hello everyone, and thank you for your help.

I am a novice at apache and am trying to protect my directories. I could use one of those management programs, but that wouldn't be any fun, right?

anyway, I opted to go with .htaccess and have been reading up on it. I created my .htaccess file, and then my password file using htpasswd.

AuthName "Please Input Credentials"
AuthUserFile /var/www/html/testaccess/passwordfile
AuthType Basic
require user user1

Then, I changed the httpd.conf file to read the following, then I restarted the service using 'service httpd restart'

<Directory />
Options FollowSymLinks
AllowOverride all
</Directory>

this is a fresh install of apache on Fedora 17. The default index.html file will pop up on the web browser with no authentication.

Any thoughts? Thanks again!

Can you paste full "httpd.conf" file? What happen if you made a some mistake in this .htaccess file, for example enter at beginning random characters. Server report error or display your index.html without errors?

I get the index.html page without any errors. It's like there's nothing happening.

I'm not so sure that you want me to post the entire httpd.conf file... it's rather large. Is there a portion of it that would be useful to see? The only changes I've made are to that particular 'AllowOverride all' line as well as changing my server name.

thank you for the help.

So, .htaccess is not readed at all. Check permissions, if user or group on which webserver is running has read access to it. Check all "AllowOverride" entries, maybe there are more specific which has "None" option set. Look also into files in "Include" directives if you have any.

well, I think I figured it out. You were correct about the httpd.conf file. There were two entries for <Directory>. The first was for the root directory and the sequential ones were for directories within the /var/www/html. So I added an entry:

<Directory "/var/www/html/testaccess">
AllowOverride All
</Directory>

Adding this below the other directories (I would assume) would load that command last and therefore would not be overridden by those other entries.

BTW, I changed the root directory back to AllowOverride None : ) ...that's the one that I had change originally.

Thank you for the help!

FYI use the httpd.conf file instead of htaccess
https://httpd.apache.org/docs/curren.../htaccess.html

I went ahead and tested this out with another directory that I created and it worked great. However, the authentication window said that the password is not being sent encrypted. out of curiosity, will the password be in plain text for sniffing programs to see?

I guess the only way to remedy that is to make the site secure and put the protected directory behind it. Is there a way to make the password inputs more secure?

Yes, in basic authentication passwords are sent in plain text and easily readable by sniffing. Some more secure method is a digest authentication Credentials data is somehow mangled and even readed by sniffer is probably not possible to guess password, but this method is not safe againts man in the middle attacks, as browser cannot authenticate server. Also any method of authentication you choose does not crypt data you transfer between browser and server. You need to use ssl certificates to crypt communication.