I've been working through "PHP, MySQL, JavaScript, & CSS" by Robin Nixon, and have hit a brick wall with the Basic Authentication in PHP section: the login pop-up won't accept a correct username and password and instead loops. So I tried editing the server's config settings. I'm using the Apache2 server, and have (I think) set up authentication and authorization through configuring httpd.conf and .htaccess, but I am now getting a 500 internal server error. I'm new to php so it's perhaps likely that i have missed a step or misunderstood a step, so any assistance would be greatly appreciated!
In httpd.conf i have added the following:
<Directory "...\Apache2/htdocs">
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "...Apache2\passwd"
Require valid-user
Options FollowSymLinks
AllowOverride AuthConfig
Order deny,allow
Allow from all
</Directory>
Is this where i am going wrong?
Related
I'm trying to protect an older TYPO3 8.7 backend (/typo3) via an AuthType basic part in the normal TYPO3 .htaccess file.
I always end up with internal server errors.
Has anyone done this before ?
Is it possible that this could not wor with the symlinks ?
I am puting this part of code on top of my .htaccess (before all the rwrite stuff starts):
SetEnvIf Request_URI ^.*/typo3.* require_auth=true
AuthType basic
AuthName "Admin Schutz"
AuthUserFile /usr/etc/.htpasswd
#Order Deny,Allow
#Deny from all
#Satisfy any
Require valid-user
Allow from env=!require_auth
Thanks for any hints!
Assuming that your /usr/etc/.htpasswd file is accessible and valid (created properly with htpasswd command and chmoded to 644) your sample should work for Apache 2.2, but not in Apache 2.4 according to comments in this post. Literally in 2.4 it will work, but will require password also for your root domain.
There are two solutions. First is placing additional .htaccess files in your typo3 directory with simple rule, i.e. as shown by #Naderio:
AuthType basic
AuthName "Secret area!"
AuthUserFile /usr/etc/.htpasswd
require valid-user
Order deny,allow
Deny from all
Satisfy ANY
However, if you created a typo3 symlink to sources as suggested in TYPO3's documentation and/or you don't want to require BasicAuth for all projects which uses the same sources, you can override these settings directly in VHOST configuration like (assuming that you have all your TYPO3 projects i.e. in /www/typo3/ folder:
<VirtualHost *:80>
ServerAdmin your#email.tld
DocumentRoot "/www/typo3/project-x.loc"
ServerName project-x.loc
# below your valid paths for log files...
# ErrorLog "logs/project-x.loc-error_log"
# CustomLog "logs/project-x.loc-access_log" common
<Directory "/www/typo3/project-x.loc">
Options Indexes FollowSymLinks ExecCGI Includes
AllowOverride All
Require all granted
</Directory>
<Directory "/www/typo3/project-x.loc/typo3">
AuthType basic
AuthName "Restricted in VHOST config!"
AuthUserFile /usr/etc/.htpasswd
require valid-user
Order deny,allow
Deny from all
Satisfy ANY
</Directory>
</VirtualHost>
Note: I'd check anyway if the path you are trying to use /usr/etc/ is accessible for Apache at all, maybe it will be better moving your .htpasswd file somewhere closer to your www structure like to folder /www/etc/ and fix the above rules accordingly?
Should work with:
AuthType basic
AuthName "Secret area!"
AuthUserFile /usr/etc/.htpasswd
require valid-user
Order deny,allow
Deny from all
Satisfy ANY
An internal server error is thrown, e.g. if your path to the AuthUserFile isn't correct.
Here i've written down my snippet for my personal public documentation:
https://www.entwicklertools.de/snippet-sammlung/htaccess-snippets/passwortschutz-einrichten/
Thanks to all replies.
finally we also did this in the vhost by the following code using the "location"-tag.
<Location /typo3/>
AuthType Basic
AuthName "Enter Password"
AuthUserFile /www_data/.htpasswd4xyz
Require valid-user
</Location>
In case you can't edit the vhost config,
this line shoud work istead of your SetEnvIf in your .htaccess, intoo:
SetEnvIfNoCase Request_URI ^/typo3/$ require_auth=true
I have a server running, and setup an htaccess file. Everything works and it does require a password to gain access to the folder I set, but once the password is used, it has never required verification again. Seems insecure, so I'm wondering how to require re-entering a password. Like some kind of time-out on the access, but I don't know what to look for, and all I've found is people trying to stop needing a password all the time.
Please help with either a solution, or point me in the right direction for what I need to be searching for.
I am using ssl, and .httaccess file with basic auth setup in the apache config file.
<Directory "/var/www/html">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
As I know, apache/HTTP authentication don't gives you control.
After first authentication, your server cannot instruct the browser to logout or timeout. HTTP authentication does not work with session/cookies and the browser shall continually send authentication credentials.
To logout you should close the browser.
looking in Apache webpage: AuthDigestNonceLifetime Directive could be useful the value is in seconds for the time. i use 300 here.
<Directory "/var/www/html">
AuthType Digest
AuthName "Restricted-Content"
AuthDigestDomain "http://127.0.1.2"
AuthDigestProvider file
AuthUserFile /etc/apache2/.htpasswd
AuthDigestNonceLifetime 30
Require valid-user
</Directory>
Also you will have to use the htdigest command to generate the .htpasswd file
htdigest -c /etc/apache2/.htpasswd Restricted-Content username
then set the password
then set the AuthDigestDomain to your URL or IP
this conffiguration can only work with the degest based authentication. although the user must clear their browser cache manually.
but i would recommend you switch to a different method for autentication, unless its the only option for the application
I saw this and I'd love to know how to recreate it. Unfortunately, I don't know .htaccess.
Upon viewing an image, there was an HTTP Basic Auth style dialog that asked to enter some sort of authentication (albeit nothing actually submitted anywhere).
I'm sorry for the skid question, but I'd really love some insight as to how this can be done using .htaccess or .htpasswd.
Thanks.
In your apache site conf, add something like:
Alias /image /path/to/img
<Directory "/path/to/img">
AuthType Basic
AuthName "LoginImage"
AuthUserFile /path/to/.htpasswd
Require valid-user
</Directory>
Then, create the .htpasswd file with:
htpasswd -c .htpasswd someusername
and you'll be prompted to create a password.
sorry to ask this again, I know that it's been asked before but I've literally read every discussion for trouble shooting and I'm still having problems
heres my code:
AllowOverride AuthConfig
AuthUserFile path/index/.htpasswd
AuthType Basic
AuthName "restricted area"
AuthGroupFile /dev/null
require valid-user
whenever I delete the .htaccess from the server the pages run normally but when I re-add the .htaccess I get the internal server error. It's really weird because occasionally an enter your password window comes up even but when I enter the password the window reappears, as if the password was entered incorrectly, and when I reload the page I get the 500 server error. Thanks in advance for the much needed help!!!
This line:
AllowOverride AuthConfig
Is probably what's causing you the error. The AllowOverride directive tells apache what is allowed to be used in things like htaccess files. So obviously, it's not something you can set in your htaccess file. AllowOverride needs to be in the server or vhost config, and the AuthConfig part of it tells apache that you can have auth directives (like AuthType, AuthName, etc) in an htaccess file.
I've been testing usage of apache authentication, following this example.
I'm using Ubuntu/Apache2.
Inside of my 'site', /etc/apache2/sites-enabled/playcat, which is pointing to /home/playcat/public_html, I entered following:
<Directory "/home/playcat/public_html/backend">
AuthType Basic
AuthName "Restricted Content"
AuthBasicProvider file
AuthUserFile /home/playcat/passwd/passwords
Require user playcat
</Directory>
Password for user playcat was created via
htpasswd -c /home/playcat/passwd/passwords playcat
Obviously, before that I created passwd folder :).
Now, when I open http://localhost/backend, I get promped for u/p combination. However, when I type it, I get 403 response.
Other than that, server is working a-ok. I have php and mysql installed, and everything works fine.
Did I miss smt?
Thx
p.s. I'm using correct user/pass combo :)
Try to change the
<Directory "/home/playcat/public_html/backend">
to
<Directory /home/playcat/public_html/backend>
That is how it is supposed to be written according to the spec:
http://httpd.apache.org/docs/current/mod/core.html#directory
Here is an example that works for me:
<Directory /path/to/web/site/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order deny,allow
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /path/to/htpasswd
Require valid-user
</Directory>