.htaccess keeps redirecting to 401 - apache

I've been trying to get this to work for an hour.
I'm protecting a directory with .htaccess and .htpasswd
AuthType Basic
AuthName "Access Denied: Please Enter the Correct Information to Continue"
AuthUserFile /actual/path/based/on/php/info/.htpasswd
require valid-user
Simple stuff. For some reason I'm getting a 401.shtml page instead of asking for login information.
I've tried disabling the other redirects
I'm pretty sure the path is correct
This works just fine on another site, just different web hosts.
Thanks.

Related

htaccess disabling require valid-user triggers 500 error

I have a development website in use before deploying to live.
The development website has a password with .htaccess and .htpasswd. The password login works fine.
For a particular functionality related to an external server having to access a page on the server, I got to disable the password temporarily for testing.
Normally this gets done by commenting out the "Require valid-user" line. For some strange reason, I get a 500 error if I comment out that line. This used to work fine in the past.
With password:
AuthType basic
AuthName "***"
Require valid-user
AuthUserFile "/usr/***/.htpasswd"
With password disabled:
AuthType basic
AuthName "***"
#Require valid-user
AuthUserFile "/usr/***/.htpasswd"
The # is the only difference. I also made sure that the file is not in UTF-8-BOM encoding, but stays in UTF-8 encoding. UTF-8-BOM also causes a 500 error.
Any ideas about how to solve this?

Apache basic auth with SetEnvIf bug

I have a problem with apache 2.4 .htaccess configuration. My config example:
SetEnvIf Request_URI ^(?i).*/admin(/.*)?$ require_auth=true
AuthType Basic
AuthName "Secure area"
AuthUserFile /xxx/.admin_htpasswd
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
The idea is to ask a password for requests to urls which contains "/admin" string. So if I go to www.mysite.com/admin the password is required and if I go to www.mysite.com/news the password is not required.
But there is a strange bug! If I start making multiple fast refreshes on url www.mysite.com/news (F5, F5, F5, F5, F5...) the basic auth window pops out and asks the password :( Why it is happening so?
The problem is resolved. mod_evasive after IP address block doesn't show 403 Forbidden but runs basic auth if it is configured in .htaccess file.

basic authentication error 500

I have this .htaccess
AuthType Basic
AuthName "Protected Area"
AuthUserFile /.htpasswds/.htpasswd
Require valid-user
And a .htpassword
test:$apr1$zXAu7nnl$612DeubGZ9jDrDPB1S8VO0
the directory structure is:
/.htpasswds/.htpasswd
/public_html/.htaccess
any attempt to login give me a 500 error. In cpanel the error is not registered in error log.
I don't know exactly what is the problem, but my host provider suggests this:
In cpanel
Section security
Option Web Protect
That will generate:
AuthType Basic
AuthName "Protected"
AuthUserFile "/home/abvnfj/.htpasswds/public_html/passwd"
require valid-user
if apache can not access .htpasswd, it generate Error 500.
in AuthUserFile write full path to .htpasswd file.
I've had a very similar problem with cPanel - and error 500 "internal error" upon entering the basic authentication credentials.
The problem seems to stem from cPanel putting the password file into a directory that the apache process could not access. Moving it to the root folder for the account (where the public_html directory is created) fixes the problem for me. The AuthUserFile entry in .htaccess must still point to the absolute pathname for the file, for example:
AuthUserFile "/home/myaccount/.passwd"
with the site root being in /home/myaccount/public_html/
Make sure you are using the correct absolute path in .htpaswd.
Example: for my bluehost I need
AuthUserFile /home7/<username>/public_html/...
While the FTP just gave me
/wwww/...
I had same error and I tested htpasswd with adding -p parameter which generates passwordfile as plaintext. The error was disappeared, but now I don't have any idea why default md5 passwords are causing this error.

How can I debug htpasswd access?

I have a site hosted on hostgator that I've set up with a directory to use htaccess/htpasswd for authentication. It's working fine but only for a user named test.
Here's the relevant htaccess
<filesMatch "(-priv)">
AuthType Basic
AuthName "Private Area"
AuthUserFile /home/username/public_html/site/test/.htpasswd
Require user test
</filesMatch>
and the htpasswd has 2 users
test:ovCvloB9kYgBQ
admin:RxvCRMqtdryys
I can log in using the test user but if I use any other name authentication fails. I can change the password for the test user and authentication reflects the change. The behavior is consistent across browsers and IPs.
Is there any way to debug this?
And before you say it, I know not to put the .htpasswd file above webroot, this is a test setup.
You have Require user test
Change to Require valid-user

Apache basic authentication SSL only

I've been given a setup in which Apache runs on Windows, and we have two folders that need basic authentication with .htpasswd.
First, I tested that the authentication worked:
AuthUserFile E:/path-to/.htpasswd
AuthType Basic
AuthName "Secure area"
Require valid-user
This worked nicely, but of course did not send the credentials over SSL. I tried using a RewriteRule to send any requests without HTTPS over to HTTPS in either of those folders, and this requires the user to login twice - once over HTTP and once over HTTPS.
I found tons of people with this issue, and the solution most folks use is like this:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.domain.com"
AuthUserFile E:/path-to/.htpasswd
AuthName "Secure area"
AuthType basic
require valid-user
ErrorDocument 403 https://www.domain.com/secure-area
So I put this into an htaccess inside each of the two secure folders. This requires the user to login once, over HTTPS, as it should, but of course it does not send them to the file they have requested. Rather, it sends them to the root of the folder.
We often direct users to specific files inside these directories, and I just can't find anything that will authenticate them with basic auth over HTTPS when trying to do this. Is this possible on Apache?
Thanks,
Jonathan
If its for a particular file, you could wrap it in
<files *.php>
</files>
</pre></code>
or whatever, see if that makes a difference, as it'll be authenticating for a requested file rather than the directory that file is in?