Password-protect A lighttpd Web Server on a Raspberry Pi Using mod_auth

Password protect a lighttpd Web server.

Requirements For This Walkthrough

Resources

Walkthrough

Set Up A lighttpd Web Server on the Raspberry Pi

If you haven’t already, set up a Web Server on the Raspberry Pi.

Create A Password File

This file can go anywhere, but for simplicity in this walkthrough, we’ll store it in /etc/lighttpd/.htpasswd .

Create the hideen .htpasswd  directory:

sudo mkdir /etc/lighttpd/.htpasswd

Next, create a script that will hash a user’s password and put everything in the right format for the file.  Make a new file called hash.sh  (or whatever you want) with the following content:

#!/bin/sh
user=$1
realm=$2
pass=$3
hash=`echo -n "$user:$realm:$pass" | md5sum | cut -b -32`
echo "$user:$realm:$hash"

Make the file executable:

chmod 755 ./hash.sh

Add A User to the Password File

Run the script with three arguments: a user, a realm, and a password (which will get hashed).

./hash.sh 'username' 'myrealm' 'password'

The output will look like this:

username:myrealm:<long_string_of_numbers_and_letters>

Create the the password file and paste in the output of the command above:

sudo nano /etc/lighttpd/.htpasswd/lighttpd-htdigest.user

Enable mod_auth

Add the following to the /etc/lighttpd/lighttpd.conf  (highlighted lines).  The directory you want to password protect will go on this line: auth.require = ( “/Directory/To/Protect/” =>

server.modules = (
	"mod_access",
	"mod_alias",
	"mod_compress",
        "mod_redirect",
	"mod_auth",
#       "mod_rewrite",
)

server.document-root        = "/var/www"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 80


index-file.names            = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny             = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir          = "/var/cache/lighttpd/compress/"
compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"

auth.backend = "htdigest"                                                          
auth.backend.htdigest.userfile = "/etc/lighttpd/.htpasswd/lighttpd-htdigest.user" 
auth.require = ( "/path/to/protect/" =>
    (
    "method"  => "digest",
    "realm"   => "myrealm",
    "require" => "valid-user"
    ),
)

Restart the Web Server

Restart lighttpd to apply all the changes:

sudo service lighttpd restart

Your site should now prompt for a password whenever you navigate to the directory you chose to password-protect.

6 Replies to “Password-protect A lighttpd Web Server on a Raspberry Pi Using mod_auth”

  1. Hey Jacob, I’ve really enjoyed you work!

    Having some trouble getting this working on my Pi-Hole. Have followed your steps. but it won’t prompt for UN/PW.

    the only difference I can see in the .conf is the root-document “var/www/html”

    My goal is to protect the entire admin console for the pi-hole, any help would be much appreciated.

    1. Did you restart lighttpd after making the changes? I haven’t tried this on the Pi-hole, but I’ll see if I can replicate the issue.

      1. Hey Jacob, I figured this out. in the lighted.conf it needs to have the password requirements underneath the section about the admin page. So under the index page if that makes sense.

  2. Good article.
    Unfortunately this wouldn’t work for me.

    When i ever execute this command “./hash.sh ‘username’ ‘myrealm’ ‘password'”
    I get an output of “-bash: ./hash.sh: /bin/sh^M: bad interpreter: No such file or directory”

    Any ideas?

Leave a Reply