Need to password protect Apache subdir

audiodef · 07-12-2014, 10:03 AM

I need to password protect an Apache subdir with HTTP authentication of some kind. I don't really care if it's basic auth or MySQL auth. I just need to keep the public from being able to see a specific subdir of a public site.

My server OS is Ubuntu Server. I've tried posting to their forums, but that didn't help much. I've tried a few things already, but basically, when I think I've done it correctly, I get an HTTP auth dialog, enter the correct user/pass, and I get:

Code:

Unauthorized

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

What I've tried so far is to edit my vhost conf like so:

Code:

<VirtualHost *:80>
    ServerAdmin (email)
    ServerName (domain).com
    ServerAlias www.(domain).com
    DocumentRoot /var/www/(dir)
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/(dir)/(subdir)>
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile "/path/to/authfile"
        Require valid-user
        Order allow,deny
        Allow from all
</Directory>
</VirtualHost>

I don't see anything wrong with this, and I'm hoping someone can tell me why I'm getting the Unauthorized error and what I should to do fix it. (I have correctly created the authfile with htpasswd, as well.)

bathory · 07-12-2014, 12:43 PM

Quote:

I don't see anything wrong with this, and I'm hoping someone can tell me why I'm getting the Unauthorized error and what I should to do fix it. (I have correctly created the authfile with htpasswd, as well.)

Your config looks correct. What do the apache logs say?

audiodef · 07-13-2014, 08:11 PM

The log says

Code:

[Sun Jul 13 21:13:16.809158 2014] [:error] [pid 17914] No requires line available

bathory · 07-14-2014, 01:56 AM

Quote:

Originally Posted by audiodef

The log says

Code:

[Sun Jul 13 21:13:16.809158 2014] [:error] [pid 17914] No requires line available

Well. as I told you your config looks correct. On the other hand the error above, comes from mod_auth_mysql, so that makes me think that there are some remains of it in the configuration, or perhaps in a .htaccess file.

audiodef · 07-14-2014, 12:29 PM

auth_mysql is required for other things, so I can't troubleshoot by disabling it. I've reported this as a bug to Ubuntu Server (14.04) and I'm SERIOUSLY thinking of blowing away my entire server setup and going with a distro that, well, actually works.

rubanek · 07-14-2014, 03:14 PM

I'll bet you your version of Apache is 2.4.

Apache changed the directive to secure directories from the "Allow/Deny" scheme to a new "Requires" scheme when the jumped from 2.2 to 2.4. Do a google search for "Apache 2.4" access control.

I found this link: http://httpd.apache.org/docs/current/howto/access.html

There is says the following:

Quote:

The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use.

You need a requires directive like so:

Quote:

Require all granted

Hence your error message of:

Quote:

No requires line available

audiodef · 07-14-2014, 04:21 PM

I appreciate the replies. :-)

I went with an entirely different solution, as Ubuntu clearly has a bug in their setup and I can't wait around for a fix. :-)

bathory · 07-15-2014, 03:01 AM

Quote:

Originally Posted by audiodef

I appreciate the replies. :-)

I went with an entirely different solution, as Ubuntu clearly has a bug in their setup and I can't wait around for a fix. :-)

It's not actually a bug. Apache has dropped mod_auth_mysql in favor of mod_authn_dbd and apparently Ubuntu suffers from this.
Have a look here for more details

Regards