Internal Server Error when trying to password protect my website - .htaccess

I am trying to password protect my whole website temporarily, using .htaccess and .htpasswd
The .htaccess file reads:
AuthUserFile .htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user xxxxxx
When I try to access the website, an ID and password are requested:
To view this page, you must log in to area “EnterPassword” on xxxxx.com:80.
Then I get this:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, postmaster#xxxx.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
After I typed the password several times, I still get this. Why?
Is it not finding the page where I want to go after I type the password successfully? (the index.php - should this file be linked somewhere?)
Or is it something else?

Related

AuthName in .htaccess not displayed in Chrome

I am trying to secure a website with an .htaccess file with Apache2. It works well but the message specified with the AuthName line is not visible on Chrome (but it is visible on Firefox !). What should I do to make it visible on Chrome?
Here is my .htaccess file
AuthType Basic
AuthName "Restricted Access"
AuthFile "/etc/apache2/.htpasswd"
Require valid-user
On Firefox the pop-up tells
The site ... is requesting your username and password. The site says: "Restricted Access"
But on Chrome it only tells
Sign in
What should I do to make it visible on Chrome?
There is nothing you can do.
The browser decides whether it wants to display this information to the user in some way, or not.
The phrasing used in the Apache documentation already hints at that (highlights by me) -
https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authname:
The string provided for the AuthName is what will appear in the password dialog provided by most browsers.
https://httpd.apache.org/docs/2.4/howto/auth.html#gettingitworking:
The AuthName directive sets the Realm to be used in the authentication. The realm serves two major functions. First, the client often presents this information to the user as part of the password dialog box. Second, it is used by the client to determine what password to send for a given authenticated area.
Here is a workaround which can give some info for your unlucky visitor, using custom error document feature after the login attempt fails:
Put this line into your .htaccess file:
ErrorDocument 401 YYYY-MM-DDTHHMM-Site-update-under-way-Estimate-30-min
The continuous text seems to get displayed after login fails or is canceled. No dots (.) or colons (:) allowed. Of course it should represent a valid filename, but if the user has no access to public_html due to login fail a file maybe can't be served anyway. If You can serve a proper 401 error page, You can explain the situation there.
(edit 1) Maybe this behaviour is a curiosity in my case with shared hosting. The shared server there seems to be nginx which I guess "is forced" to accept .htaccess directives.
(edit 2) Confirmed this behaviour also with Apache 2.4 server

PHP | .htpasswd | Can not login custom admin page with same username and password

I use a free shared php web server for my site. my site's url end was p.ht and for some issues it changed to w.pw
In order to make my site working properly again, by using Notepad++ I used "Find in Files" subwindow which is in ctrl+F popup window. I replaced each occurence of p.ht with w.pw.
My site then started to work properly again with no problem in terms of viewing.
however after this change, after a while I needed to logon my custom admin page (approve comments, articles etc)
I created it with .htaccess with main commands below:
AuthUserFile /home/u999999999/public_html/.htpasswd
AuthName "Log In"
AuthType Basic
Require valid-user
RewriteEngine On
RewriteBase /adminfolder/
just before URLs changed, everything was working on my site properly, I was able to login to my admin account from my firm computer. But know despite the same password and username I can't logon. I changed the password, uploaded new file but again I couldn't logon.
What can be the problem?
my firm firewall, security politics update etc?
A changed php server property in free shared web server?
A ctrl+Replace mistake somehow?
I also entered the password by keyboard and by copy-paste.
Can you please guide me for my situation. Where should I look, what new action can I try in order to detect my failure mode?
best regards

Using .htaccess and .htpasswd gives empty pages

I'm trying to password protect a webpage, say index.html that's located at mysite.com/mysubfolder/index.html. How I've done this, is I've placed both a .htaccess and a .htpasswd file in the directory public_html/mysubfolder/, with .htacess containing the following:
AuthName "Secure Area"
AuthType Basic
AuthUserFile /public_html/mysubfolder/.htpasswd
Require valid-user
Now, when I type in www.mysite.com/mysubfolder into the address bar, I get the prompt to type in the user name and password, which I do, with the credentials that generated my .htpasswd file. But when I do, an empty page shows up - no error or warning, just a white page. I have other folders inside this directory, and for them too nothing shows up, when I try to access them directly through the address bar. When I click View Page Source, all I see is
<!-- SHTML Wrapper - 500 Server Error -->
I have no idea what to do now. I want everyone who types in that webpage or clicks through a link to it (mysite.com/mysubfolder/index.html or mysite.com/mysubfolder)to have to type in the specific credentials I have chosen. Am I doing something wrong? Maybe there is a better way? Thanks in advance.

Htaccess/Htpasswd AutoType Basic Doesn't Work in Chrome

Okay, so I'm protecting a webpage with a basic .htaccess/.htpasswd combination.
My .htaccess file looks something like this:
DirectoryIndex index.php
AuthUserFile HOMEDIRECTORY/.htpasswd
AuthName "Restricted Area"
AuthType Basic
require valid-user
Everything works fine under Firefox, but Chrome gives this message. I've tested this on multiple computers.
Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Any idea where Chrome is going wrong?
If you are using a frame redirection between different domains Chrome will not show the login prompt. Use an HTTP 302 or 301 redirection instead.

Digest authentication refuses to accept valid credentials

I'm trying to protect a folder with Digest Authentication through a .htaccess file:
AuthType Digest
AuthName "Restricted Area"
AuthUserFile /web/htdocs/www.domain.com/.../.htdigest
Require valid-user
I've created the file of passwords with the comand "htdigest".
All works fine on my local server ... but not on my remote server (hosted website)!
The browser shows the login panel even if I enter a correct password!
On the remote server PHP is running as CGI not as a module of Apache ... should be this the cause? Is there some workaround?
A Basic Authentication with .htaccess works fine on the same remote server!
If the script is running as CGI, that means it is running as the local user, not as www, which is probably the problem, yes. Is CGI the only option?
The code above is missing the AuthDigestDomain directive, about that the documentation says:
This directive should always be
specified and contain at least the
(set of) root URI(s) for this space.
Omitting to do so will cause the
client to send the Authorization
header for every request sent to this
server. Apart from increasing the size
of the request, it may also have a
detrimental effect on performance if
AuthDigestNcCheck is on.
However, I've definitely solved the problem by enabling the Apache module mod_auth_digest instead of the module mod_digest.

Resources