Page 2 - An Introduction to Security Measures in Apache 2.2
Configure it right - Apache
This article is aimed at giving you a practical and interesting introduction to the two methods of authentication available to you as an administrator of Apache. It is only a first step, and not intended as the only step if you are configuring a commercial web server.
The following directives can be placed either into the main Apache configuration file, the httpd.conf file, or into individual .htaccess files (or distributed configuration files). However, it is recommended that they be placed into the configuration file rather than using the .htaccess method, for reasons of both performance and security. If Apache is configured to allow .htaccess files, it will look in every directory for them every time a document is requested.
The security aspect is less of a problem in the scenario of this tutorial, because you probably aren't an ISP with lots of users wanting to configure their own directories. However, a misconfiguration of the <FilesMatch "^\.ht"> directive will allow remote users to view the files in a browser. Apache themselves state that .htaccess files should only ever be used when you don't have access to the main server configuration file, so heed their advice and save yourself problems if you are ever in a position of making these kinds of configuration decisions on a live, publicly accessed web server.
The following statements can happily reside in any <Directory> section of your configuration file. The folder I use to serve documents from on my own machine is C:\www, but you could just as easily share and protect your music folder.
Firstly, we specify the path to the file that contains the usernames and passwords. Next, we declare which type of authentication we are using. The AuthName directive sets the text that appears in the header of the credentials prompt. It also sets a realm within which an already authenticated visitor can request other protected directories (provided they also have AuthName "Restricted Area" in their respective <Directory> section) without needing to enter the password again.
Finally, the Require directive states that any authenticated visitors may access the directory. Alternatively, you could specify individual users that are allowed access. There are other directives that can be used, such as the Satisfy statement, but in this situation, nothing else is required.
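The directives described above, assembled into an httpd.conf fragment. This is an added example, not the article's own listing: the password file path and the choice of AuthType Basic are assumptions, and the syntax is Apache 2.2 (Order/Deny/Satisfy).

```apache
# Added example for Apache 2.2; not the article's original listing.

# Stop .htaccess and .htpasswd files from being served to browsers.
# The backslash matters: "^\.ht" matches a literal dot followed by "ht".
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

<Directory "C:/www">
    # Keep all settings in httpd.conf: Apache then skips the per-request
    # search for .htaccess files, and nothing in this tree can override
    # the authentication rules below.
    AllowOverride None

    # 1. File holding the usernames and password hashes.
    #    Assumed path, kept outside the served folder so it can never
    #    be requested as a document.
    AuthUserFile "C:/Apache2.2/passwords/.htpasswd"

    # 2. Authentication type (Basic is assumed here).
    AuthType Basic

    # 3. Prompt text and realm name. Other <Directory> sections that use
    #    the same AuthName share the visitor's authenticated session.
    AuthName "Restricted Area"

    # 4. Any user listed in the password file may enter. To limit access
    #    to named accounts, use for example: Require user alice bob
    #    (hypothetical usernames).
    Require valid-user
</Directory>
```

With AuthType Basic the username and password are sent base64-encoded rather than encrypted, so a directory protected this way should be served over TLS. Run `httpd -t` after editing to check the syntax before restarting the server.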