i've been trying to some time to do this, but either i'm missing something... or something's just plain broken. :-) i'm trying to protect directories in apache, i've read the how-tos and several tutorials, but haven't been able to get it working.

my .htaccess file in the dir i want to protect looks like this:


AuthUserFile /usr/local/apache/auth/users
AuthGroupFile /dev/null
AuthName "password dir"
AuthType Basic

<Limit GET POST>
order deny,allow
deny from all
require valid-user
</Limit>


my access.conf file looks like:


<files ~ "/\.ht">
order deny,allow
deny from all
</files>

<Directory /mp3sync>
AllowOverride AuthConfig
</Directory>


yet i'm still never prompted for a passwd when accessing that dir via the web. so what am i missing?? i've been pulling my hair out for awhile.

It's probably in your Apache config. You need to allow AuthConfig and Limit on the directories in question.

Otherwise, Apache doesn't even bother looking to .htaccess files.

You might also want to check the value of "AccessFileName" to make sure is specifies ".htaccess".

..of course my example was more of a minimum. You could always "AllowOverride All"

i still can't get it to work... this is really driving me crazy, cause as far as i can tell i'm doing everything right. anyway, here's what i have in my httpd.conf file now:<BR><BR>

<Directory /mp3sync>
AllowOverride All
</Directory>


#ResourceConfig conf/srm.conf
#AccessConfig conf/access.conf


# AccessFileName: The name of the file to look for in each directory
# for access control information.
#
AccessFileName .htaccess


and my .htaccess file looks like:


AuthUserFile /usr/local/apache/auth/users
AuthGroupFile /dev/null
AuthName "w00t"
AuthType Basic

<Limit GET POST>
order deny,allow
deny from all
require valid-user

ok, how come this forum doesn't allow multiple line breaks anymore?

Is the "mp3sync" directory path on the file system actually "/"? The "Directory" directive needs the exact filesystem path for the directory, not the path relative to DocumentRoot. I would assume it's something more like "/blah/blah/mp3sync", of course I could be wrong

you know what? you're right... i actually figured that out last night. :-)

so now i have another question... is it possible to protect the directory based on the client's IP?

the situation is that i have this directory that i use mostly from my internal network (IPs are 192.168.1.x) which i would like to be able to access from my internal clients without hastle. however, on the rare occassion that i do access it from anywhere else on the inet, i'd like to be prompted for a passwd. i know it's possible using PHP in the index.php file, however i'd like to protect the entire directory and not just the index file. is this possible?

i appreciate the help. :-)

Sure - in the .htaccess:

If the user's IP is in one of the "allow from" lines they won't need a passwd. If not, they get the prompt (the "satisfy any" line).

i'll give that a try when i get home (blah... at work). you're the man. :-)

Here is one that asks for a password on https:// and will not ask for a password on http:// it will deny on http://

You should consider not sending your passwords over an unsecure connection.

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>


Alias /upload /var/www/html/upload
<Directory /var/www/html/upload>
SSLRequiressl
EnablePut On
AuthType Basic
AuthName UploadAccess
AuthUserFile /etc/httpd/conf/.htpasswd
EnableDelete Off
umask 007
#<Limit PUT>
require valid-user
#</Limit>
</Directory>