OpenBSD Blog #14: Password-protecting httpd(8) with htpasswd(1)

The htpasswd program comes with OpenBSD and uses bcyrpt(3) hashing to create a password (or password file).

The easiest way to create a password file is to let htpasswd create it for you by supplying the filename and a user entry to create (if the entry already exists, it will be updated, so you can use this same command to change passwords).

Use the httpd.conf(5) directive authenticate.

You can either secure the whole virtual server:

Or just a location:

The htpasswords file name and location are up to you, but remember that the file path must be relative to the httpd instance’s chroot path (also defined in httpd.conf).

Note: I found that htpasswd created the password file with 0600 permissions. I needed to use chmod to give the httpd daemon permission to read it. There were no messages in error.log or access.log and no indication that the daemon was unable to read the file - the login simply failed as if I had mistyped it.

Reload the configuration with, e.g. doas rcctl reload httpd.

You do not need to reload httpd again after making changes to the password file. It will be read afresh with each login attempt.

Now accessing the server (or location) as specified in httpd.conf pops up the standard browser login box asking for a username and password.

After success, you can confirm it’s working by viewing network traffic in your browser dev tools. Look for the "basic auth" type in the HTTP request header like so:

The user name will also appear in the web server access.log:

Note that basic auth (developer.mozilla.org) is transmitted as base64 encoding (essentially plain text), so if you’re using this over the public Internet, make sure you’re only doing it with TLS encryption so you don’t accidentally send your password in the clear!