.htaccess file ineffective at password protecting my xampp directory? - apache

I'm totally new to XAMPP and I'm trying to set up the security for it as best as possible. I understand that it is beneficial to create an .htaccess file to password protect certain directories. There is a page/script that is built into xampp available at http://localhost/security/xamppsecurity.php that will generate one for you in the /htdocs/xampp directory. However, after I've gone and done this, I'm still not prompted for a password when I visit my site at http://localhost/xampp. I thought I should've been prompted for a username and password here? This is a difficult problem to search answers for so I apologize if this has been answered already.
I've made sure to close/re-open my browser and delete all history/cache/cookies. I also restarted the Apache service after creating the htaccess file.
the .htaccess file:
AuthName "xampp user"
AuthType Basic
AuthUserFile "C:\xampp\security\xampp.users"
require valid-user
C:\xampp\security\xampp.users is a valid file and it contains the username I setup and an encrypted password.

Try to copy your .htaccess file to the htdocs directory:
C:\xampp\htdocs\.htaccess
I hope it works ;)
Looks like .htaccess doesn't work on the htdocs\xampp directory.

Related

Apache 2.4, Windows 10 and password protected directories

I've been trying to install password protection in a subdirectory of my Apache 2.4 (Windows 10) htdocs directory.
I started with an external .htaccess file and migrated to adding the data to a entyr in the httpd.conf file.
I place the .htpasswd file in the directory above htdocs (root?) and refer to the directory as '/.htaccess'. I ran Process Monitor (formerly from SysInternals) and know the .htpasswd and .htaccess files were being found and read.
I access the protected directory using three different addresses:127.0.0.1(localhost);192.168.0.101; and 'jimjulian.ddns.net'.
In each case, the password form pops up once, I fill out the form, get entry and close. In each case, I have access from then on, without the form.
I tried erasing the browser (Chrome) cache, but to no end.
Is there anything I've overlooked? Anything I can try?
.htaccess contents:
AuthType Basic
AuthName 'Area51'
AuthUserFile 'C:\Apache24\.htpasswd'
require valid-user
I wasn't sure what to do with the AllowOverride. Seemed to me, the default setting, None, would nullify the contents of the .htaccess
So I set that to All in the conf file
Two revelations solved the problem.
My dns updater for No-IP was not running.
Even though I cleared the browsing history and cache regularly, I didn't realize until just now, and after installing another browser for comparisons, that passwords and usernames were being held the length of the session. Once I closed the browser and reopened, and cleared the cache again, the password popup, popped up. Perhaps this will benefit someone.

htpasswd outsite the public html not accessible

On the webserver I use, I have multiple sites (subdomains). Some of these have an admin folder for quick edits for each site. In the admin folder I placed a .htaccess file, restricting access to it.
I have placed a htpasswd file outside the public_html folder(because that's what I read, I should), each password file, in a new directory.
So my folder/file structure so far:
/server/public_html/domain.com
/server/public_html/domain.com/admin/.htaccess
/server/domain_password/.htpasswd
The content of the .htaccess file, inside the admin folder:
#Block_External_Access
AuthType Basic
AuthName 'My Protected Area'
AuthUserFile /server/domain_password/.htpasswd
Require valid-user
The problem is, that in this case I get a big fat 500 server error. Looks like it cannot read the password file after all. If I move my htpasswd down to the domain folder, or the admin folder, and update the htaccess file correspondingly, it works.
Is there any setting somewhere, where prohibits my expected behaviour, or I'm missing something else?
Apparently, because the folder creation was automated, it gave the folder a permission of 600. Which was a bad decision. :D

Blocking a sub directory with .htaccess file in Apache

Disclaimer: I have little to no knowledge of Apache, all the information posted here was pieced together from Google search results only, within 1 night.
--
I can't seem to get .htaccess to block only the sub-directories of my domain, could someone please help me?
My root domain: http://domain.com (/home/username/domain/)
The directory I'm trying to block is /home/username/domain/files/
In the /domain/ directory, I have modified the .htaccess file accordingly:
# Password Protect Directories #
AuthName "You shall not pass!"
AuthType Basic
AuthUserFile /home/username/domain/files.htpasswd
require valid-user
# END Password Protect Directories #
The problem is, this seems to password protect my root directory as well as the sub-directory specified.
--
I've tried moving this .htaccess file entry into a separate .htaccess file in the /domain/files/ directory, but then this doesn't work at all, nothing is password protected.
I'm not quite sure what I'm supposed to be doing here, I've read dozens of tutorials online, but none seem to help me beyond password protecting my entire root directory.
--
Can someone please explain to me how I can block multiple sub-directories only?
/domain/files/
/domain/software/
/domain/pictures/
etc...
Thanks!
--
Alternately, if anyone knows a better way to accomplish this, feel free to let me know.
There really is nothing to the authentication. You need to put the code in the .htaccess file in the sub-directory you want to protect. Also I would not put my password file in a publicly accessible location. Put it outside the root like in your home folder. So this code should go in your files folder.
# Password Protect Directories #
AuthName "You shall not pass!"
AuthType Basic
AuthUserFile /home/username/.htpasswd
require valid-user
# END Password Protect Directories #
Make sure apache can read your .htpasswd file and the correct ownership and permissions. Also try and clear your browser cache to test. I've seen that many times that it appears to not work until I clear the cache and then I get the prompt.

.htaccess Password protection keeps asking for password over and over

I've placed this code in the .htaccess file of the folder I want to protect:
AuthName "restricted area"
AuthType Basic
AuthUserFile /home/#/#/#/#/#/.htpasswd
require valid-user
In the same folder, I placed this .htpasswd:
my:pass
When I go to the URL of the protected folder, the browser keeps asking me for a password over and over, even though I'm typing the correct one.
I know that the root directory mentioned in AuthUserFile is ok because I've found it out with:
<?php
$dir = dirname(__FILE__);
echo "<p>Full path to a .htpasswd file in this dir: " .
$dir . "/.htpasswd" . "</p>";
?>
Where's the problem?
Just add "user" in between require valid-user
For example:
Require user markpanado
But not:
Require markpanado
the problem, so i found for my website, is that the htpasswd file path is not the same as the path provided in the htaccess. I spent weeks trying to find where the problem was, but although you create usernames and passes using the htpasswrd the file is not communicating with the secure folder. You will need to find out why. maybe a spelling mistake or as in my case, the htpasswd was being saved in a completely different folder, and i had 2 htpasswrd in different folders. the two need to communicate htacccess and htpasswrd, hope this saves you time I figured it out after weeks of sleepless nights.
I have just come across this problem. After trying to figure it out for the last couple of days I have found out the source of the problem:
This prompt gets triggered when using AuthType Basic and whenever a 401 message is sent from the website.
Is it possible that you had a 401 HTTP status code message being sent from the server at each request? You can check your developer console to find out.

WAMP Server 2.2 - .htaccess -> Internal error (500)

I've just added an .htaccess and an .htpasswd to my web app and i'm now getting an error 500.
.htaccess :
AuthUserFile ./.htpasswd
AuthName "Password Protected Area"
AuthType Basic
<limit GET POST>
require valid-user
</limit>
.htpasswd
root:roe7nCYHcm0As
I've read on this web site that i had to enable "headers_module" and "rewrite_module" and then retart the server, which i did, but i'm still getting this error.
I'm using wampserver 2.2 (apache 2.4.2) on windows 7.
That's most probably because htaccess does not find your file's location.
If you use a relative path, then apache uses the server root which is /etc/apache2 in my case (ubuntu).
Just to be sure, click right on the password file and get the path and paste it to .htaccess. If it still not works, please copy and paste your error log here so that I can exactly see the error.
EDIT
I've seen your last comment now.
Some setups require that you store the encrypted version of the password. So for instance, instead of storing the password as
myuser:111
you should store like:
myuser:$apr1$E6YrxcHU$ilyC2mqfNSrQmle4KEAeq.
I don't have a Windows at hand right now so I cannot check it but earlier versions of Wamp had a password generator for .htpasswd under c:\wamp\Apache2\bin\htpasswd.exe. Try to check that program.
Otherwise, apache uses md5 by default to encrypt passwords. You can encrypt programmatically your password and then copy it to the password file.
I even blogged about this :)
Please let me know if it still doesn't work.
Actually it could well be that you have installed wamp into 'program files'
There are a few bits of Apache and PHP that dont like living in a folder structure that has a space in one of the folder names.
It is recommended that you install it to C:\wamp or D:\wamp or any drive you like but not one with a space in any folder name.