.htaccess notes
Create a file containing users and encrypted passwords:
$ htpasswd -c .htpasswd username
I cat-ed the contents of that file to another .ht* file (means something to apache) that I placed in /var (outside of what’s published to the web).
I then ran the htpasswd command again with another user and again cat-ed it to the same file. (But I’m reading that you can skip the cat-ing part and for additional users simply call httpasswd /var/.htpasswd username. IOW, skip the -c switch.)
Then I put a .htaccess file in folder I wanted to protect. It contains:
AuthType Basic
AuthName "Some Description"
AuthUserFile /[home dir full path]/[passwordfile]
Require valid-user
Then I made sure both files were owned by root:root and chmod-ed to 644.
Edit /etc/apache2/apache2.conf and add this to the bottom:
<Directory "[path to password protected directory]">
AllowOverride AuthConfig
</Directory>