better way to debug XAMPP authentication issue - apache

I've been working with a simple authentication process on localhost, here is the .htaccess file:
AuthType Basic
AuthName "Admin login page"
AuthUserFile /Application/XAMPP/htdocs/.htpasswd
AuthGroupFile /dev/null
Require User admin#coastalbooks.com.au
I have created the related .htpasswd file, the browser can prompt for me to enter the username and password.
However, when I tried to access the protected index.html, after entering the credentials, Firefox only got me a http 500 error.
Tried to use Firebug and curl to inspect the response, only to see the 500 status code, nothing else could give me a clearer idea of what went wrong.
Also check the access.log under XAMPP's Apache logs folder, still just got 500 errors without detailed feedback.
Any thoughts? What would you use to debug in such a case?
Many thanks in advance!
Edited:
Tried to add another new user to the .htpasswd file, but still cannot get rid of the http 500 error.

The access.log file will only show you info about the requests, not errors. Look for error.log or error_log (or something similar) in the same folder.
If it's not in the same folder, check your virtual host definition and httpd.conf files to see where the error log is stored.

Related

Password protecting with Htaccess results in Error 500

I have a website hosted with nearlyfreespeech (saying it here so maybe someone who has a website hosted there can help.)
I have two files:
.htaccess
AuthType Basic
AuthName 'Reserved Area'
AuthUserFile /home/public/money/downloads/plugins/.htpasswd
Require valid-user
.htpasswd
I am not including anything here, as it's irrelevant.
The problem might be with the directory(?)
Also nearlyfreespeech's dashboard gives me those two things -- Don't know if they can be of any help.
Apache Site Root /fs7d/privacy/
Apache Document Root /fs7d/privacy/public/
The problem as you read from the title is "error 500".
I looked at the server logs and found out that the problem was actually the directory, now, question is, how do I find the proper directory to fix this error?
Thanks

.htaccess Password protection keeps asking for password over and over

I've placed this code in the .htaccess file of the folder I want to protect:
AuthName "restricted area"
AuthType Basic
AuthUserFile /home/#/#/#/#/#/.htpasswd
require valid-user
In the same folder, I placed this .htpasswd:
my:pass
When I go to the URL of the protected folder, the browser keeps asking me for a password over and over, even though I'm typing the correct one.
I know that the root directory mentioned in AuthUserFile is ok because I've found it out with:
<?php
$dir = dirname(__FILE__);
echo "<p>Full path to a .htpasswd file in this dir: " .
$dir . "/.htpasswd" . "</p>";
?>
Where's the problem?
Just add "user" in between require valid-user
For example:
Require user markpanado
But not:
Require markpanado
the problem, so i found for my website, is that the htpasswd file path is not the same as the path provided in the htaccess. I spent weeks trying to find where the problem was, but although you create usernames and passes using the htpasswrd the file is not communicating with the secure folder. You will need to find out why. maybe a spelling mistake or as in my case, the htpasswd was being saved in a completely different folder, and i had 2 htpasswrd in different folders. the two need to communicate htacccess and htpasswrd, hope this saves you time I figured it out after weeks of sleepless nights.
I have just come across this problem. After trying to figure it out for the last couple of days I have found out the source of the problem:
This prompt gets triggered when using AuthType Basic and whenever a 401 message is sent from the website.
Is it possible that you had a 401 HTTP status code message being sent from the server at each request? You can check your developer console to find out.

.htaccess AuthUserFile has no effect or is being ignored

After hours of searching the web and trying dozens of unsuccessful solutions - here is my question.
I'm currently configuring a webserver on RHEL 6.4 and httpd 2.2.15 behind another RHEL 6.4 server using squid 3.1.10 and HTTPS only. I'm also using mod_rpaf to simplify logging and identification of visitors behind the proxy.
My problem is to configure a simple password protected folder. When I try to access the folder, the password dialog pops up with the configured AuthName. So I know that the .htaccess is being parsed. But the dialog does not accept the correct credentials and gives me an error 401.
I messed around with:
different permissions for .htaccess, .htpasswd and parent folders
different absolute locations for the .htpasswd
all activated Apache modules that are available on my system
different encryption algorithms for .htpasswd (crypt, md5, sha, salted sha...)
AllowOverride All on the protected and parent folder
But what I really do not understand that even if I put a wrong location for AuthUserFile there is no error message in Apaches error_log like the well known Permission denied: Could not open password file. Even on LogLevel debug Therefore I think that something is wrong with that Directive AuthUserFile.
I hope there is someone out there knowing better methods to identify the problem.
This is my simple .htaccess I'm using for testing:
AuthType Basic
AuthName "Test123"
#AuthUserFile /var/www/test/.htpasswd
AuthUserFile /notexisting
Require valid-user
Finally I got it to work!
I tracked the error down to the squid reverse proxy by using lynx on my webserver and successfully accessing the protected folder from there.
With my new focus on squid I started googling again. Already the first link took me to the correct answer: squid did not allow the apache to handle user authentication.
Resulution:
Add login=PASS to the cache_peer command in your squid.conf

WAMP Server 2.2 - .htaccess -> Internal error (500)

I've just added an .htaccess and an .htpasswd to my web app and i'm now getting an error 500.
.htaccess :
AuthUserFile ./.htpasswd
AuthName "Password Protected Area"
AuthType Basic
<limit GET POST>
require valid-user
</limit>
.htpasswd
root:roe7nCYHcm0As
I've read on this web site that i had to enable "headers_module" and "rewrite_module" and then retart the server, which i did, but i'm still getting this error.
I'm using wampserver 2.2 (apache 2.4.2) on windows 7.
That's most probably because htaccess does not find your file's location.
If you use a relative path, then apache uses the server root which is /etc/apache2 in my case (ubuntu).
Just to be sure, click right on the password file and get the path and paste it to .htaccess. If it still not works, please copy and paste your error log here so that I can exactly see the error.
EDIT
I've seen your last comment now.
Some setups require that you store the encrypted version of the password. So for instance, instead of storing the password as
myuser:111
you should store like:
myuser:$apr1$E6YrxcHU$ilyC2mqfNSrQmle4KEAeq.
I don't have a Windows at hand right now so I cannot check it but earlier versions of Wamp had a password generator for .htpasswd under c:\wamp\Apache2\bin\htpasswd.exe. Try to check that program.
Otherwise, apache uses md5 by default to encrypt passwords. You can encrypt programmatically your password and then copy it to the password file.
I even blogged about this :)
Please let me know if it still doesn't work.
Actually it could well be that you have installed wamp into 'program files'
There are a few bits of Apache and PHP that dont like living in a folder structure that has a space in one of the folder names.
It is recommended that you install it to C:\wamp or D:\wamp or any drive you like but not one with a space in any folder name.

htpasswd is bypassing when click cancel

in my htaccess I have below code which is used to save admin* area.
If I give wrong username password it keeps poping up for correct usrename but if I press cancel I can see my restriced area instead loading error page, what is wrong? thanks
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/mydirectory/.htpasswds/.htpasswd
AuthGroupFile /dev/null
<Files admin*>
require valid-user
</Files>
Your .htaccess doesn't protect for anything else than admin*.
If you have auto index option enabled for example, it doesn't match the pattern (but having DirectoryIndex set to adminindex for example do so).
Maybe the authentication prompt is related to a resource needed by the page (JS, css, image, favicon) and not the page itself.
Could you try to inspect HTTP response using curl or apache logs ?
This might give you a hint.
curl -vso/dev/null http://localhost/test/
I had this same issue. For me the problem was a RewriteRule in the htaccess folder in a directory above the one that was password protected.
I resolved my issue by adding RewriteEngine off to the top of the htaccess in the folder I was password protecting.
I found that this behavior occurred when .htaccess was present in the parent directory but not in the actual directory being accessed. Placing another .htaccess file in the directory being accessed stopped this behavior.
If you're using wordpress, it's a known issue. Solution here