.htaccess doesn't work correctly - apache

I have a problem with .htaccess, my file looks like:
AuthUserFile "/home/user/.htpasswds/public_html/user/passwd"
AuthName "Lock"
AuthType Basic
require valid-user
And when somebody want to download file for example *.doc from this protect directories, login and password is required, but when somebody wants to download file *.pdf, password and login is not required. I don't know why login and password isn't check when someone is downloading pdf file?
I want allow downloading all kinds of files only for people who has a login and password.

Related

.htaccess produces permission denied despite correct password

I set up a .htaccess-file to protect a folder which is in the webroot. Let's call the folder /protected.
I placed the .htaccess and the .htusers file in this very folder (/protected). When I try to login into the folder using the correct login credentials I still get 403.
Here is the .htaccess file:
AuthType Basic
AuthName "Service-Bereich"
AuthBasicProvider file
AuthUserFile [FULL_PATH]/.htusers
Require valid-user
.htusers
mary:$afr1$oqJDM12K$iT9QWY4ETerG0LUtRzw8C.
(For security reasons: user data is not real! It is a mockup)
Thank you in advance.
I finally managed to get it working. I left out the AuthBasicProvider file directive and put a file into the directory. However, I would still be interested in getting it to work without placing a file into the directory. :)
Thank you for all who tried to help me solving the issue.

How to protect a webpage with a password?

I have a web app with a setting page that I would like to protect with a password so that unless the password is correctly entered the user cannot change any of the settings.
To add a password for a page on your website, you’ll need to modify the .htaccess and .htpasswd files on the server. Take a look at this link for the full details.
Basically you need to do these two things:
Modify (or add) the special text file on your server called .htpasswd, to contain the username and encrypted password separated by a colon on a separate line.
If you have SSH access, this can be done automatically using the htpasswd utility:
htpasswd -c .htpasswd ben
Otherwise you can modify/create the file manually, and handcraft the username/password using an online password encryptor. The linked-to site suggests these three:
4WebHelp's online .htpasswd encryption tool
Alterlinks .htaccess password generator
htmlite's htpasswd encryption page
As an example, for a username of ben and a password of password12345 you would use this line:
ben:51CbcBM13fOMo
Modify (or add) the special text file called .htaccess, in the folder where the settings page you want to protect resides, to contain the following:
AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "Protected Settings Page"
<Files "mySettingsPage.html">
Require valid-user
</Files>
Of course, /full/path/to/.htpasswd should be replaced with the full path to where the .htpasswd file resides on your server.
Likewise, replace mySettingsPage.html with your own settings page name.
Note that the AuthName string can be changed to suit.

Is there an equivalent setting in Apache (on a UNIX box) to prompt user login to view a site as Windows Authentication does in IIS?

I have been requested to setup a test site written in php, on a unix box. I have been given the site files and it is loading fine but I need to close it off from anonymous access. Is there a setting in Apache server that allows this to be done in the same way that Windows Authentication would in IIS. I understand that a login page could be added to the site but I am not a php developer and wanted to take advantage of existing functionality if it's there.
Thanks.
A simple solution would be to add an .htaccess file with something like this in your webroot:
AuthUserFile /<path>/.htpasswd
AuthType Basic
AuthName "Your Auth Name"
Require valid-user
Then you would need to add a .htpasswd file with your login credentials.
To add a .htpasswd file you could open your terminal and execute the following command:
htpasswd -c -b .htpasswd username password
The above will create a file name .htpasswd with username/password as login in the current directory.
Reference: Password Protection with .htaccess & .htpasswd

.htaccess file ineffective at password protecting my xampp directory?

I'm totally new to XAMPP and I'm trying to set up the security for it as best as possible. I understand that it is beneficial to create an .htaccess file to password protect certain directories. There is a page/script that is built into xampp available at http://localhost/security/xamppsecurity.php that will generate one for you in the /htdocs/xampp directory. However, after I've gone and done this, I'm still not prompted for a password when I visit my site at http://localhost/xampp. I thought I should've been prompted for a username and password here? This is a difficult problem to search answers for so I apologize if this has been answered already.
I've made sure to close/re-open my browser and delete all history/cache/cookies. I also restarted the Apache service after creating the htaccess file.
the .htaccess file:
AuthName "xampp user"
AuthType Basic
AuthUserFile "C:\xampp\security\xampp.users"
require valid-user
C:\xampp\security\xampp.users is a valid file and it contains the username I setup and an encrypted password.
Try to copy your .htaccess file to the htdocs directory:
C:\xampp\htdocs\.htaccess
I hope it works ;)
Looks like .htaccess doesn't work on the htdocs\xampp directory.

.htaccess and .htpasswd to prevent access to folder problem

I have a website admin area I want to protect with a password..
so inside the admin folder I put an .htaccess and .htpasswd files containing this:
.htaccess:
AuthUserFile C:/wamp/www/website_project/admin/.htpasswd
AuthName "Restricted Area"
AuthType Basic
Require valid-user
.htpasswd: (generated using an online tool)
admin:sOSDxAdJI4xx2
When I go to the admin folder, a popup is shown where I need to insert username and password... so until now its working fine, BUT no matter if I insert a correct password or not I get the same popup again when I hit 'enter', I can never access the folder...
Any suggestions?
Based on the AuthUserFile line, it looks like you're using Apache on Windows, which has a different default password encryption algorithm than other platforms. Try using the htpasswd command-line tool to generate the password and see if you still have the same problem.