

    As shown in the partial IP example for IPv4 addresses (in Allow from), is it possible to use a partial IPv6 address also?
    Example:

    Allow from 2001:db8:a00:20ff:fea7:cc00:1234:564 <--full Ipv6 address
    Allow from 2001:db8:a00:20ff:fea7:cc00  <---------partial Ipv6 address



Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed. "Apache" is a trademark of The ASF. NCSA HTTPd.
UNIX ® is a registered Trademark of The Open Group. POSIX ® is a registered Trademark of The IEEE.
