protecting directories in apache

rogerdv · 07-02-2009, 11:31 AM

Im trying to protect a directory in my web server with password, or by allowing a few internal IPs. the problem is that even when I follow the tutorials, it doesnt works.
Im using virtual host and I add in the VH config this:

Code:

<Directory "/var/www/gh/administrator">
AuthType basic
AuthName "prompt"
AuthUserFile .htpass
Require valid-user
</Directory>

But it keeps asking for the password again and again. I have tried also adding

Code:

AuthGroupFile /etc/apache2/group
Require group MEMBERS
</Directory>

but it is the same

If I try to deny external IPs with this:

Code:

<Directory "/var/www/gh/administrator">
Allow from 192.168.1.7
Order deny, allow
Deny form all
</Directory>

Simply forbids all IPS. Any idea about how to deal with this?

bathory · 07-02-2009, 12:16 PM

You need a "AllowOverride AuthConfig" inside the <Directory "/var/www/gh/administrator"> definition.
Also make sure that the password file .htpass is in the above mentioned directory.
Note that's not a good idea to have your password file in a directory accessible via the web server.

Regards

rogerdv · 07-02-2009, 02:02 PM

The same, it keep asking the password.

dezza · 07-02-2009, 02:13 PM

Yes and what about the htpasswd file?

You have to create it ..

PHP:

Code:

 <?php echo crypt("password", base64_encode("password")); ?>

Or:
http://www.htaccesstools.com/htpasswd-generator/
http://www.htaccesstools.com/htaccess-authentication/

I cannot remember the shell version of echo'ing htpasswd files, but I've seen it in several tutorials.

Please add it if you have it somewhere.

bathory · 07-02-2009, 04:27 PM

The password file can be created using htpasswd. Just make sure it's readable by the user that runs apache.
You can check the apache error_log to see if you find any hints, why it keeps asking for the password.