I have managed to get authentication at least partly set up but am mystified as to why security isn't working...
In my httpd.conf file for ssl I have....
<Directory /usr/local/apache2.2/cgi-bin/oia>
SSLRequireSSL
Satisfy All
AuthType basic
AuthName "Protected Intranet Area"
AuthUserFile conf/.passwd
AuthGroupFile conf/groups
Require valid-user
</Directory>
I do have the user password in the setup and when accessing the page via https://....../cgi-bin/oia, it does correctly prompt me for the user name and password. Problem is if I use the same URL with http:// there's no prompting for a user name or password.
Any advice is greatly appreciated.
Nikki
You could set up a mod_rewrite rule to always forward the http://x.y.com to https://x.y.com (which is probably what you want to do anyway)
Related
I am working in ColdFusion 11 with apache web server in windows hosting I have not more knowledge about basic authenticate and so I have little bit confuse about this
why does basic authentication type store password in
.htpasswd file so
not necessary to store database?
how to redirect request HTTP to https before entering in
password
prompt?
.htaccess file code which is working fine first authenticate completely then this redirect on HTTP to https but I want to set HTTP to https before entering a password here my httpd.config file virtual host code
<VirtualHost 112.192.12.16>
DocumentRoot C:/Apache24/htdocs/enovis53
ServerName test.example.com
ErrorLog logs/enovis-inc.com-error_log
CustomLog logs/enovis-inc.com-access_log common
</VirtualHost>
my .htaccess file code
AuthName "Example CLMS Production (v5.3.0.0)"
AuthType Basic
AuthUserFile "C:\Apache24\htdocs\enovis53\.htpasswd"
require valid-user
if anybody knows this then guide me I don't know this right thing to ask community all suggestion is acceptable thanks in advance
why does basic authentication type store password in .htpasswd file so not necessary to store database?
This is determined by AuthBasicProvider
Syntax: AuthBasicProvider provider-name [provider-name] ...
Default: AuthBasicProvider file
The AuthBasicProvider directive sets which provider is used to authenticate the users for this location. The default file provider is implemented by the mod_authn_file module.
So in your case, no provider is defined, and the default (file) is applied. If you want another provider, e.g. some db, specify dbm, ldap, ...
how to redirect request HTTP to https before entering in password prompt?
Usually, some directive is applied unconditionally, unless restricted somehow. To have the password requested only when HTTPS is active, you may try to enclose the Auth directives or at least the Require inside an If
<If "%{HTTPS} == 'on'">
AuthName "Example CLMS Production (v5.3.0.0)"
AuthType Basic
AuthUserFile "C:\Apache24\htdocs\enovis53\.htpasswd"
require valid-user
</If>
But now, all content is accessible without password, when requested via http://test.example.com. Don't forget to force https!
Unrelated, but note the security warning from AuthUserFile
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
We have our main website: www.example.com.
A partner has created a website: subdomain.theirexample.com and they have pointed it at our IP address.
We want to password protect any traffic coming through on the subdomain whilst leave the original domain open to the public. I've tried adding the below at the top of our htaccess file but we're not getting a password prompt:
SetEnvIf Host ^subdomain\.theirexample\.com$ passreq
AuthType Basic
AuthName "Password Required"
AuthUserFile /home/example/.htpasswd-theirexample
Require valid-user
Require all granted
Deny from env=passreq
Satisfy any
I also tried it simply like:
SetEnvIf Host subdomain.theirexample.com passreq
I am running latest ubuntu with apache.
I have very simple html directory I want to protect using .htaccess.
I am trying to do it with:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /var/www/dev/docs/.htpasswd
Require valid-user
On my .htpasswd file I have:
user:pass
I get internal server error with this. I've been digging hard but not sure why this is happening.
If I add a this:
<Directory "/var/www/dev/docs">
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /var/www/dev/docs/.htpasswd
Require valid-user
</Directory>
I can't login no matter what I do...
Thanks,
I have the same problem. But after a few trial and error, here's the fix.
You must use the full path to the .htpasswd file.
You must encapsulate the path with quotation marks "home/username/public_html/subfolder/protected/.htpasswd"
An example:
AuthUserFile "/home/username/public_html/subfolder/protected/.htpasswd"
AuthType Basic
AuthName "My restricted Area"
Require valid-user
Error #500 just means the web server isn't understanding something in your .htaccess file. There will be nothing in Apache's error log since the request doesn't even get parsed at this point.
Try putting quotes around the path to the .htpasswd file and note on some hosting companies like cough.. godaddy, 1&1 It may take several minutes for the changes in .htaccess to be picked up.
AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/home/. . . . ./.htpasswd"
require valid-user
I have got same situation on Apache/2.4.6 (CentOS)
Path to htpasswd needs to be taken from $_SERVER['DOCUMENT_ROOT']
Apache has some bug (https://bz.apache.org/bugzilla/show_bug.cgi?id=54735), you need to set password from console like this:
htpasswd -nb username newpassw > <path-to>/.htpasswd
btw in Apache 2.4.6 on CentOS 7 problem still exists
I'm trying to build and test a "m." subdomain for a website I'm working on. "m.domain.com" is simply a cname for "domain.com" and will be used to set a server-side boolean so the mobile version of the site will serve exactly the same pages, just with different css and scripts.
While I'm testing, I want to require a password for all requests made to m.domain.com. I've tried several .htaccess variants on environment variable solutions, and this is what I have right now:
SetEnvIfNoCase Host m\.domain\.com is_mobile
AuthType basic
AuthName "Mobile site"
AuthUserFile ".htpasswd"
Require valid-user
Order allow,deny
Allow from all
Deny from env=is_mobile
Satisfy any
With this code, "domain.com" and "www.domain.com" display normally. "m.domain.com" prompts for a password as expected. However, once it's entered, the server returns a 500 error on any request.
Well, turns out that a little inversion and reordering did the trick.
SetEnvIfNoCase Host ^(www\.)domain\.com$ not_mobile
AuthType basic
AuthName "Mobile site"
AuthUserFile ".htpasswd"
Order deny,allow
Deny from all
Allow from env=not_mobile
Require valid-user
Satisfy any
I'm still curious to know why the other configuration created the 500 error, though, especially since it only occurred for the subdomain I wanted password protected.
Say I have a htaccess file shared by "dev.server" and "server.site.com".
The first domain should allow all users to access it unchallenged (it only exists on my local development server).
The second domain I want to authenticate users with Apache (NOT by database).
The code to authenticate users is:
AuthType Basic
AuthName "Server Admin"
AuthUserFile "/path/to/passwd"
require valid-user
What I can't do is make those 4 lines only matter if the domain is "server.site.com". How can I do this?
I searched for something like <IfEnv HTTP_HOST "site.server.com"> but had no luck.
This appears to work, still need to do some testing on it though.
Order Deny,Allow
Deny from all
SetEnvIf Host domain.for.no.auth dev
Allow from env=dev
AuthUserFile .pwd
AuthType Basic
AuthName MySite
Require valid-user
Satisfy Any
As far as I know, this can't be done in a .htaccess file. You'd have to put this into a Directory or VirtualHost section, both of which can't be used in a .htaccess file.
You would have to define it in two separate files, or directly in the server's configuration in the VirtualHost section.