Develop Reference

Should I use the same folder for .htaccess and .htpasswd?

When I choose the same directory for .htaccess and .htpasswd, everything working fine.
But the situation below makes me sad.
I have one .htacces file in the root folder (johan) containing the code below.
AuthName "johan User"
AuthType Basic
AuthUserFile C:/wamp/www/johan/protectthisdir/.htpasswd
Require valid-user
.htpasswd is located at protectthisdir.
When I try to access the johan suddenly getting authentication required message box. But I need it only at protectthisdir. How to do this? Please help.

You should put the .htaccess file in the folder you want to protect, and not the root folder in your case.
The .htpasswd file should not be accessible from a browser so putting it above the DocumentRoot folder is a good idea. So in C:\wamp in your case.
PS:
It would be better to create a Virtual Host for your site to run in, in a completely different folder structure from the default wamp folders See this post for help on that

CakePHP: How to allow password access to one directory with .htaccess

In my CakePHP app, I have a directory of files which I want to allow direct access to with a username/password. For reasons that are overly complicated, placing the directory inside the /webroot folder is not an option. My folder is located here:
/app/parent_folder/folder_full_of_files
So I want to be able to access files directly like this:
http://mysite.com/app/parent_folder/folder_full_of_files/some_file.pdf
I think I need to modify the .htaccess file in the root, and also add another .htaccess file and .htpasswd file in the folder_full_of_files
I have already found this post which asks a similar question... but I can't translate it to my application.
How do I need to modify the root .htaccess file?
What should be in the new .htaccess file. Here's what I've tried, but just results in 500 error...
AuthType Basic
AuthName "restricted area"
AuthUserFile /bla/bla/mysite/app/parent_folder/folder_full_of_files/.htpasswd
require valid-user
What is the correct way to encrypt the password in the .htaccess file?

I got this to work. I had to do a couple things...
I added this to the .htaccess file in root:
RewriteCond %{REQUEST_URI} !^/app/parent_folder/folder_full_of_files
As #Jon pointed out, my original version above had a mistake ([L]).
I also have an .htaccess file in my /app directory. This might be a quirk about my installation because it is not 100% standard. I can't remember if it's there by default, so I'm mentioning it just in case. IF you don't have one in /app skip this step.
I added this to an .htaccess file in the /folder_full_of_files:
AuthType Basic
AuthName "restricted area"
AuthUserFile /bla/bla/mysite/.htpasswd
require valid-user
Make sure the path after AuthUserFile is a fully-qualified path to the .htpasswd file (see next step).
Create the actual .htpasswd file. It's not supposed to be under the document root, but mine is. I think the most important thing is that it's not inside /webroot. I used this command from the terminal and it created the file:
htpasswd -c /path/where/it/should/go/.htpasswd whatever_username
It asks for a plain text password which gets encrypted and written into the file.
That's it. One annoying "gotcha" is that the path in the .htaccess to the auth file must be absolute, which means it will probably have to be edited when moving between local testing and production (unless the two environments are exactly the same). It would be less clunky if relative paths were allowed.

You don't need to modify the htaccess file in your document root at all
Make sure you have AllowOverride AuthConfig or AllowOverride All configured for your /app/parent_folder/folder_full_of_files/ directory. Make sure that the directory also has a properly generated htpasswd file (named .htpasswd). You need to use the htpasswd program to generate it, or any number of online generators.

CentOS Subversion, Basic Auth Password file not working

So i have SVN installed and using HTTPD for a remote repository. All works well, until i use the password file. This is not working at all. Apache's error_log says
(13) Permission Denied: Could not open password file
I have set the passwd file's chmod to 777 and chown to apache, I also set the parent folder of the repo and passwd file to chown apache and chmod 777...
I have no clue how this is a permissions problem anymore... any help please!!
UPDATE
I took SVN out of it, and just implemented a standard basic auth on one of my domains
<VirtualHost *:80>
ServerName domain.com
ServerAlias www.domain.com
DocumentRoot "/var/www/www.domain.com/public_www"
<Directory "/var/www/www.domain.com/public_www">
Options -Indexes
Order allow,deny
Allow from all
AllowOverride All
AuthType Basic
AuthName "Basic Authentication"
AuthUserFile /path/to/authfile.htpasswd
Require valid-user
</Directory>
</VirtualHost>
I created the password file like this
htpasswd -cm /path/to/authfile.htpasswd username
password (and retype)
And finally
service httpd restart
Lo and behold, the auth prompt works as before, but the username and password DOES NOT! This is rather frustrating, i have double checked all the permissions, owners etc of the password file and parent folder, but i still get
(13) Permission Denied: Could not open password file
In the error_log for Apache

If you're on a Red Hat Enterprise Linux/Centos/Fedora system and you create your htpasswd file outside of /var/www/html directory, owned by apache, you'll also have problems with SELinux context/lables of the htpasswd file. You can check the current context/label of htpasswd with the -Z option passed into the ls command.
ls -Z
The htpasswd file should have a type of httpd_sys_content_t. you can change this with this command:
chcon -t httpd_sys_content_t htpasswd
More info on Relabeling Files for SELinux:
https://wiki.centos.org/HowTos/SELinux#head-0f6390ddacfab39ee973ed8018a32212c2a02199

Maybe a bit of an obvious slap in my face:
I had previously been putting /path/to/authfile.htpasswd out side of apaches home folder /var/www, when I put the password file in /var/www/svn-auth/*.htpasswd than it worked.
Regardless of chown (apache owning /svn-auth and .htpasswd files within) it was probably being denied because it's likely that apache's (as a user) home folder is /var/www/* and was being denied access outside of it...
Lesson learned

htaccess doesn't work - always wrong password

I am trying to password protect a directory, and have two files in the directory which should password protected it:
.htaccess
.htpasswd
HTACCESS:
###Contents of .htaccess:
AuthUserFile /var/www/html/path/to/my/directory/.htpasswd
AuthName "Protected Files"
AuthType Basic
Require user admin
HTPASSWD:
###Contents of .htpasswd
admin:oxRHPuqwKiANY
The password is also admin, but no matter what password I try, it is always wrong. It immediately asks for the password again!
What is wrong with this configuration?

This problem is almost always because apache cannot read the .htpasswd file. There are four causes that come to mind:
it isn't parsing the path correctly... how did you create the .htaccess file? Does it have unix line endings (versus say using Notepad in Windows?
is the path correct? What does the following command (with the path update) show?
ls -l /var/www/html/path/to/my/directory/.htpasswd
does the web server have access to the file? chmod 644 and see if that solves the problem.
it can't parse the .htpasswd file: in this case, you are using the crypt() encryption so it does seem you created the file on Linux and it is probably fine. Some types of encryption only work on certain platforms, if in doubt try switching to MD5.
You may find helpful messages in the Apache error log.
My money is on #3.

I had a similar issue using MAMP and it was because i was creating .htpasswd by hand. Solution was to use htpasswd command in terminal:
htpasswd -bc .htpasswd someuser somepass
this created the .htpasswd file which worked fine with my .htaccess file which looked like so:
AuthType Basic
AuthName "This site is in alpha and requires a password."
AuthUserFile "/Applications/MAMP/htdocs/mywebsite/.htpasswd"
require valid-user

There's a small chance you're seeing password protection from a parent folder, not the folder you expect.
If your /etc/apache2/sites-enabled folder has only one file in it, check to see if it has a section for your sites folder, something like:
<Directory /var/www/mysite.com>
AllowOverride All
</Directory>
otherwise, if it has a file for your site name, like:
/etc/apache/sites-enabled/YOUR_SITE_NAME_HERE.conf
edit that file instead, and make sure that there's an
AllowOverride All
in there. That's the important part! If you want to only allow the minimum, specify:
AllowOverride AuthConfig
instead.

I had the same problem. Turned out the issue was this line:
Require user admin
If you specify admin you can only access the directory with admin even if you have other users in the .htpasswd file.
If you want to specify the users in the .htpasswd file, you can change the line to:
Require valid-user

My problem was that I did not give an absolute path for the AuthFile line.

I had the same issue.
The password should have specified encryption:
CRYPT_STD_DES - Standard DES-based hash with a two character salt from the alphabet "./0-9A-Za-z".
function standard_salt(){
$a = array_merge(range(0,9),range('a','z'),range('A','Z'));
return (string) $a[rand(0,count($a)-1)].$a[rand(0,count($a)-1)];
}
echo(crypt("admin",standard_salt()));
example:
admin:dsbU.we73eauE
Online javascript encripter is also available.
If it still does not work, take care of these:
use unix linebreaks
use correct AuthUserFile path, You can get it using: echo $_SERVER['DOCUMENT_ROOT'];
set file readable: chmod(".htpasswd",0644);

Also, make sure your password file is ANSI-encoded.

I spent about 2 hours to resolve the same issue. But problem was in nginx.
I have nginx as front web server and there was a line for proxy configuration:
proxy_set_header Authorization "";
It overrides Authorization field and apache don't receive login and password typed in.
I just commented out this line and it worked.

use
htpasswd -b .htpasswd admin admin
to use the password from command line.

Also, if you are scatterbrained like me, make sure you have some content to display, like some index.html file in the directory. Otherwise, it will look like authentication failed, while it's just that the server is not allowed to display the directory listing.

How do I remove HTTP authentication on a website on a FreeBSD Server?

Sorry that I haven't done much of my own research but I do not know how to set up basic authentication, nevermind removing it!
Thanks.
EDIT:
Sorry, what was I thinking, its in httpd.conf or includes!

This is more a question for ServerFault, but I'm going to carry on and assume you're using Apache on FreeBSD.
The authentication is set in either the httpd.conf (main Apache configuration file) or a .htaccess file in the directory that serves the protected content.
In the httpd.conf file, you'll come across a Directory or Location statement which matches, respectively, either the physical filesystem directory where the protected content is stored, or the URI of the protected content.
In either case, the authentication is a set of lines beginning with Auth. Simply comment those out - if they're in the httpd.conf file, you'll need to restart your Apache server, if in a .htaccess file it should take effect right away.
Examples:
In httpd.conf, files in /srv/www/protected are protected by authentication:
<Directory /srv/www/protected>
AuthType basic
AuthName "My Protected Site"
...
</Directory>
Or, within the /srv/www/protected directory in a file called .htaccess:
AuthType basic
AuthName "My Protected Site"
...