htpasswd outsite the public html not accessible - apache

On the webserver I use, I have multiple sites (subdomains). Some of these have an admin folder for quick edits for each site. In the admin folder I placed a .htaccess file, restricting access to it.
I have placed a htpasswd file outside the public_html folder(because that's what I read, I should), each password file, in a new directory.
So my folder/file structure so far:
/server/public_html/domain.com
/server/public_html/domain.com/admin/.htaccess
/server/domain_password/.htpasswd
The content of the .htaccess file, inside the admin folder:
#Block_External_Access
AuthType Basic
AuthName 'My Protected Area'
AuthUserFile /server/domain_password/.htpasswd
Require valid-user
The problem is, that in this case I get a big fat 500 server error. Looks like it cannot read the password file after all. If I move my htpasswd down to the domain folder, or the admin folder, and update the htaccess file correspondingly, it works.
Is there any setting somewhere, where prohibits my expected behaviour, or I'm missing something else?

Apparently, because the folder creation was automated, it gave the folder a permission of 600. Which was a bad decision. :D

Related

How do I lock a folder with htaccess file?

I am trying to lock a folder on my site with htaccess file
I created a htaccess file in the root and I created a htpasswd file inside the folder I want to lock
But the problem is that it does not work and I am banned from entering the entire site until I delete the "Require valid-user" from the .htaccess file in order to allow me to enter the site.
htaccess file
ErrorDocument 404 /404.html
#Protect Directory
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /fares/.htpasswd
Require valid-user
htpasswd file
fares:djefaflia
It does not work on the local server or on the hosting
AuthUserFile /fares/.htpasswd
The file-path provided to AuthUserFile should be an absolute filesystem path, not a root-relative URL-path (ie. relative to the document root) which is what this looks like.
The "absolute filesystem path" is the full file-path to the .htpasswd file on the server. For example, if the server path to your document root directory (where your HTML files are located) is /home/user/public_html and you are wanting to protect the directory /fares within your document root and you are storing the .htpasswd file inside that directory (although that is not recommended - see below) then the AuthUserFile directive should be like the following instead:
AuthUserFile /home/user/public_html/fares/.htpasswd
However, you should avoid storing the password file in the same directory you are protecting (for security reasons). Ideally, this file would be stored outside of the document root (ie. outside of the public HTML space). For example, you could mirror the file structure in a htpasswds directory above the document root in which you store all the relevant .htpasswd files on your system:
AuthUserFile /home/user/htpasswds/fares/.htpasswd
fares:djefaflia
As written, this does not "look" correct (unless you are intentionally trying to store plain text passwords - which won't work on Linux). How are you generating the password file? You should be using a tool like htpasswd.exe (that comes with Apache), or something similar that generates a hash of the password. For example, it should look more like this:
fares:$apr1$6Szn.sq3$7E6ZMJLBAZKWX.wmGRISu1

.htaccess password protection not working with domain on a folder

I have 2 domains mapped to the same server.
- Domain-A is mapped to public_html directory
- Domain-B is mapped to public_html/domainb directory
When I set a .htaccess user/password for directories that I access via the first domain (e.g. domain-a.com/wp-admin) everything works like a charm.
But when I try to set the same for directories that I access from the domain-b, I got a ERR_TOO_MANY_REDIRECTS error.
Below .htaccess code. Note that the very same code works on folders of the domain-a but not on domain-b:
AuthType Basic
AuthName "myuseradmin"
AuthUserFile "/home3/desempac/.htpasswds/public_html/domainb/wp-admin/passwd"
require valid-user
Any thoughts?
change the following line in your code accordingly :
AuthUserFile /path/to/password/file/.htpasswd
Make sure you located the .htpasswd file inside the folder that you want to protect it

Blocking a sub directory with .htaccess file in Apache

Disclaimer: I have little to no knowledge of Apache, all the information posted here was pieced together from Google search results only, within 1 night.
--
I can't seem to get .htaccess to block only the sub-directories of my domain, could someone please help me?
My root domain: http://domain.com (/home/username/domain/)
The directory I'm trying to block is /home/username/domain/files/
In the /domain/ directory, I have modified the .htaccess file accordingly:
# Password Protect Directories #
AuthName "You shall not pass!"
AuthType Basic
AuthUserFile /home/username/domain/files.htpasswd
require valid-user
# END Password Protect Directories #
The problem is, this seems to password protect my root directory as well as the sub-directory specified.
--
I've tried moving this .htaccess file entry into a separate .htaccess file in the /domain/files/ directory, but then this doesn't work at all, nothing is password protected.
I'm not quite sure what I'm supposed to be doing here, I've read dozens of tutorials online, but none seem to help me beyond password protecting my entire root directory.
--
Can someone please explain to me how I can block multiple sub-directories only?
/domain/files/
/domain/software/
/domain/pictures/
etc...
Thanks!
--
Alternately, if anyone knows a better way to accomplish this, feel free to let me know.
There really is nothing to the authentication. You need to put the code in the .htaccess file in the sub-directory you want to protect. Also I would not put my password file in a publicly accessible location. Put it outside the root like in your home folder. So this code should go in your files folder.
# Password Protect Directories #
AuthName "You shall not pass!"
AuthType Basic
AuthUserFile /home/username/.htpasswd
require valid-user
# END Password Protect Directories #
Make sure apache can read your .htpasswd file and the correct ownership and permissions. Also try and clear your browser cache to test. I've seen that many times that it appears to not work until I clear the cache and then I get the prompt.

.htaccess file ineffective at password protecting my xampp directory?

I'm totally new to XAMPP and I'm trying to set up the security for it as best as possible. I understand that it is beneficial to create an .htaccess file to password protect certain directories. There is a page/script that is built into xampp available at http://localhost/security/xamppsecurity.php that will generate one for you in the /htdocs/xampp directory. However, after I've gone and done this, I'm still not prompted for a password when I visit my site at http://localhost/xampp. I thought I should've been prompted for a username and password here? This is a difficult problem to search answers for so I apologize if this has been answered already.
I've made sure to close/re-open my browser and delete all history/cache/cookies. I also restarted the Apache service after creating the htaccess file.
the .htaccess file:
AuthName "xampp user"
AuthType Basic
AuthUserFile "C:\xampp\security\xampp.users"
require valid-user
C:\xampp\security\xampp.users is a valid file and it contains the username I setup and an encrypted password.
Try to copy your .htaccess file to the htdocs directory:
C:\xampp\htdocs\.htaccess
I hope it works ;)
Looks like .htaccess doesn't work on the htdocs\xampp directory.

Password protecting mamp:localhost

I've created a .htpasswd file and .htaccess to password protect my localhost. I have put both in my mamp folder (where my website folders are). I have encrypted the password put in my htaccess :
AuthUserFile /WorkArea/mamp/
AuthType Basic
AuthName "localhost"
Require valid-user
It has locked me out of my localhost by giving me a 500 internal error.
The discussion above fed to this solution:
It is important to understand that .htaccess and .htpasswd files have to be plain text files to work. So the best way to create and manage them is to use a plain text editor. Using some kind of word processor (like OpenOffice-Word or similar) will save additional formatting information into those files. This will lead to the http server not being able to make sense of those files, thus throwing an error.
Also some side note: the .htpasswd file should not be placed alongside the documents pubished by the http server. This is a high security risk. So .htaccess and .htpasswd style files must be stored at completely separate locations, the first within, the second outside the area of the documents.