Override .htaccess filesmatch password protection in subdirectory - apache

My goal is similar to the question asked here:
How to remove .htaccess password protection from a subdirectory
a .htaccess file protects all index.html files in subdirectories. I want to exclude a particular subdirectory from this rule.
However, even though I created the .htaccess file in said subdirectiory with the following content:
Require all granted
I am still requested for authentication from a .htaccess file at the higher directory:
DirectoryIndex index.html
<FilesMatch "index.html">
AuthUserFile /etc/users
AuthName "Protected"
AuthGroupFile /dev/null
AuthType Basic
Require valid-user
</FilesMatch>
How can I override this FilesMatch block in a sub directory so the login is not requested? In my apache configuration file:
<Directory />
Options FollowSymLinks
AllowOverride All
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride All
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
I do have AllowOverride set properly. What am I doing wrong?

In your subdirectory/.htaccess have these 2 lines to prevent auth:
Satisfy Any
Allow from all

Related

AuthType not allowed / What to change in apache2.conf to allow .htaccess

I've tried to add a .htaccess (with Basic authentication) but I get a 500 internal server error and the logs says: /var/www/html/pgr/.htaccess: AuthType not allowed here
So it's pretty clear whats the problem but I don't know how to fix it in the apache2.conf
I think this is the relevant part (copied from my conf). I already tried to set AllowOverride to AuthConfig and of course restarted the apache2 server but it still doesn't work. Can someone tell me what I still have to change?
<Directory />
Options FollowSymLinks
AllowOverride AuthConfig
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride AuthConfig
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Require all granted
</Directory>
#<Directory /srv/>
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#</Directory>
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied

Override subdirectory access for a certain user with htaccess

My Website is locked with htaccess in the apache2.conf, so you can only access it with user and password.
Now I want a subdirectory beeing only accessible for a certain user
<Directory /var/www/>
Options Indexes FollowSymLinks
AuthType Basic
AuthName "Access denied"
AllowOverride All
AuthBasicProvider file
AuthUserFile /home/pi/.htpasswd
Require valid-user
</Directory>
<Directory /var/www/html/MySite/MySubDirectory>
AllowOverride none
Require user alloweduser
</Directory>
What am I missing?

Apache basic authentication prompt not showing

I'm trying to setup very basic username/password protection for my site using apache v2.4.7. I have the following in my sites conf file:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
DocumentRoot /var/my.site
DirectoryIndex index.html
<Directory /var/my.site>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
Options +ExecCGI
AddHandler cgi-script .pl
Require all granted
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/my-site/.htpasswd"
Require valid-user
</Directory>
...
...but it's serving all requests without any auth challenges. I've also tried putting the auth options into their own separate <Location> block, but it's the same. I haven't explicitly enabled any additional auth mods myself, but I've checked auth_basic, authn_core, authn_file and authz_user mods and they're all enabled.

.htaccess not working at all

I've got a file accessible through my web website by typing http://www.mywebsite.com/myfile and the server run on debian.
I'd like to put an authentication with a .htaccess and .htpasswd when trying to access to previous url.
I'm quite new to .htaccess and I tried to configure it with the doc but it doesn't seems to work since when i try nothing change and when i check the error log I've got :
[error] [client IP] client denied by server configuration:
/home/file1/myfile/www/.htaccess
The content of my .htaccess is :
<Directory /home/file1/myfile/www/>
AuthUserFile /home/file1/myfile/.htpasswd
AuthGroupFile /dev/null
AuthName "My authentication"
AuthType Basic
Require valid-user
Otions Indexes FollowSymLinks Multiviews
AllowOverride All
Order allow,deny
allow from all
Redirect permanent /.htaccess http://www.mywebsite.com/myfile
ServerSignature Off
</Directory>
How may I solve this problem please ?
You can't use a <Directory> container in an htaccess file. Remove them so you just have:
AuthUserFile /home/file1/myfile/.htpasswd
AuthGroupFile /dev/null
AuthName "My authentication"
AuthType Basic
Require valid-user
Options Indexes FollowSymLinks Multiviews
AllowOverride All
Order deny,allow
deny from all
Redirect permanent /.htaccess http://www.mywebsite.com/myfile
ServerSignature Off
(you have Otions mispelled)
Also, by looking at your error, it looks as if you were trying to access the htaccess file directly, instead of myfile. It's possible there's extra configuration on the server to deny accessing htaccess files (or all files that start with a .).
It seems that deleting et creating again the user is enough to fix the FTP connexion problem.
I've modified my global apache configuration with the following :
DirectoryIndex index.html index.htm index.xhtml index.php index.txt
ServerName debian.domain.tld
#ServerName localhost
HostnameLookups Off
ServerAdmin myadressemail
UserDir www
UserDir disable root
<Directory />
Options -Indexes FollowSymLinks
AllowOverride All
</Directory>
ServerSignature Off
An now my .htaccess is :
AuthUserFile /home/file1/myfile/.htpasswd
AuthGroupFile /dev/null
AuthName "My authentification"
AuthType Basic
Require user user1
But I still have got no authentication asked, what did I do wrong ?

Apache: One setting for multiple directories

I'd like to protect multiple directories with mod_digest with one settings.
Currently I have this /etc/apache2/conf.a/mod-digest_realm-protected.conf
AuthType Digest
AuthName "protected"
AuthDigestDomain /adminer/ /school-project/
AuthDigestNonceLifetime 300
AuthDigestProvider file
AuthUserFile /etc/apache2/.digest
Require valid-user
and this in /etc/apache/sites-available/default
<Directory /var/www/adminer/>
Include /etc/apache2/conf.a/mod-digest_realm-protected.conf
</Directory>
<Directory /var/www/school-project/>
Include /etc/apache2/conf.a/mod-digest_realm-protected.conf
</Directory>
Is there a way to have this setting in a single config file? I tried something like this
<Directory /var/www/(adminer/school-project)/>
... auth_digest settings
</Directory>
but it doesn't work.
try this
<Directory /var/www/>
... auth_digest settings
</Directory>
Regex can be used with Directory directive.
http://httpd.apache.org/docs/current/en/mod/core.html#directory
If you just want to protect some of them, I think this should work.
<Directory ~ "(adminer|school-project)"/>
... auth_digest settings
</Directory>
DirectoryMatch also works
<DirectoryMatch ^/var/www/(adminer|school-project)>
...
</DirectoryMatch>