Welcome to FreeSoftwareServers Confluence Wiki

"In general, you should only use .htaccess files when you don't have access to the main server configuration file. There is, for example, a common misconception that user authentication should always be done in .htaccess files, and, in more recent years, another misconception that mod_rewrite directives must go in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things. Likewise, mod_rewrite directives work better, in many respects, in the main server configuration." -- Apache.org

I would recommend configure Fail2Ban to monitor Apache Auth via HTPasswd

Basically instead of the code going into


It goes in

/etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf

This speeds up Apache because it does not have to search each directory recursively for .htaccess, it has all the information needed in once file, apache2.conf

Ok so lets secure


Lets Edit Apache2.conf, then create the directory to be protected, then create the .htpasswd file to store Username and Encrypted PWD and finally restart apache to enable changes.


sudo apt-get install -y apache2-utils
sudo nano /etc/apache2/apache2.conf && sudo mkdir /var/www/html/media/ 
sudo htpasswd -c /etc/apache2/.htpasswd $USER && sudo service apache2 restart
sudo chown apache:apache /etc/apache2/.htpasswd
sudo chmod 0660 /etc/apache2/.htpasswd


sudo nano /etc/httpd/conf/httpd.conf 
sudo mkdir /var/www/html/media/ 
sudo htpasswd -c /etc/httpd/.htpasswd $USER
sudo service httpd restart
sudo chown apache:apache /etc/httpd/.htpasswd
sudo chmod 0660 /etc/httpd/.htpasswd
NOTE: -c falg after htpasswd creates new file, do not use if adding to .htpasswd as it will overwrite old file (AKA Clobber)


 Options Indexes FollowSymLinks Includes ExecCGI
 AllowOverride AuthConfig
 AuthUserFile /etc/apache2/.htpasswd
 AuthName "Authorization Required"
 AuthType Basic
 require user exampleuser


  • No labels