Basic authentication adds a lightweight username/password gate in front of a URL path, which is useful for staging sites, internal dashboards, and temporary protection of admin endpoints while access rules are being finalized.
When a protected URL is requested, the server responds with a 401 challenge and a WWW-Authenticate header, and the client retries with an Authorization: Basic header. Apache validates those credentials using modules such as mod_auth_basic and an authentication provider like mod_authn_file, which reads hashed passwords from a file created with htpasswd.
Basic authentication must be paired with HTTPS because the credentials are only base64-encoded, not encrypted. Keep the password file outside the web root, restrict permissions so only the Apache runtime user can read it, and remember that htpasswd -c overwrites an existing password file. The command examples use Debian and Ubuntu conventions (a2enmod, unit name apache2), with common RHEL-family differences called out in notes.
Steps to enable basic authentication in Apache:
- Enable the authentication modules when required by the distro packaging.
$ sudo a2enmod auth_basic authn_file
Considering dependency authn_core for auth_basic:
Module authn_core already enabled
Module auth_basic already enabled
Module authn_file already enabled
On RHEL-family systems, these modules are commonly available and loaded by default.
- Install the password-file tool on Debian-style systems.
$ sudo apt update
##### snipped #####
$ sudo apt install --assume-yes apache2-utils
apache2-utils is already the newest version (2.4.58-1ubuntu8.8).
##### snipped #####
On RHEL-family systems, install httpd-tools.
- Create a password file outside the web root with the first user entry.
$ sudo htpasswd -bc /etc/apache2/.htpasswd admin S3cretPass123
Adding password for user admin
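The -c option creates a new file and overwrites an existing one, so omit it when adding additional users (example: sudo htpasswd /etc/apache2/.htpasswd alice). The -b option reads the password from the command line, which leaves it visible in shell history and process listings; omit -b to be prompted for the password instead.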
- Restrict password file ownership and permissions.
$ sudo chown root:www-data /etc/apache2/.htpasswd
$ sudo chmod 0640 /etc/apache2/.htpasswd
If the Apache runtime user cannot read the password file, authentication fails with 500 and an auth provider error in the error log.
- Add authentication directives to the protected path in the virtual host configuration.
<Location "/admin">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Location>
Place the block inside the matching VirtualHost so protection applies only to that site.
- Validate configuration syntax before reloading Apache.
$ sudo apachectl configtest
Syntax OK
- Reload Apache to apply the new configuration.
$ sudo systemctl reload apache2
On RHEL-family systems, the unit name is commonly httpd.
- Verify authentication responses for unauthenticated and authenticated requests.
$ curl -sI -H 'Host: example.com' http://127.0.0.1/admin/
HTTP/1.1 401 Unauthorized
Date: Sat, 10 Jan 2026 05:21:19 GMT
Server: Apache/2.4.58 (Ubuntu)
WWW-Authenticate: Basic realm="Restricted"
Content-Type: text/html; charset=iso-8859-1
##### snipped #####
$ curl -sI -H 'Host: example.com' -u admin:******** http://127.0.0.1/admin/
HTTP/1.1 200 OK
Date: Sat, 10 Jan 2026 05:21:19 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Sat, 10 Jan 2026 05:21:18 GMT
ETag: W/"a-64801cfc77738"
Accept-Ranges: bytes
Content-Length: 10
Content-Type: text/html
##### snipped #####
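The following shell audit is an added example, not part of the original steps. It checks the password-file requirements stated above (located outside the web root, no access for other users) and flags entries stored as unsalted SHA-1, crypt() or plaintext. It assumes GNU stat and readlink as shipped on Debian and Ubuntu; the function names and the document root in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: audit an Apache password file (GNU stat/readlink assumed).

# Classify one stored hash by its prefix.
htpasswd_scheme() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*) echo apr1-md5 ;;
        '{SHA}'*)  echo sha1-unsalted ;;
        *)         echo crypt-or-plaintext ;;
    esac
}

# audit_htpasswd FILE DOCROOT: print one line per finding.
# Returns 0 when clean, 1 on findings, 2 when FILE or DOCROOT cannot be resolved.
audit_htpasswd() {
    file=$1 findings=0
    mode=$(stat -c '%a' "$file") || return 2
    real=$(readlink -f "$file") || return 2
    root=$(readlink -f "$2") || return 2
    # The last octal digit is the permission set for other users (0 in 0640).
    case "$mode" in
        *0) ;;
        *) echo "MODE $file is $mode, accessible to other users"; findings=1 ;;
    esac
    # A password file under the document root can be served to clients.
    case "$real" in
        "$root"/*) echo "PATH $file is inside $root"; findings=1 ;;
    esac
    # Entries are user:hash; flag unsalted SHA-1, crypt() and plaintext.
    while IFS=: read -r user hash rest || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac
        case "$(htpasswd_scheme "$hash")" in
            sha1-unsalted|crypt-or-plaintext)
                echo "HASH user=$user uses $(htpasswd_scheme "$hash")"; findings=1 ;;
        esac
    done < "$file"
    return "$findings"
}

# Usage (as root; /var/www/html is an assumed document root):
#   audit_htpasswd /etc/apache2/.htpasswd /var/www/html
```

An entry created with the htpasswd command shown in the steps (no scheme option) is stored with the `$apr1$` prefix on Apache 2.4 and is not flagged; entries created with `htpasswd -B` use bcrypt.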
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
