AuthUserFile

AuthUserFile is an Apache HTTP Server directive that identifies the filesystem path to a password file used for HTTP Basic authentication. It is usable in contexts such as server config, virtual hosts, directories, and .htaccess files, and it specifies where the server should look for user credentials when access to restricted resources is requested.

The password file is typically created with the htpasswd utility and contains one line per user in the form username:encrypted_password. The encryption method depends on how the file was created (for example, with options that select MD5, SHA, or bcrypt). The server uses the hashed values to verify credentials supplied by clients. In configuration, AuthType Basic is paired with authentication directives such as AuthName and a Require directive (for example, Require valid-user or Require user username).

Multiple AuthUserFile directives can be used in a single configuration; Apache checks the listed files in order until a matching username is found. The directive’s path can be absolute or relative, with relative paths in per-dir contexts resolved relative to the directory to which the restriction applies.

Security considerations are important: the password file should be stored outside the web-accessible document root and protected with restrictive filesystem permissions so that only the web server process can read it. It should be owned by a privileged user and kept up to date as users are added or removed. Misconfigurations or overly permissive permissions can expose credentials or undermine access control.

In practice, AuthUserFile is used to implement basic authentication for specific directories or resources, in combination with other authentication and authorization directives to control who may access protected content.
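An added example, not part of the original page or of Apache's own tooling: a small audit of the file an AuthUserFile directive points at, checking the storage and hashing points above (location relative to the document root, permission bits, and the hash scheme of each username:hash line). The prefixes `$2y$`, `$apr1$` and `{SHA}` are what htpasswd writes for bcrypt, MD5 and SHA; the paths, the sample entries and the bcrypt-only policy are assumptions of this example.

```python
import stat
import tempfile
from pathlib import Path

SCHEMES = (("$2y$", "bcrypt"), ("$apr1$", "apr1-md5"), ("{SHA}", "sha1"))
# Constructed sample file; the hash fields are placeholders, not real hashes.
SAMPLE = "alice:$2y$05$CONSTRUCTED\nbob:{SHA}CONSTRUCTED=\ncarol:$apr1$salt$CONSTRUCTED\nbroken-line\n"


def classify(hash_field):
    """Label the hash field of a username:hash line by its htpasswd prefix."""
    for prefix, name in SCHEMES:
        if hash_field.startswith(prefix):
            return name
    return "other"  # crypt(), plain text, or unrecognised


def audit(password_file, document_root):
    """Return findings for the file an AuthUserFile directive points at."""
    pw, root = Path(password_file).resolve(), Path(document_root).resolve()
    findings = []
    if root in pw.parents:
        findings.append("inside document root")
    mode = stat.S_IMODE(pw.stat().st_mode)
    if mode & (stat.S_IROTH | stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"permissions too open: {mode:o}")
    for n, line in enumerate(pw.read_text().splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments
        user, sep, hash_field = line.partition(":")
        if not (user and sep and hash_field):
            findings.append(f"line {n}: not username:hash")
        elif classify(hash_field) != "bcrypt":  # policy assumed by this example
            findings.append(f"line {n}: {user} uses {classify(hash_field)}")
    return findings


def demo():
    """Audit the constructed sample placed, badly, under a fake document root."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp, "htdocs", ".htpasswd")
        bad.parent.mkdir()
        bad.write_text(SAMPLE)
        bad.chmod(0o644)
        return audit(bad, bad.parent)


if __name__ == "__main__":
    print("\n".join(demo()))
```

A file stored outside the document root with mode 600 and only bcrypt entries produces an empty findings list.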