technical documents

basic http authentication with lighttpd

Posted by: Dan on July 29, 2007 01:07:01 PM +00:00
Password protection can limit access to your website or a specific sub-directory.


Make sure you enable mod_access and mod_auth in your lighttpd.conf:

server.modules += ( "mod_access" )
server.modules += ( "mod_auth" )


#htpasswd -c ~/lighttpd/foo-auth.xt username

Running this command will prompt for this user's new password to store in the txt file. Combining this with a special $HTTP["host"] conditional ruleset in our lighttpd.conf will allow us to enable BASIC http authentication.

$HTTP["host"] =~ ".*domainroot.*" {
$HTTP["url"] =~ "^/somesubdir/" {
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/home/you/lighttpd/foo-auth.txt"
auth.require = ("/somesubdir" => (
"method" => "basic",
"realm" => "anything",
"require" => "valid-user"

Plain Text

If you don't have access to htpasswd or don't care if the password is not encrypted, you can simply create a plain text file with the following:


"Username" can be any user name you like and the "123" is the password.

The configuration is a little different for this form of authentication:

$HTTP["url"] =~ "^/somesubdir" {
auth.backend = "plain"
auth.backend.plain.userfile = "/home/you/lighttpd/foo-auth.txt"
auth.require = ("/somesubdir" => (
"method" => "basic",
"realm" => "whatever",
"require" => "valid-user"

Once this is in place, restart your lighttpd instance and users visiting the now protected url will be prompted with something like this:


Updated: 30 Sep 10 16:15