Skip to content

How to Fix Apache htpasswd Authentication Error

DodaTech Updated 2026-06-24 2 min read

In this tutorial, you'll learn about How to Fix Apache htpasswd Authentication Error. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Apache returns 401 Unauthorized even with correct credentials, or the browser shows the login prompt repeatedly — the htpasswd file is missing, has wrong permissions, or the auth configuration is incorrect.

The Problem

$ curl -u admin:password http://localhost/admin/
401 Unauthorized

Step-by-Step Fix

Step 1: Create the password file

# Create new file with first user
sudo htpasswd -c /etc/apache2/.htpasswd admin

# Add more users
sudo htpasswd /etc/apache2/.htpasswd user2

Step 2: Set correct permissions

sudo chown www-data:www-data /etc/apache2/.htpasswd
sudo chmod 640 /etc/apache2/.htpasswd

Step 3: Configure Apache authentication

<Directory /var/www/html/admin>
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>

Step 4: Use authentication in .htaccess

# /var/www/html/admin/.htaccess
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

Step 5: Verify password file contents

sudo cat /etc/apache2/.htpasswd
# Format: username:$apr1$... (hashed password)

Step 6: Test authentication

curl -u admin:password -I http://localhost/admin/
# Or test with wrong password to verify
curl -u admin:wrong -I http://localhost/admin/

Prevention Tips

  • Store .htpasswd files outside the document root
  • Use htpasswd -B for bcrypt password hashing (more secure)
  • Restrict .htpasswd file permissions to 640 or 600
  • Use Require directives to allow specific users or groups

Common Mistakes with htpasswd auth

  1. Mixing let bindings with <- bindings in do notation, producing type errors
  2. Overlapping type class instances that cause GHC to reject the program with ambiguous dispatch errors
  3. Non-exhaustive pattern matches that compile with warnings then crash at runtime

These mistakes appear frequently in real-world APACHE code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

### Why does Apache keep asking for a password even after entering correct credentials?

The browser is sending the wrong credentials or the password file is not being found. Check the AuthUserFile path is absolute and readable by the Apache user. Also check that no other authentication method is conflicting, such as a parent directory's .htaccess.

How do I change a user's password in htpasswd?

Run sudo htpasswd /etc/apache2/.htpasswd username (without the -c flag). The -c flag creates a new file and deletes existing users. Without -c, it updates the specified user's password in the existing file.

What is the difference between Require valid-user and Require user admin?

Require valid-user allows any user listed in the AuthUserFile. Require user admin allows only the specified user (admin). Use Require valid-user for general access control and Require user for fine-grained per-user permissions.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro