I have a site hosted on hostgator that I've set up with a directory to use htaccess/htpasswd for authentication. It's working fine but only for a user named test.
Here's the relevant htaccess
<filesMatch "(-priv)">
AuthType Basic
AuthName "Private Area"
AuthUserFile /home/username/public_html/site/test/.htpasswd
Require user test
</filesMatch>
and the htpasswd has 2 users
test:ovCvloB9kYgBQ
admin:RxvCRMqtdryys
I can log in using the test user but if I use any other name authentication fails. I can change the password for the test user and authentication reflects the change. The behavior is consistent across browsers and IPs.
Is there any way to debug this?
And before you say it, I know not to put the .htpasswd file above webroot, this is a test setup.
You have Require user test
Change to Require valid-user
Related
I have a host where authenticated users need to be in a certain ldap group. This worked perfectly. Afterwards I needed an external user that I put locally in a file and this one doesn't work.
When I comment out all the ldap lines that user works, so the file is created correctly and accessible by Apache 2.2, but when I add ldap, everything work for the ldap users but not for the file user.
When I try to log in with the local in file user with a bad password I get the log in pop-up again, as usual, but when I insert the correct credentials I get "Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."
Below is my set upon Apache 2.2
<Location "/">
Deny from all
AuthType Basic
AuthName "My Auth"
AuthBasicProvider ldap file
AuthLDAPURL LDAP_URL
AuthUserFile "path/to/pass/file"
Require user file_user
Require ldap-group cn=LDAP Group,cn=Groups,dc=DC,dc=org
Require ldap-user ldap_user_outside_group
Satisfy any
</Location>
You likely need AuthzLDAPAuthoritative to allow the failure to match the ldap-based Require directives to not be fatal. This kind of directive was made obsolete in later releases by internal improvements in 2.4.
I'm trying to build and test a "m." subdomain for a website I'm working on. "m.domain.com" is simply a cname for "domain.com" and will be used to set a server-side boolean so the mobile version of the site will serve exactly the same pages, just with different css and scripts.
While I'm testing, I want to require a password for all requests made to m.domain.com. I've tried several .htaccess variants on environment variable solutions, and this is what I have right now:
SetEnvIfNoCase Host m\.domain\.com is_mobile
AuthType basic
AuthName "Mobile site"
AuthUserFile ".htpasswd"
Require valid-user
Order allow,deny
Allow from all
Deny from env=is_mobile
Satisfy any
With this code, "domain.com" and "www.domain.com" display normally. "m.domain.com" prompts for a password as expected. However, once it's entered, the server returns a 500 error on any request.
Well, turns out that a little inversion and reordering did the trick.
SetEnvIfNoCase Host ^(www\.)domain\.com$ not_mobile
AuthType basic
AuthName "Mobile site"
AuthUserFile ".htpasswd"
Order deny,allow
Deny from all
Allow from env=not_mobile
Require valid-user
Satisfy any
I'm still curious to know why the other configuration created the 500 error, though, especially since it only occurred for the subdomain I wanted password protected.
I've been given a setup in which Apache runs on Windows, and we have two folders that need basic authentication with .htpasswd.
First, I tested that the authentication worked:
AuthUserFile E:/path-to/.htpasswd
AuthType Basic
AuthName "Secure area"
Require valid-user
This worked nicely, but of course did not send the credentials over SSL. I tried using a RewriteRule to send any requests without HTTPS over to HTTPS in either of those folders, and this requires the user to login twice - once over HTTP and once over HTTPS.
I found tons of people with this issue, and the solution most folks use is like this:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.domain.com"
AuthUserFile E:/path-to/.htpasswd
AuthName "Secure area"
AuthType basic
require valid-user
ErrorDocument 403 https://www.domain.com/secure-area
So I put this into an htaccess inside each of the two secure folders. This requires the user to login once, over HTTPS, as it should, but of course it does not send them to the file they have requested. Rather, it sends them to the root of the folder.
We often direct users to specific files inside these directories, and I just can't find anything that will authenticate them with basic auth over HTTPS when trying to do this. Is this possible on Apache?
Thanks,
Jonathan
If its for a particular file, you could wrap it in
<files *.php>
</files>
</pre></code>
or whatever, see if that makes a difference, as it'll be authenticating for a requested file rather than the directory that file is in?
Say I have a htaccess file shared by "dev.server" and "server.site.com".
The first domain should allow all users to access it unchallenged (it only exists on my local development server).
The second domain I want to authenticate users with Apache (NOT by database).
The code to authenticate users is:
AuthType Basic
AuthName "Server Admin"
AuthUserFile "/path/to/passwd"
require valid-user
What I can't do is make those 4 lines only matter if the domain is "server.site.com". How can I do this?
I searched for something like <IfEnv HTTP_HOST "site.server.com"> but had no luck.
This appears to work, still need to do some testing on it though.
Order Deny,Allow
Deny from all
SetEnvIf Host domain.for.no.auth dev
Allow from env=dev
AuthUserFile .pwd
AuthType Basic
AuthName MySite
Require valid-user
Satisfy Any
As far as I know, this can't be done in a .htaccess file. You'd have to put this into a Directory or VirtualHost section, both of which can't be used in a .htaccess file.
You would have to define it in two separate files, or directly in the server's configuration in the VirtualHost section.
I have managed to get authentication at least partly set up but am mystified as to why security isn't working...
In my httpd.conf file for ssl I have....
<Directory /usr/local/apache2.2/cgi-bin/oia>
SSLRequireSSL
Satisfy All
AuthType basic
AuthName "Protected Intranet Area"
AuthUserFile conf/.passwd
AuthGroupFile conf/groups
Require valid-user
</Directory>
I do have the user password in the setup and when accessing the page via https://....../cgi-bin/oia, it does correctly prompt me for the user name and password. Problem is if I use the same URL with http:// there's no prompting for a user name or password.
Any advice is greatly appreciated.
Nikki
You could set up a mod_rewrite rule to always forward the http://x.y.com to https://x.y.com (which is probably what you want to do anyway)