Lighttpd setup a password protected directory (directories)

If you need to require authentication for certain directories served by the Lighttpd web server, you can use Lighttpd's mod_auth module. It lets you protect any directory on the web server with access restrictions (just like Apache's password-protected directories).

Lighttpd supports both basic and digest authentication methods. Now consider the following sample setup:

Domain name: theos.in
Directory (DocRoot) to protect with a password: /home/lighttpd/theos.in/http/docs
Username: vivek
Lighttpd password file: /home/lighttpd/.lighttpdpassword (this file should be outside the default HTTP document root)

How do I use the Basic authentication method?

Basic authentication is easy to implement, but with the plain backend the passwords are stored in cleartext in a file. If you are going to use this method, make sure the connection uses SSL (Secure Socket Layer) encryption.
Step #1: Open the /etc/lighttpd/lighttpd.conf file

Make sure mod_auth is loaded:

server.modules += ( "mod_auth" )

Now add the following three directives:

auth.debug = 2
auth.backend = "plain"
auth.backend.plain.userfile = "/home/lighttpd/.lighttpdpassword"

Where,

auth.debug = 2 : Specifies the debug level (0 turns off debug messages, 1 logs an "authentication ok" message and 2 gives detailed/verbose debugging messages). This is useful for troubleshooting authentication problems; the messages are logged to the access.log and error.log files.
auth.backend = "plain" : Use the plain-text backend (other options are ldap, htpasswd and others).
auth.backend.plain.userfile = "/home/lighttpd/.lighttpdpassword" : Filename of the username:password storage.

Next, you need to specify which directory you want to password protect. For example, consider the directory /home/lighttpd/theos.in/http/docs. Find your domain's virtual host section (theos.in) and append the following text:

auth.require = ( "/docs/" =>
    (
        "method" => "basic",
        "realm" => "Password protected area",
        "require" => "user=vivek"
    )
)

Where,

auth.require = ( "/docs/" => : Directory name
"method" => "basic", : Authentication type
"realm" => "Password protected area", : Password realm/message
"require" => "user=vivek" : Only user vivek can use /docs/

At the end, your configuration should read as follows:

$HTTP["host"] == "theos.in" {
    server.document-root = "/home/lighttpd/theos.in/http"
    server.errorlog = "/var/log/lighttpd/theos.in/error.log"
    accesslog.filename = "/var/log/lighttpd/theos.in/access.log"
    auth.require = ( "/docs/" =>
        (
            "method" => "basic",
            "realm" => "Password protected area",
            "require" => "user=vivek"
        )
    )
}

Save and close the file.

Step #2: Create a password file

Create a plain-text file holding the username (vivek) and password:

# vi /home/lighttpd/.lighttpdpassword

Append a username:password line:

vivek:mysecretepassword

Where,

vivek - is the name of the user. Do not use a system user stored in the /etc/passwd file; it is recommended that you use a separate username that exists only for authenticating to password-protected directories.
mysecretepassword - is the password for user vivek (it must be in cleartext for the plain backend)

Save and close the file. Make sure the file /home/lighttpd/.lighttpdpassword is readable by lighttpd:

# chown lighttpd:lighttpd /home/lighttpd/.lighttpdpassword

Finally, restart the lighttpd server:

# /etc/init.d/lighttpd restart

Step #3: Test your configuration

Point a web browser at http://yourdomain.com/docs/, http://localhost/docs/ or http://ip-address/docs/. You should be prompted for a username and password.

This way you can restrict access to certain areas of your website. Make sure you also use SSL encryption when authenticating users, and consider the secure digest authentication method.
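A small checker for the plain password file and the Basic scheme described above, as an added example that is not part of the original post or of lighttpd itself. It assumes the user:password line format shown on this page, reports a file left inside the document root or readable by other users, and shows that the Basic header a browser sends is only base64, which is why SSL is required for this method.

```python
import base64
import os
import stat

def parse_plain_userfile(text):
    """Parse the "plain" backend file: one user:password per line.

    Blank lines are skipped; the password is everything after the first
    colon (an assumption of this checker), so it may contain colons."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected user:password")
        user, password = line.split(":", 1)
        users[user] = password
    return users

def audit_userfile(path, document_root, mode):
    """Report storage problems. `mode` is os.stat(path).st_mode, passed
    in so the check can also run against constructed sample paths."""
    problems = []
    real_path = os.path.realpath(path)
    real_root = os.path.realpath(document_root)
    # A password file under the document root could be served as a page.
    if real_path.startswith(real_root + os.sep):
        problems.append("password file is inside the document root")
    # Passwords are cleartext: chown alone does not stop other local users
    # from reading a world-readable file.
    if mode & stat.S_IROTH:
        problems.append("password file is readable by other users")
    return problems

def basic_auth_header(user, password):
    """Build the Authorization header a browser sends after the 401 prompt."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def credentials_from_header(header):
    """Undo basic_auth_header: base64 is encoding, not encryption, which is
    why the page insists on SSL for this method."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password
```

Run audit_userfile with the mode from os.stat(path).st_mode to check a real file; the paths used in the example are the sample paths from this page.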