I have written a .htaccess file and I am able to authenticate the username and password correctly. But when I click cancel during the htaccess authentication, I get an "Access Error - Unauthorized" or a server error message.
Firstly, I am not sure what the error code is. I tried the following:
ErrorDocument 400 /400.html
I also tried with the error codes 401, 403, 404, 500 but still that error persists.
My .htaccess file looks like this. I have used the <Files> tag to enforce the authentication for different html files.
AuthType Basic
AuthName "prompt"
AuthUserFile /.htpasswd
Require user mike
Do I need to place the "ErrorDocument" for every html file that I am trying to protect, or would just one "ErrorDocument" statement at the end suffice for all the files that I am trying to protect?
There are two rules you may have forgotten.
The error page itself must not be protected by .htaccess. It must be reachable.
The path to the ErrorDocument files counts from document root.
If you obey the rules, the code works (just tested it). This is what my successful test involved:
Files:
/protected/.htaccess
/protected/.htpasswd
/401.php
.htaccess
ErrorDocument 401 /401.php
AuthType Basic
AuthName "My Protected Area"
AuthUserFile protected/.htpasswd
Require valid-user
I tried to implement this code into my .htaccess on wordpress.
Everything works fine, but when you get access, it throws a 500 Error and redirects me to my hosting park website. It seems that it doesn't load the content. Not sure if the problem is that the path I'm providing doesn't contain the actual content.
SetEnvIf Request_URI ^/quetecalles require_auth=true
AuthUserFile /kaycho.com/wp-admin/.htpasswrd
AuthName "Password Protected"
AuthType Basic
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
The snippet is based on this article
Error 500 protecting a single url with .htpasswd
AuthUserFile /kaycho.com/wp-admin/.htpasswrd
The file-path to your password file looks incorrect. This needs to be an absolute filesystem-path, not a root relative URL-path (which is what this looks like). If the path is incorrect and the password file cannot be found then you'll get a 500 Internal Server Error response when submitting the user/password.
Ideally, this should be a file-path outside of your document root directory - that is naturally inaccessible to user requests. It should not be in the same location as the .htaccess file implementing the protection.
Reference:
https://httpd.apache.org/docs/2.4/mod/mod_authn_file.html#authuserfile
I have a shared hosting server where each subdomain is in its folder in root. The www.domain.com is in the /www folder, the subdomain.domain.com subdomain is in the /subdomain folder, etc.
What I want right now, is to restrict access to subdomain.domain.com with a .htaccess password, but show a customized message for users who don't have a password. And I can't get Apache2 to read the 401 error document. I have found some common troubleshooting saying that the file has to be readable, which in my case it definitely is.
So, the only two places where I can put the auth file in this configuration, since /subdomain is protected, is either under the /www folder, or in the root (like /401.html), which I have no idea if it makes any difference. But in both cases, those are folders obviously readable by Apache2, because I am using them, I am using the other (main) domain for PHP scripts, and I am getting error logs in the root, the file permissions are the same as on the 404 document (which works), and the owner is the same.
And I don't think my hoster is disabling me from using custom 401 error documents (I am already successfully using custom 404 and 500 documents), because only when I try to specify a 401 document, I get an additional row in my error output that says "Additionally, a 401 Authorization Required error was encountered while trying to use an ErrorDocument to handle the request." As if it's trying to do it, but there is something else in the way.
What could it be, and what should I try?
EDIT:
This is the contents of the .htaccess file:
Options +Indexes +FollowSymLinks
RewriteEngine On
RewriteRule ^([^\.]+)$ index.php?data=$1 [QSA,L]
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /subdomain/.htpasswd
AuthGroupFile /dev/null
require valid-user
ErrorDocument 404 /tpl/errors/404.php
ErrorDocument 500 /tpl/errors/500.php
ErrorDocument 401 /auth_alpha.html
And what I'm noticing right now pasting this, is that my 404 messages are an absolute path starting with the http address, not the root of the file system, which means that if I start the 401 error document with a /, it will try to read it from the same domain? Which makes little sense to me, because it should be an Apache2 directive, not a browser directive, right? Anyway, when I tried putting ../auth_alpha.html instead of /auth_alpha.html, then the browser outputs ONLY the string ../auth_alpha.html on the page.
You need to exclude ErrorDocument URLs from authentication:
ErrorDocument 404 /tpl/errors/404.php
ErrorDocument 500 /tpl/errors/500.php
ErrorDocument 401 /auth_alpha.html
Options +Indexes +FollowSymLinks
RewriteEngine On
RewriteRule ^([^.]+)/?$ index.php?data=$1 [QSA,L]
SetEnvIfNoCase Request_URI ^/(auth_alpha\.html$|tpl/errors/) NO_AUTH
# force auth for everything except ErrorDocument URLs
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /subdomain/.htpasswd
AuthGroupFile /dev/null
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=NO_AUTH
I have the following code to protect my application:
.htaccess:
AuthType Basic
AuthName "My Protected Area"
AuthUserFile .htpasswd
Require valid-user
.htpasswd:
username:$apr1$Am/5PMEt$JofEYwKBM8rhEnsoLndir/
The .htpasswd file is in the same directory as the .htaccess file.
It does ask me for authentication, but then gives me a 500 server error. I just used this tool, so I am wondering what I might be doing wrong?
Thanks!
Try changing the .htpasswd to use the full path starting from / and using this tool instead: http://www.askapache.com/online-tools/htpasswd-generator/
AuthType Basic
AuthName "My Protected Area"
AuthUserFile /var/www/public_html/full/path/to/.htpasswd
Require valid-user
Satisfy All
Otherwise it sounds like the error is being caused by some other issue. Likely 1 of 2:
The permissions on the .htaccess or .htpasswd file are bad
There is some other error like a rewrite or something in a .htaccess or php error
You need to cause this error to happen again, and then view your /var/log/httpd/error_log file (or named something similar) which will tell you the reason for the 500 error.
I'm trying to make a folder on my server protected by .htaccess & .htpasswd. When I try to enter the folder in question I'm asked for a password like I want. But then when the page is loaded I get a 500 error, which also happens on all pages on my site now. With ErrorDocument 500 it says:
This webpage has a redirect loop
The webpage at http://example.com/test/folder/ has resulted in too many redirects.
...
This is what my .htaccess file looks like:
ErrorDocument 500 http://81.18.24.170/test/appload/
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /test/folder/admin/.htpasswd
require valid-user
Can anyone see a problem or something that I've missed to make it work?
EDIT: I had the rewrite rule to prevent the 301 error I get for too many redirects. (Found in another solution but it didn't help.) So I just want to get rid of the 500 error.
When you are putting the file path for the AuthUserFile, make sure you use the FULL filepath from your root directory, for example:
AuthUserFile /var/www/html/test/folder/admin/.htpasswd
A similar issue was discussed in this thread:
htaccess / htpasswd in subdir
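An added example, not part of any post above: a small Python lint for the two failure modes the answers describe, an AuthUserFile that is not a usable absolute filesystem path (or sits inside the document root) and an ErrorDocument 401 target that is itself behind the authentication. The function name, the sample paths and the coarse exemption check (any `Allow from env=` or `Require env` line counts as an exemption) are assumptions of this example.

```python
import os.path
import posixpath
import re

# Constructed sample modelled on the third question's .htaccess (paths are placeholders)
QUESTION_CONFIG = """\
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /subdomain/.htpasswd
require valid-user
ErrorDocument 401 /auth_alpha.html
"""

def lint_htaccess(text, htaccess_dir, docroot, exists=os.path.isfile):
    """Return a list of findings for a Basic-auth .htaccess stored in htaccess_dir."""
    directives = []
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if parts and not parts[0].startswith("#"):
            directives.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))

    docroot = posixpath.normpath(docroot)
    # URL prefix covered by this .htaccess, e.g. "/protected/" ("/" for the docroot itself)
    rel = posixpath.relpath(posixpath.normpath(htaccess_dir), docroot)
    prefix = "/" if rel == "." else "/" + rel + "/"

    requires = [arg.lower() for name, arg in directives if name == "require"]
    has_auth = any(not r.startswith("env ") for r in requires)
    # Assumption: any env-based allow (2.2 style, as on the page) or "Require env" exempts
    exempt = (any(name == "allow" and "env=" in arg for name, arg in directives)
              or any(r.startswith("env ") for r in requires))

    findings = []
    for name, arg in directives:
        if name == "authuserfile":
            path = arg.strip('"')
            if not path.startswith("/"):
                findings.append("AuthUserFile is relative (resolved against ServerRoot)")
                continue
            if posixpath.normpath(path).startswith(docroot + "/"):
                findings.append("AuthUserFile is inside the document root")
            if not exists(path):
                findings.append("AuthUserFile not found on disk (expect a 500)")
        elif name == "errordocument":
            m = re.match(r'401\s+"?(/[^\s"]*)', arg)
            if m and has_auth and not exempt and m.group(1).startswith(prefix):
                findings.append("ErrorDocument 401 target is itself behind the auth")
    return findings
```

Call it as `lint_htaccess(open(".htaccess").read(), htaccess_dir, docroot)` on the server itself so the default `exists` check sees the real filesystem.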