In many situations, HTTP services are public and intended to be accessed by anyone with the ability to connect to the server. However, there are a number of cases where site administrators need to have some additional control over which users can access the server. In these contexts, it is useful to require users to submit authentication credentials (e.g. usernames and passwords) to a site before gaining access to a resource.

This guide provides an overview of both credential-based and rule-based access control tools for the Apache HTTP server. We assume that you have a working installation of Apache and have access to modify configuration files.

Contents

Configuring HTTP Authentication
Generating HTTP AUTH Passwords
Access Control Lists with Groups
The Caveats of HTTP Authentication
More Information

Configuring HTTP Authentication

To enable passwords for a directory, insert the following lines into the appropriate <Directory> section of an Apache configuration file. You may also insert authentication information in an .htaccess file or in a virtual host configuration section. The required directives are:

File excerpt: Apache Configuration File

    AuthType Basic
    AuthUserFile /srv/auth/.htpasswd
    AuthName "Sign In Here To Gain Access To the Site"
    Require valid-user

The AuthType directive specifies which authentication method Apache should use when connecting with clients. Basic requires that passwords be sent as clear text over the network. As a result we don't recommend using this to protect sensitive resources.

The AuthUserFile specifies the path (in full) to the password file where the passwords are stored.

The AuthName directive contains the message which the browser uses to inform the user of what resource they're authenticating to. The value is arbitrary.

The "Require valid-user" setting simply tells Apache…
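
The following added example (not part of the original guide) illustrates why Basic is described above as sending passwords in clear text: the Authorization header is only base64-encoded, so the user name and password can be recovered from a request without any key. The function names, host, user name and password are constructed for illustration.

```python
import base64
import binascii


def build_basic_header(user: str, password: str) -> str:
    """Header value a client sends for AuthType Basic (RFC 7617)."""
    if ":" in user:
        raise ValueError("user name may not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def credentials_from_request(raw: bytes):
    """Return (user, password) from a raw HTTP request, or None.

    No key or secret is needed: base64 is an encoding, not encryption.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None                           # some other auth scheme
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
            text = decoded.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None                           # malformed token
        # Only the first ':' separates user from password.
        user, sep, password = text.partition(":")
        return (user, password) if sep else None
    return None


# Constructed sample request; host, user and password are made up.
SAMPLE_REQUEST = (
    "GET /private/ HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    f"Authorization: {build_basic_header('alice', 'pa:ss word')}\r\n"
    "\r\n"
).encode("ascii")

if __name__ == "__main__":
    print(credentials_from_request(SAMPLE_REQUEST))
```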