apache .htaccess and htpasswd

jordanthompson · 02-06-2005, 02:30 PM

Hi there,
I am having trouble locking out a directory on my server (requiring username/password access)

I ran htpasswd -c .htpasswd username
and entered username's password

for now I have put .htpassword in the same directory I am trying to protect.

here are the access rights:
-rw-r--r-- 1 apache apache 79 Feb 5 23:32 .htaccess
-r--r--r-- 1 apache apache 23 Feb 5 23:30 .htpasswd
-rw-r--r-- 1 jordan thompsons 115 Feb 4 00:15 index.html

Here are the contents of .htaccess:
AuthName "Test"
AuthType Basic
AuthUserFile ".htpasswd"
require valid-user

Here are the contents of .htpasswd:
username:RnCYlrJTT7hwU

When I web to the directory, I get immediate access (no prompt for username/password.)

Any suggestions?

thanks for your help,
Jordan

jordanthompson · 02-07-2005, 12:29 PM

Any suggestions?

Artanicus · 02-07-2005, 12:55 PM

Well, for starters, is htaccess behaviour turned on in your apache? Uusally it is tho by default..

Heres one of my .htaccess:

Code:

AuthUserFile /absolute/www/root/path/.htpasswd
AuthGroupFile /dev/null
AuthName "Example auth"
AuthType Basic

<Limit GET POST>
require valid-user
</Limit>

This works fine with me, so the prob could be one or several of:
- you need to specify a group file
- you have to have a Limit section, especially the requiŕe valid user sounds pretty valuable.. (;
- And the full path might be required, Im not sure.. But hey, this one of mine works as it should..

Hope this helps in debugging

KimVette · 02-07-2005, 02:59 PM

You should make sure that your host/virtual host is configured to first deny, then allow.

Here is a sample (edited) .htaccess file I am using on one of my test machines:

Code:

Linux:/srv/www/htdocs/ # cat .htaccess

AuthType Basic
AuthName "Test_Login"
AuthUserFile /srv/www/AccessControl/passwords #This contains the name:password pairs

Deny from all #Note we are instructing Apache to deny everyone access

Allow from 192.168.1.0/255.255.255.0 #Now we are allowing only from specific IP ranges (e.g., if you want to allow only a certain company to access, or configure for an intranet, etc.) - you can omit IP restriction if you want

Require user foo  #You could require a user, list of users, or a group, etc.

Satisfy Any #Valid choices are "Any" or "All" which is equivalent to OR or AND logical operators, respectively.

KimVette · 02-07-2005, 03:02 PM

Now, why the HE-doublehockeysticks does this board apply emoticons to text between [ c0de] tags?!

Artanicus · 02-07-2005, 03:04 PM

Quote:

Originally posted by KimVette
Now, why the HE-doublehockeysticks does this board apply emoticons to text between [ c0de] tags?!

Indeed a fact I have wondered countless times.. d:

KimVette · 02-07-2005, 03:26 PM

Quote:

Originally posted by KimVette
You should make sure that your host/virtual host is configured to first deny, then allow.

Here is a sample (edited) .htaccess file I am using on one of my test machines:

Code:

Linux:/srv/www/htdocs/ # cat .htaccess AuthType Basic AuthName "Test_Login" AuthUserFile /srv/www/AccessControl/passwords #This contains the name:password pairs Deny from all #Note we are instructing Apache to deny everyone access Allow from 192.168.1.0/255.255.255.0 #Now we are allowing only from specific IP ranges (e.g., if you want to allow only a certain company to access, or configure for an intranet, etc.) - you can omit IP restriction if you want Require user foo #You could require a user, list of users, or a group, etc. Satisfy Any #Valid choices are "Any" or "All" which is equivalent to OR or AND logical operators, respectively.

Disabling smilies, leaving the original so mods and admins can see the problem with the board software. emoticon substitution code should ignore anything in the [c0de] section.

jordanthompson · 02-07-2005, 05:52 PM

Thanks for all of your help, but none of his is working...
Does it matter that the index.html file in the directory is redirectiing to a cgi?

<html>
<META HTTP-EQUIV="Refresh"
CONTENT="0; URL=http://www.mydomain.com/cgi-bin/movies.pl?action=">
</html>

When I web over to it, it just does the redirect and bataboom I am running the cgi.

Any suggestions?

jordanthompson · 02-07-2005, 05:59 PM

I think that there is something missing from my apache setup. Where is the setup file for apache and what should I be looking for?
thanks for your help.

Artanicus · 02-07-2005, 11:12 PM

imho the redirect shouldnt be a problem..

the config is usually located at /etc/apache/httpd.conf but it varies by distribution.. just do a 'locate httpd.conf'

Here are a few settings there considering .htaccess:

Code:

AccessFileName .htaccess

Code:

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

And inside the main www root Directory settings tags:

Code:

    AllowOverride All # or something not as drastic, but this atleast works.. (: