First make sure that .htaccess overrides are enabled in /etc/apache2/sites-enabled/domain.conf
Then create a .htaccess file in the directory you want to protect:
Options +Indexes AuthType Basic AuthName "Restricted Content" AuthUserFile /etc/apache2/ocna.htpasswd Require valid-user
Now create valid users in the file /etc/apache2/ocna.htpasswd:
htpasswd -c /etc/apache2/ocna.htpasswd username
For subsequent users, just use:
htpasswd /etc/apache2/ocna.htpasswd username
Ref:
https://www.digitalocean.com/community/tutorials/how-to-set-up-password-authentication-with-apache-on-ubuntu-14-04