I've been trying to install password protection in a subdirectory of my Apache 2.4 (Windows 10) htdocs directory.
I started with an external .htaccess file and migrated to adding the data to a entyr in the httpd.conf file.
I place the .htpasswd file in the directory above htdocs (root?) and refer to the directory as '/.htaccess'. I ran Process Monitor (formerly from SysInternals) and know the .htpasswd and .htaccess files were being found and read.
I access the protected directory using three different addresses:127.0.0.1(localhost);192.168.0.101; and 'jimjulian.ddns.net'.
In each case, the password form pops up once, I fill out the form, get entry and close. In each case, I have access from then on, without the form.
I tried erasing the browser (Chrome) cache, but to no end.
Is there anything I've overlooked? Anything I can try?
.htaccess contents:
AuthType Basic
AuthName 'Area51'
AuthUserFile 'C:\Apache24\.htpasswd'
require valid-user
I wasn't sure what to do with the AllowOverride. Seemed to me, the default setting, None, would nullify the contents of the .htaccess
So I set that to All in the conf file
Two revelations solved the problem.
My dns updater for No-IP was not running.
Even though I cleared the browsing history and cache regularly, I didn't realize until just now, and after installing another browser for comparisons, that passwords and usernames were being held the length of the session. Once I closed the browser and reopened, and cleared the cache again, the password popup, popped up. Perhaps this will benefit someone.
Related
Disclaimer: I have little to no knowledge of Apache, all the information posted here was pieced together from Google search results only, within 1 night.
--
I can't seem to get .htaccess to block only the sub-directories of my domain, could someone please help me?
My root domain: http://domain.com (/home/username/domain/)
The directory I'm trying to block is /home/username/domain/files/
In the /domain/ directory, I have modified the .htaccess file accordingly:
# Password Protect Directories #
AuthName "You shall not pass!"
AuthType Basic
AuthUserFile /home/username/domain/files.htpasswd
require valid-user
# END Password Protect Directories #
The problem is, this seems to password protect my root directory as well as the sub-directory specified.
--
I've tried moving this .htaccess file entry into a separate .htaccess file in the /domain/files/ directory, but then this doesn't work at all, nothing is password protected.
I'm not quite sure what I'm supposed to be doing here, I've read dozens of tutorials online, but none seem to help me beyond password protecting my entire root directory.
--
Can someone please explain to me how I can block multiple sub-directories only?
/domain/files/
/domain/software/
/domain/pictures/
etc...
Thanks!
--
Alternately, if anyone knows a better way to accomplish this, feel free to let me know.
There really is nothing to the authentication. You need to put the code in the .htaccess file in the sub-directory you want to protect. Also I would not put my password file in a publicly accessible location. Put it outside the root like in your home folder. So this code should go in your files folder.
# Password Protect Directories #
AuthName "You shall not pass!"
AuthType Basic
AuthUserFile /home/username/.htpasswd
require valid-user
# END Password Protect Directories #
Make sure apache can read your .htpasswd file and the correct ownership and permissions. Also try and clear your browser cache to test. I've seen that many times that it appears to not work until I clear the cache and then I get the prompt.
I'm totally new to XAMPP and I'm trying to set up the security for it as best as possible. I understand that it is beneficial to create an .htaccess file to password protect certain directories. There is a page/script that is built into xampp available at http://localhost/security/xamppsecurity.php that will generate one for you in the /htdocs/xampp directory. However, after I've gone and done this, I'm still not prompted for a password when I visit my site at http://localhost/xampp. I thought I should've been prompted for a username and password here? This is a difficult problem to search answers for so I apologize if this has been answered already.
I've made sure to close/re-open my browser and delete all history/cache/cookies. I also restarted the Apache service after creating the htaccess file.
the .htaccess file:
AuthName "xampp user"
AuthType Basic
AuthUserFile "C:\xampp\security\xampp.users"
require valid-user
C:\xampp\security\xampp.users is a valid file and it contains the username I setup and an encrypted password.
Try to copy your .htaccess file to the htdocs directory:
C:\xampp\htdocs\.htaccess
I hope it works ;)
Looks like .htaccess doesn't work on the htdocs\xampp directory.
I've created a .htpasswd file and .htaccess to password protect my localhost. I have put both in my mamp folder (where my website folders are). I have encrypted the password put in my htaccess :
AuthUserFile /WorkArea/mamp/
AuthType Basic
AuthName "localhost"
Require valid-user
It has locked me out of my localhost by giving me a 500 internal error.
The discussion above fed to this solution:
It is important to understand that .htaccess and .htpasswd files have to be plain text files to work. So the best way to create and manage them is to use a plain text editor. Using some kind of word processor (like OpenOffice-Word or similar) will save additional formatting information into those files. This will lead to the http server not being able to make sense of those files, thus throwing an error.
Also some side note: the .htpasswd file should not be placed alongside the documents pubished by the http server. This is a high security risk. So .htaccess and .htpasswd style files must be stored at completely separate locations, the first within, the second outside the area of the documents.
After hours of searching the web and trying dozens of unsuccessful solutions - here is my question.
I'm currently configuring a webserver on RHEL 6.4 and httpd 2.2.15 behind another RHEL 6.4 server using squid 3.1.10 and HTTPS only. I'm also using mod_rpaf to simplify logging and identification of visitors behind the proxy.
My problem is to configure a simple password protected folder. When I try to access the folder, the password dialog pops up with the configured AuthName. So I know that the .htaccess is being parsed. But the dialog does not accept the correct credentials and gives me an error 401.
I messed around with:
different permissions for .htaccess, .htpasswd and parent folders
different absolute locations for the .htpasswd
all activated Apache modules that are available on my system
different encryption algorithms for .htpasswd (crypt, md5, sha, salted sha...)
AllowOverride All on the protected and parent folder
But what I really do not understand that even if I put a wrong location for AuthUserFile there is no error message in Apaches error_log like the well known Permission denied: Could not open password file. Even on LogLevel debug Therefore I think that something is wrong with that Directive AuthUserFile.
I hope there is someone out there knowing better methods to identify the problem.
This is my simple .htaccess I'm using for testing:
AuthType Basic
AuthName "Test123"
#AuthUserFile /var/www/test/.htpasswd
AuthUserFile /notexisting
Require valid-user
Finally I got it to work!
I tracked the error down to the squid reverse proxy by using lynx on my webserver and successfully accessing the protected folder from there.
With my new focus on squid I started googling again. Already the first link took me to the correct answer: squid did not allow the apache to handle user authentication.
Resulution:
Add login=PASS to the cache_peer command in your squid.conf
I've just added an .htaccess and an .htpasswd to my web app and i'm now getting an error 500.
.htaccess :
AuthUserFile ./.htpasswd
AuthName "Password Protected Area"
AuthType Basic
<limit GET POST>
require valid-user
</limit>
.htpasswd
root:roe7nCYHcm0As
I've read on this web site that i had to enable "headers_module" and "rewrite_module" and then retart the server, which i did, but i'm still getting this error.
I'm using wampserver 2.2 (apache 2.4.2) on windows 7.
That's most probably because htaccess does not find your file's location.
If you use a relative path, then apache uses the server root which is /etc/apache2 in my case (ubuntu).
Just to be sure, click right on the password file and get the path and paste it to .htaccess. If it still not works, please copy and paste your error log here so that I can exactly see the error.
EDIT
I've seen your last comment now.
Some setups require that you store the encrypted version of the password. So for instance, instead of storing the password as
myuser:111
you should store like:
myuser:$apr1$E6YrxcHU$ilyC2mqfNSrQmle4KEAeq.
I don't have a Windows at hand right now so I cannot check it but earlier versions of Wamp had a password generator for .htpasswd under c:\wamp\Apache2\bin\htpasswd.exe. Try to check that program.
Otherwise, apache uses md5 by default to encrypt passwords. You can encrypt programmatically your password and then copy it to the password file.
I even blogged about this :)
Please let me know if it still doesn't work.
Actually it could well be that you have installed wamp into 'program files'
There are a few bits of Apache and PHP that dont like living in a folder structure that has a space in one of the folder names.
It is recommended that you install it to C:\wamp or D:\wamp or any drive you like but not one with a space in any folder name.