It took a few attempts but I finally managed to set up a password protected directory using apache mod_auth_digest. The apache documentation is actually pretty good, but omitted one crucial fact for those of us who don’t have control over the apache server configuration.

My site is hosted under a shared hosting plan, so the only configuration I can do is via the .htaccess file. I wanted to create a directory that would require password authentication. I don’t plan to keep anything particularly sensitive there, but it’s convenient to have somewhere to stash miscellaneous junk.

So mod_auth_digest seemed like just the ticket. The steps required were:

  1. Create the directory.
  2. Create the password file. The tool for this is htdigest, run as htdigest -c /path/to/file realm username (the -c flag creates the file, and overwrites it if it already exists, so leave it off when adding further users). On its command line you tell it the “realm” and the username that you want to create. The realm is the label that will (eventually) be displayed on the login dialog box, and must match the AuthName setting in the next step exactly.
  3. Create a .htaccess in the directory you just created. This is the key information that isn’t mentioned in the apache documentation. Initially I thought you could just update the .htaccess file in the web root directory, and specify the protected URI - and the documentation seems to actually say that. But, at least on my shared host, this did not work.

An example .htaccess:

<IfModule mod_auth_digest.c>
    AuthType Digest
    # Realm: must be exactly the realm you passed to htdigest
    AuthName "Some Name"
    # URI(s) the browser may reuse these credentials for without a new challenge
    AuthDigestDomain /top_secret_path/
    AuthDigestProvider file
    # Password file written by htdigest; keep it outside the document root
    AuthUserFile /some/path/readable/by/apache.digest.passwd
    # Seconds a server nonce stays valid (bounds how long a captured request can be replayed)
    AuthDigestNonceLifetime 3600
    Require valid-user
</IfModule>

The file specified in AuthUserFile is the one you created (or updated) using htdigest, and “Some Name” is the realm you told htdigest to associate the user with.
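As an added illustration (not part of the original post), the shell below reproduces what htdigest writes, which makes it obvious why the realm has to match AuthName, and then checks a .htaccess against a password file so a mismatch is caught before you discover it in the error log. It assumes htdigest's file format, user:realm:MD5("user:realm:password"), and a Linux md5sum; the sample user, realm and password are the constructed ones from the HTTP Digest RFC example, and the temp files it creates are constructed too.

```shell
#!/bin/sh
# Added example, not the original post's code.
# Assumes: htdigest writes "user:realm:HA1" with HA1 = MD5("user:realm:password"),
# and md5sum (GNU coreutils) is available.

# Equivalent of:  htdigest -c "$file" "$realm" "$user"   (-c creates/overwrites the file)
# The realm is hashed into the entry, so a different AuthName means a different HA1
# and every login fails, even with the right password.
digest_line() {
    user=$1; realm=$2; password=$3
    ha1=$(printf '%s' "$user:$realm:$password" | md5sum | cut -d' ' -f1)
    printf '%s:%s:%s\n' "$user" "$realm" "$ha1"
}

# Pull the realm out of the AuthName line of a .htaccess file.
authname_of() {
    sed -n 's/^[[:space:]]*AuthName[[:space:]]*"\(.*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only if the digest file has at least one entry for the realm named in .htaccess.
realm_matches() {
    htaccess=$1; digestfile=$2
    realm=$(authname_of "$htaccess")
    [ -n "$realm" ] || return 1
    awk -F: -v r="$realm" '$2 == r { found = 1 } END { exit !found }' "$digestfile"
}

# Demo on constructed files (values from the RFC 2617 worked example).
tmp=$(mktemp -d)
printf 'AuthType Digest\nAuthName "testrealm@host.com"\nRequire valid-user\n' > "$tmp/.htaccess"
digest_line Mufasa testrealm@host.com 'Circle Of Life' > "$tmp/digest.passwd"
cat "$tmp/digest.passwd"
if realm_matches "$tmp/.htaccess" "$tmp/digest.passwd"; then
    echo "realm in .htaccess matches an entry in the password file"
else
    echo "realm mismatch: AuthName and the htdigest realm differ" >&2
fi
rm -rf "$tmp"
```

Run it before reloading the directory: the entry it prints is byte-for-byte what htdigest would have written, and the check is the same comparison Apache makes when it looks up the user in the realm.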

If things go wrong, have a look at your web server error log. Apache does a nice job of saying exactly what it didn’t like.

And that’s about it. You’ll end up with something that’s slightly harder to get at than a directory protected by Basic authentication, which sends the password (base64-encoded, which is trivially decoded) on every HTTP request, whereas Digest sends only an MD5 hash bound to a server nonce. Neither scheme is a substitute for TLS, and the htdigest file holds MD5(user:realm:password), which on its own is enough to authenticate to that realm, so keep it outside the document root and readable only by the web server.