Configure Apache User Passwords on Arch Linux

Configure Apache User Passwords on Arch Linux

Apache server by default does not have any authentication when accessing web directories. This may be desirable for only locally accessible addresses but would present a security and privacy issue when available externally. If you plant to setup No-IP DDNS on Arch Linux, custom DDNS on Arch Linux or just setup port forwarding on it’s own, it is important to secure all applications that will be accessible externally. Before configuring authentication make sure to install Apache web server.


Create Apache Passwords

Create a password file with htpasswd utility.

sudo htpasswd -c /etc/httpd/conf/passwords dom

By default htpasswd utility will append new passwords to the file but the -c option will create a new file which is what we want the first time. When prompted enter the password and then again to confirm it.


Configure Apache Authentication

Open the configuration file.

sudo nano /etc/httpd/conf/httpd.conf


Copy the options to the configuration file or to .htaccess file between <Directory> tags. Modify directives as necessary and save the file.

AuthType Basic
AuthName "Apache Web Root"
AuthBasicProvider file
AuthUserFile /etc/httpd/conf/passwords
Require valid-user

Allow from
Satisfy Any

The AuthType should always be set to basic. This sends the password unencrypted so if security is very important use SSL encryption. Realm is defined with AuthName directive which is often displayed on he login screen as well as used to eliminate password prompts when entering directories within the same realm. Type of password storage is defined with AuthBasicProvider and is by default file. The path of the passwords file is defined with AuthUserFile directive. Require directive specifies which users are allowed to log in. The value of valid-user allows all users that have an entry in the passwords file to log in.

Optionally the password authentication requirement can be removed for certain IP addresses which are defined with Allow from directive. The Satisfy directive needs to be set to Any. Alternatively it can be set to All which would require both the IP address to match and the password.


Restart the web server for the changes to take effect.

sudo systemctl restart httpd