Error 500 protecting a single url with .htpasswd - .htaccess

I tried to implement this code into my .htaccess on wordpress.
Everything works fine but when you get access, it throws an 500 Error and redirects me to my hosting park website. It seems that it doesn't load the content. Not sure if the problem is that the path I'm providing doesn't contain the actual content.
SetEnvIf Request_URI ^/quetecalles require_auth=true
AuthUserFile /kaycho.com/wp-admin/.htpasswrd
AuthName "Password Protected"
AuthType Basic
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
The snippet is based on this article
Error 500 protecting a single url with .htpasswd

AuthUserFile /kaycho.com/wp-admin/.htpasswrd
The file-path to your password file looks incorrect. This needs to be an absolute filesystem-path, not a root relative URL-path (which is what this looks like). If the path is incorrect and the password file cannot be found then you'll get a 500 Internal Server Error response when submitting the user/password.
Ideally, this should be a file-path outside of your document root directory - that is naturally inaccessible to user requests. It should not be in the same location as the .htaccess file implementing the protection.
Reference:
https://httpd.apache.org/docs/2.4/mod/mod_authn_file.html#authuserfile

Related

Showing Internal Server Error if i use .htaccess to enable the password procted folder [duplicate]

I tried to implement this code into my .htaccess on wordpress.
Everything works fine but when you get access, it throws an 500 Error and redirects me to my hosting park website. It seems that it doesn't load the content. Not sure if the problem is that the path I'm providing doesn't contain the actual content.
SetEnvIf Request_URI ^/quetecalles require_auth=true
AuthUserFile /kaycho.com/wp-admin/.htpasswrd
AuthName "Password Protected"
AuthType Basic
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
The snippet is based on this article
Error 500 protecting a single url with .htpasswd
AuthUserFile /kaycho.com/wp-admin/.htpasswrd
The file-path to your password file looks incorrect. This needs to be an absolute filesystem-path, not a root relative URL-path (which is what this looks like). If the path is incorrect and the password file cannot be found then you'll get a 500 Internal Server Error response when submitting the user/password.
Ideally, this should be a file-path outside of your document root directory - that is naturally inaccessible to user requests. It should not be in the same location as the .htaccess file implementing the protection.
Reference:
https://httpd.apache.org/docs/2.4/mod/mod_authn_file.html#authuserfile

.htaccess AuthType Basic FilesMatch all but maintenance.html for 401 and 403

We are doing some major work on our site and we want to restrict access to all files except a maintenance page. We want all users to be directed to that page if the cancel or fail the authorization request.
ErrorDocument 401 /home/user/public_html/maintenance.html
ErrorDocument 403 /home/user/public_html/maintenance.html
<FilesMatch ^>
AuthName "Authorized Only"
AuthType Basic
AuthUserFile .htpasswd
require valid-user
</FilesMatch>
<Files "/home/user/public_html/maintenance.html">
Allow from all
</Files>
This code doesn't seem to work, users are sent to a page saying:
Unauthorized
This server could not verify that you are authorized to access the document requested.
Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't
understand how to supply the credentials required.
Additionally, a 401 Unauthorized error was encountered while trying to use an ErrorDocument
to handle the request.
There are a number of issues with the code you posted:
<Files "/home/user/public_html/maintenance.html">
The <Files> directive matches file basenames only, not the entire filesystem path. eg. just maintenance.html. So, the above will never be successful.
ErrorDocument 401 /home/user/public_html/maintenance.html
The ErrorDocument takes a root-relative URL-path, not an absolute filesystem path. eg. /maintenance.html.
AuthUserFile .htpasswd
However, the argument to the AuthUserFile directives should be an absolute filesystem path, not a relative path as given above. (A relative path is technically valid, but it's relative to the ServerRoot and you probably don't have access to put files directly in the server root! That's the ServerRoot as defined in the Apache config, not the root directory of your server.)
Solution
Instead of using a separate <Files> container to "allow" access, you can use a negative lookahead to exclude that particular file from triggering the password prompt.
For example:
ErrorDocument 401 /maintenance.html
<FilesMatch "^(?!maintenance\.html$).*">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /absolute/filesystem/path/to/.htpasswd
Require valid-user
</FilesMatch>

AuthUserFile in htaccess can be url?

i have this htaccess :
AuthType Basic
AuthName " Vip User Only
AuthBasicProvider file
AuthUserFile c:\inetpub\htpasswd
Require valid-user
<FilesMatch ".(jpg|gif|png|tiff|jpeg|html)$">
Allow from any
Satisfy any
</FilesMatch>
i want to remotely read htpasswd from another server ?
e.g : this htpasswd is in Server A and i want too use htaccess in Server B with Server A's htpasswd !
is this possible ?
See the documentation of AuthUserFile
File-path is the path to the user file.
There's no mention of URI anywhere. To the contrary, it advises (rightly!) to make the file inaccessible from the web
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
Otherwise anybody could download the file, and crack all your passwords.

Symfony2 simple .htaccess password protect for dev purpose

I would like to use a .htaccess file to protect my symfony2 website while developing it.
I added the following line at the beginning of my .htaccess located in /web and a .htpasswd file just next with my password.
AuthName "Développement"
AuthType Basic
AuthUserFile ".htpasswd"
Require valid-user
I have a Error 500 when I try to access my website. Is it possible to use a htaccess in my case ? What should I use if it is not posible ?
Assuming the 500 error is caused by these directives, the most likely reason is the path to .htpasswd. AuthUserFile says
The AuthUserFile directive sets the name of a textual file containing the list of users and passwords for user authentication. File-path is the path to the user file. If it is not absolute, it is treated as relative to the ServerRoot.
So either use an absolute path (e.g. /var/www/.htpasswd) or add the complete path starting from your document root (e.g. web/.htpasswd).
Also note the last section in AuthUserFile
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
This means, store the auth file somewhere else, like /etc/apache2/htpasswd.

problem protecting a directory using .htaccess

I have created a .htaccess and .htpasswd files, and stored them in the folder I want to protect and when I navigated to that folder, I was asked for the username and passowrd (stored in the .htpasswd file) after entering the username and password, I got a 500 Internal server error. I have used the files on both localhost (windows) and on a web server (linux I guess) both gave the same result mentioned.
this is my .htaccess file:
<Files ~ "^\.(htaccess|htpasswd)$">
deny from all
</Files>
AuthUserFile /.htpasswd
AuthGroupFile /dev/null
AuthName "Please enter your ID and password"
AuthType Basic
require valid-user
order deny,allow
I doubt that your .htpasswd file is really located at the very root of the server's filesystem along with /bin, /usr, /home, and others (rather than inside the part of the filesystem served to web browsers).
According to Apache documentation (1, 2), AuthUserFile expects a file path (as if you were in ServerRoot, usually /usr/apache or similar, and trying to locate the file from the Unix shell). It cannot be a URL, either absolute or relative. Correct your .htpasswd file path accordingly.
Note that if possible, you shouldn't put the .htpasswd file inside a public_html or htdocs folder, because any configuration error could not only allow unauthorized access to the files you want to protect but also the authorized usernames and hashed passwords.
Use an absolute hosting path, eg:
/home/content/14/5267714/html/.htpasswd

Resources