Protect Folder With Htpasswd In Apache

This article shows how to require a username and password before Apache serves a folder.

Step 1 – Create the folder and set the permissions on it

If the folder you want secured doesn’t exist, go ahead and create it. Then set the correct permissions and owner for the folder. I am using www-data as the folder owner because this is the user that the Apache website runs as.

cd /var/www/html
mkdir secured_folder
chmod 744 secured_folder
chown www-data:www-data secured_folder
cd secured_folder

Step 2 – Create your .htaccess file

Change to the ‘secured_folder’ and create an .htaccess file inside it with the contents below. This adds username and password security to the folder.

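# Basic authentication for this folder
AuthUserFile /var/www/.htpasswd
AuthGroupFile /dev/null
AuthName "My protected files"
AuthType Basic
# No <Limit GET> wrapper here: inside <Limit GET> the requirement would only
# apply to GET and HEAD, leaving other methods such as POST unauthenticated
Require valid-user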

** The AuthUserFile path is wherever you put your .htpasswd file. You can have multiple password files with different names, one for each folder that you want to secure.

Step 3 – Create the username and password for .htpasswd file

Now change to the folder you want your .htpasswd to be stored in. We specified /var/www/.htpasswd, as you can see above for ‘AuthUserFile’. Then use the htpasswd command on your command line to create the username and password for the folder you want to secure. It is recommended that you keep this file outside of the actual website folder.

cd /var/www/
htpasswd -c .htpasswd username1

You will be asked to enter a password for 'username1'.

 ** Replace .htpasswd with what you created above. Can be folder specific.

Step 4 – Adding more users to .htpasswd file (optional)

If you would like to add multiple users to the same .htpasswd file then don’t add the ‘-c’ option.

cd /var/www
htpasswd .htpasswd username2
# you will be asked to enter a password for 'username2'
htpasswd .htpasswd username3
# you will be asked to enter a password for 'username3'

Now when you go to visit your page, it will prompt you to enter a username and password before you can access the page.

 ** Replace .htpasswd with what you created above. Can be folder specific.
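A quick audit of the files created in Steps 2 to 4, as an added example that is not part of the original page: it flags a `Require` wrapped in `<Limit>`, a password file inside the web root, a world-readable password file, and weak hash schemes. The finding codes and the sample hashes are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit the Basic-auth files from
# Steps 2-4. The finding codes (LIMIT, DOCROOT, PERMS, HASH) are this example's own.

# audit_htaccess FILE DOCROOT -> one finding per line
audit_htaccess() {
    # Require inside <Limit ...> only covers the listed methods.
    grep -Eiq '^[[:space:]]*<Limit[[:space:]]' "$1" &&
        echo "LIMIT: Require is inside <Limit>, unlisted methods skip authentication"
    # The password file should sit outside the web root.
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$1")
    case $pw in
        "$2"/*) echo "DOCROOT: $pw is inside the document root" ;;
    esac
    return 0
}

# audit_htpasswd FILE -> one finding per line
audit_htpasswd() {
    [ -n "$(find "$1" -perm -004)" ] && echo "PERMS: $1 is world-readable"
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        case $hash in
            '$2y$'*|'$2a$'*|'$2b$'*|'$5$'*|'$6$'*) ;;  # bcrypt or SHA-2 crypt
            '$apr1$'*) echo "HASH: $user uses apr1 (MD5), htpasswd -B gives bcrypt" ;;
            '{SHA}'*)  echo "HASH: $user uses unsalted SHA-1" ;;
            *)         echo "HASH: $user uses crypt() or plaintext" ;;
        esac
    done < "$1"
    return 0
}

# Constructed sample: a <Limit GET> style .htaccess and made-up, non-functional hashes.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'AuthUserFile /var/www/.htpasswd' 'AuthType Basic' \
        '<Limit GET>' 'require valid-user' '</Limit>' > "$d/.htaccess"
    printf '%s\n' 'username1:$apr1$constructed$notARealHash' \
        'username2:$2y$05$constructedNotARealHash' \
        'username3:{SHA}constructedNotARealHash=' > "$d/.htpasswd"
    chmod 644 "$d/.htpasswd"
    audit_htaccess "$d/.htaccess" /var/www/html
    audit_htpasswd "$d/.htpasswd"
    rm -rf "$d"
}
demo
```

Run it against the real files with `audit_htaccess /var/www/html/secured_folder/.htaccess /var/www/html` and `audit_htpasswd /var/www/.htpasswd`.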

Disable Apache Cache

#Initialize mod_rewrite
RewriteEngine On
<FilesMatch "\.(html|htm|js|css)$">
  FileETag None
  <IfModule mod_headers.c>
    Header unset ETag
    Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires "Wed, 12 Jan 1980 05:00:00 GMT"
  </IfModule>
</FilesMatch>

Link to folder share in Apache

This should be in your website conf

Alias /library /media/library

<Directory /media/library/>
   Options Indexes FollowSymLinks
   AllowOverride None
   Order Deny,Allow

   AuthName "Rich's Personal Library"
   AuthType Basic
   AuthUserFile /var/www/
   Require valid-user
</Directory>


This should be similar in /etc/fstab

//  /media/library  cifs username=<user>,password=<pass>,defaults  0  0

renamed from eth0:

$ sudo nano /etc/default/grub

Look for "GRUB_CMDLINE_LINUX" and add the following: "net.ifnames=0 biosdevname=0"

	GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"

Then write the changes:
$ sudo grub-mkconfig -o /boot/grub/grub.cfg

	Generating grub configuration file ...
	Warning: Setting GRUB_TIMEOUT to a non-zero value when GRUB_HIDDEN_TIMEOUT is set is no longer supported.
	Found linux image: /boot/vmlinuz-4.4.0-15-generic
	Found initrd image: /boot/initrd.img-4.4.0-15-generic
	Found memtest86+ image: /memtest86+.elf
	Found memtest86+ image: /memtest86+.bin

SSL Cert in Apache

This is what the config file should look like. Essentially, you want to match up the appropriate files to the certificates that you're using. 

<VirtualHost *:443>
    ServerAdmin
    DocumentRoot /var/www/elearn
    ServerName
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/public.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private.key
    SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt
</VirtualHost>

SSL CSR with OpenSSL and Response

First, create a config file listing any SANs (Subject Alternative Names) you need,

e.g. san.cnf:

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                = Country Name (2 letter code)
stateOrProvinceName        = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1   =
DNS.2   =
DNS.3   =

Create the CSR and Private Key now

	openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf
Verify SAN
	openssl req -noout -text -in sslcert.csr | grep DNS
	[root@Chandan test]# openssl req -noout -text -in sslcert.csr | grep DNS
	[root@Chandan test]#
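The CSR steps above end to end, as an added example that is not part of the original page: it builds a CSR from a san.cnf of the same shape and fails loudly when a SAN is missing or the key does not belong to the CSR, instead of relying on an empty `grep DNS` being noticed. The host names under `.test` and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): build a CSR from a san.cnf like
# the one above, then fail loudly if a SAN is missing or the key does not match.
# Host names are constructed placeholders under the reserved .test TLD.

# csr_sans CSR -> DNS subjectAltName entries, one per line
csr_sans() {
    openssl req -noout -text -in "$1" | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# csr_check CSR KEY NAME... -> prints "ok" and returns 0 only if the CSR
# self-signature verifies, it carries KEY's public key, and every NAME is a SAN
csr_check() {
    csr=$1 key=$2; shift 2
    openssl req -verify -noout -in "$csr" 2>&1 | grep -q 'verify OK' ||
        { echo "bad CSR signature"; return 1; }
    [ "$(openssl req -noout -pubkey -in "$csr")" = "$(openssl pkey -pubout -in "$key")" ] ||
        { echo "CSR does not match $key"; return 1; }
    for name in "$@"; do
        csr_sans "$csr" | grep -Fxq "$name" || { echo "missing SAN: $name"; return 1; }
    done
    echo "ok"
}

# make_csr DIR -> writes san.cnf, private.key and sslcert.csr into DIR
make_csr() {
    cat > "$1/san.cnf" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
commonName         = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName     = @alt_names
[ alt_names ]
DNS.1 = www.example.test
DNS.2 = example.test
EOF
    ( umask 077   # -nodes writes the key unencrypted, so keep it owner-only
      openssl req -new -newkey rsa:2048 -nodes -keyout "$1/private.key" \
          -out "$1/sslcert.csr" -config "$1/san.cnf" \
          -subj "/CN=www.example.test" ) 2>/dev/null
}

d=$(mktemp -d) && make_csr "$d" &&
    csr_check "$d/sslcert.csr" "$d/private.key" www.example.test example.test
rm -rf "$d"
```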
Create p12 file from CA Response
	openssl pkcs12 -export -in <CAreply> -inkey private.key \
	  -certfile <intermediates.cert.pem> -name ""
Create pfx file from CA Response
openssl pkcs12 -export -in www_crouse_org.crt -inkey www_crouse_org.key  -name ""  -out
    -certfile <intermediates.cert.pem> 

How to work with certs in Apache

Updated 2020-02-15 with newer instructions that make more sense

# WinSCP the wildcard cert (at time of writing, 2018-19-Wildcard.pfx) to ~/

# WinSCP the intermediate cert to ~/

# You will need the password for the root combo pfx

# Copy the intermediate to its home (If applicable)

sudo cp ~/intermediate.crt /etc/apache2/ssl/intermediate.crt

# Export the public certificate (no private key)

openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [public.key]

# Copy the public key to its home

sudo cp ~/public.key /etc/apache2/ssl/public.key

# Extract the private key from the pfx

openssl pkcs12 -in [yourfile.pfx] -nocerts -out [private-encrypted.key]

# Copy the private key to its home

sudo cp ~/private-encrypted.key /etc/apache2/ssl/private-encrypted.key

# This removes the passphrase from the key so that Apache2 can start without someone having to type it in

sudo openssl rsa -in ~/private-encrypted.key -out /etc/apache2/ssl/private.key

# Restart Apache2

sudo /etc/init.d/apache2 restart
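The extraction steps above with tighter key handling, as an added example that is not part of the original page: the passphrase is read from an environment variable instead of the command line, the files are created owner-only, and the certificate and key are checked against each other before Apache is restarted. `PFX_PASS`, the function names and the self-signed sample PFX are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): extract certificate and key from
# a PFX as in the steps above, without leaving a readable key behind.
# PFX_PASS, the file names and www.example.test are assumptions of this example.

# pfx_extract PFX OUTDIR -> writes OUTDIR/public.crt and OUTDIR/private.key.
# The passphrase comes from $PFX_PASS so it never appears in the process list.
pfx_extract() {
    ( umask 077   # files are created owner-only from the start
      openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASS |
          openssl x509 -out "$2/public.crt" &&
      openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASS |
          openssl pkey -out "$2/private.key" ) 2>/dev/null
}

# pair_ok CERT KEY -> 0 when both hold the same public key and the key file
# is mode 600; run it before restarting Apache
pair_ok() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ] &&
        [ -n "$(find "$2" -perm 600)" ]
}

# make_sample_pfx DIR -> constructed self-signed certificate packed as DIR/sample.pfx
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
        -keyout "$1/k.pem" -out "$1/c.pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/c.pem" -inkey "$1/k.pem" \
        -out "$1/sample.pfx" -passout env:PFX_PASS
}

export PFX_PASS='constructed-passphrase'
w=$(mktemp -d) && make_sample_pfx "$w" && pfx_extract "$w/sample.pfx" "$w" &&
    pair_ok "$w/public.crt" "$w/private.key" && echo "certificate and key match"
rm -rf "$w"
```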

PEM with RSA Private key (ie NetScaler)

Example with this: snet.crouse.org_password.pfx

openssl pkcs12 -in snet.crouse.org_password.pfx -out snet.crouse.org_2020.pem -nodes

openssl rsa -outform der -in  snet.crouse.org_2020.pem -out  snet.crouse.org_2020_rsa_private.key

openssl x509 -outform der -in snet.crouse.org_2020.pem -out snet.crouse.org_2020_private.cer

How to get .pem file from .key and .crt files?

openssl rsa -in server.key -text > private.pem

openssl x509 -inform PEM -in server.crt > public.pem

Remove password from a PFX file

openssl pkcs12 -in pfx.pfx -nodes | openssl pkcs12 -export -keypbe NONE -certpbe NONE -out output.pfx  

Get all Trusted Root Certs

# Use rootups on Windows to download all Trusted Root Authorities

# Select all and export with a key

# SCP to Linux box

# Copy your certificate in PEM format (the format that has -----BEGIN CERTIFICATE----- in it)
# into /usr/local/share/ca-certificates and name it with a .crt file extension.

sudo openssl pkcs12 -in AllRoots.pfx -out /usr/local/share/ca-certificates/allroots.crt -cacerts

sudo update-ca-certificates

Validate cert chain of website

openssl s_client -showcerts -connect

PFX to PEM, quickly

openssl pkcs12 -in d:\Temp\cert.pfx -out d:\Temp\cert.pem -nodes

The -nodes option removes the password from the created PEM file. If you wish to keep the password encryption, omit -nodes; however, this may make it difficult to use the PEM file on your device. You will be prompted to type the password for the pfx file.

DER to CRT/PEM (to base64), quickly

As you have the openssl tag on your question, you should use:

openssl x509 -inform der -in infile.cer -out outfile.cer

In the reverse direction:

openssl x509 -outform der -in infile.cer -out outfile.cer


Apache ReWrite to SSL

$ sudo a2enmod rewrite 

Put this in your *:80 section of your config

RewriteEngine On

RewriteCond %{HTTPS} !on

RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Grab all subject alt name from a cert

openssl s_client -connect | openssl x509 -noout -text | grep DNS  


# Get all certs in a chain

# Save every certificate the server presents as cert1.pem, cert2.pem, ...
openssl s_client -showcerts -verify 5 -connect "$1:443" < /dev/null |
   awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'

# Print a file name derived from each certificate's CN
for cert in *.pem; do
        newname=$(openssl x509 -noout -subject -in "$cert" | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,.*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem
        echo "${newname}"
        # mv "${cert}" "${newname}"
done


List Cert details

echo quit | openssl s_client -showcerts -servername $1 -connect $1:443 > cacert.pem

Let's Encrypt Generate a manual certificate

LetsEncrypt Certificate Request
sudo certbot run -a manual -i apache -d