[Practice 5] Password Protect for the website in EC2 — THE END

Co-author: Allie Hsu

Eileen Chu
4 min readSep 27, 2020

For the purpose of strengthening the security of the website, we can use .htaccess for password protection. All visitors will see a pop-up window prompting you to enter your username and password, and those who don’t know this information will be denied access to the website.

To set up .htaccess for a website in EC2, login to your EC2 then follow these steps:

  • Create a .htpasswd file in a new directory
  • Create a .htaccess file in the directory ‘/var/www/html’
  • Configure the file httpd.conf in the EC2

Create a .htpasswd file in a new directory

Firstly, we are going to create a new file named .htpasswd. The .htpasswd file aims to store the .htaccess username and password. In order to prevent unknown users from easily obtaining the password authentication of the website, we need to create a new, inaccessible directory to save the .htpasswd file, and it must not under the directory ‘/var/www/html’.

In this case, we named the new directory ‘private’ under the ‘/var/www’ to save the .htpasswd file:

cd /var/www
mkdir private
cd private
vim .htpasswd

Use a Password Encryption Program to create your passwords. Input your desire username and password, it will generate a crypt password line:

<username>:<encrypted password>
alpey:fJEcziXdnDx2I

Copy this line into your .htpasswd file then save the file.

Create a .htaccess file in the directory ‘/var/www/html’

The .htaccess file should be saved in the directory you want to protect, which means your directory ‘html’ in EC2.

cd /var/www/html
vim .htaccess

The .htaccess file content will include

  1. AuthUserFile: the route for your password file
  2. AuthName: can be changed into your own preference
  3. AuthType as Basic
  4. Require as valid-user, then save the file

When a user visits the website, the server will activate the .htpasswd file and ask for entering username and password. The system will validate the input by the crypt password line tracking through the AuthUserFile direction.

Configure the file httpd.conf in the EC2

But it won’t work for EC2 yet, you need to edit the related setting in the ‘httpd.config’ file.

cd /etc/httpd/conf/
vim /etc/httpd/conf/httpd.conf

Find the part which mentions <Directory ‘/var/www/html’> and set AllowOverride None into AllowOverride All. Save the file after changing.

Restart the http server to update the change:

service httpd restart

It should show ‘OK’ after restarting:

Once the server displays ‘OK’, the password protection setting via .htaccess is done.

When you open the browser and visit your website, a password protected window will pop up on the website. Enter the correct password for authentication to access the website.

Issue

In the last step, if it ‘FAILED’ after restarting:

It may be because other services are using the same port.

Use the command below to find out which service is using TCP port number 80 (the default webserver port):

sudo netstat -ltnp | grep ':80'

It would show the result as below:

Note:
0 :: :80 — Source IP: Port
11515/httpd — PID/Process name

Kill all connections that we are not using:

sudo kill -9 tcp *:httpd
sudo killall apache
sudo killall httpd
ps aux | grep apache

The process would look like below:

After killing all apache and httpd, the command netstat -tulpn | grep :80 will show nothing, which means there is no service using port 80. You can also check the httpd status by using the command:

service httpd status

The status shows httpd dead but pid file exists, then you can start the httpd server again:

service httpd start

After these steps, you will see the server shows ‘OK’. Congratulations on the successful troubleshooting. Now you can visit your website and see the password protection window shown on the website.

We hope that after these exercises, you will boost self-confidence in your abilities and understanding of these concepts. Wishing you all the best in your future endeavors.

Previous: [Practice 4] Host a PHP Dynamic Website on Amazon EC2

Thanks for reading! 😊If you enjoyed it, let's do finger cardio! Try how many times can you hit 👏 in 5 seconds. This will help more people see this story.

--

--