I wish lighttpd was as well supported as Apache.

lighttpd/htaccess Protection

June 6th, 2009
Tags:

First, make sure mod_auth is enabled in lighttpd.conf, in the big giant list o’ modules near the top of the config.

Then:

auth.backend = "plain"
auth.backend.plain.userfile = "/path/to/your/htpasswd_file"
auth.require = ( "/" =>
	(
		"method" => "basic",
		"realm" => "Password protected area",
		"require" => "valid-user"
	)
)

The htpasswd_file should be located outside of a docroot (you don’t really want people downloading it, now, do you?) and is, for all intents and purposes, a conventional htpasswd file. That is, you can use the htpasswd utility to generate it, or if you’re lazy, one of the many web-based utilities out there. (Google for .htpasswd generator)

The auth.require line – or rather, the first part, is what’s being protected. / should cover the whole docroot; if you wanted to protect a subdirectory, you’d just use “/mysubdirectory/” for example.