How to use Apache .htaccess .htpasswd to protect files, folders and paths and to protect multiple files, multiple folders and paths

Last Updated on

Keywords: Apache, .htaccess, .htpasswd, block access, protect file, protect folder, protect directory, protect path

If we have following folders


and Following url path resource1/file1.htm resource1/A/ resource2/file2.php resource2/B/C/D/ resource3/E/F/

The document root for “” is “/web/”

Path secret is a virtual path which does not reflect to a real directory with name “secret” (e.g. an existing rewrite rule in .htaccess)

Now we want to protect file “file1.htm” directory “D” and directory “E”, “F” and virtual path “secret”

1.1 We need to create a .htaccess file under “web” directory

1.2 Open the .htaccess file, we need to add following contents for protecting files

#Protected file
<Files file1.htm>
#Password file path
AuthUserFile /web/.htpasswd
#Message for user to see
AuthName "Password protected"
AuthType Basic
#(If only allow specific user, use "require user username" if allow all valid users use "Require valid-user")
require user username

Note: if dealing with multiple files, filesmatch should be used.

<FilesMatch "file1\.htm|file2\.php">
AuthUserFile /web/.htpasswd
AuthName "Password protected"
AuthType Basic
require user username

Tip: Targeting files start with abc or def and end in .php

<FilesMatch "^(abc|def).php$">
AuthUserFile /web/.htpasswd
AuthName "Password protected"
AuthType Basic
require user username

1.3 We add following content to protect directories and the virtual path (We can use this method to protect multiple sub-directories/sub-folders/paths)

#Do the regex check against the URI here, if match, set the "require_auth" var
SetEnvIf Request_URI ^/ resource2\/B\/C\/D require_auth=true
SetEnvIf Request_URI ^/ resource3\/E require_auth=true
#Auth stuff
AuthUserFile /web/.htpasswd
AuthName "Password protected"
AuthType Basic
#Setup a deny/allow
Order Deny,Allow
#Deny from everyone
Deny from all
#except if either of these are satisfied
Satisfy any
#1. a valid authenticated user
Require valid-user
#or 2. the "require_auth" var is NOT set
Allow from env=!require_auth

1.4 We create a .htpasswd file under “web” directory

1.5 Open the .htpasswd file we add following contents (File contains username:hashed user password)


These password can be generated using htpasswd with following command:

$  sudo htpasswd -c /web/.htpasswd user1
(You will need to supply and confirm the password for the user)
$ sudo htpasswd /web/.htpasswd user2

Another way to protect current directory:

e.g. If we want to protect directory “A”

2.1 Creat a .htaccess file under in directory “A”, so we have “/web/resource1/A/.htaccess”

2.2 We add following content to the file

<Files ~ "^.(htaccess|htpasswd)$">
deny from all
AuthUserFile /web/resource1/A/.htpasswd
AuthGroupFile /dev/null
AuthName "Please enter your ID and password"
AuthType Basic
require valid-user 
order deny,allow

2.3 We create the .htpasswd file under “/web/resource1/A/”, so we have “/web/resource1/A/.htpasswd”

2.4 We generate password as in step 1.5 (We need to change path from “/web/.htpasswd” to “/web/resource1/A/.htpasswd”)

Now the directory “A” is protected


1 We can use online .htpasswd generator to create password for convenience

2 We can use online tools to generate .htaccess for convenience

Leave a Reply

Your email address will not be published. Required fields are marked *