I am trying to password protect a directory, and have two files in the directory which should password protected it:
.htaccess
.htpasswd
HTACCESS:
###Contents of .htaccess:
AuthUserFile /var/www/html/path/to/my/directory/.htpasswd
AuthName "Protected Files"
AuthType Basic
Require user admin
HTPASSWD:
###Contents of .htpasswd
admin:oxRHPuqwKiANY
The password is also admin, but no matter what password I try, it is always wrong. It immediately asks for the password again!
What is wrong with this configuration?
This problem is almost always because apache cannot read the .htpasswd file. There are four causes that come to mind:
it isn't parsing the path correctly... how did you create the .htaccess file? Does it have unix line endings (versus say using Notepad in Windows?
is the path correct? What does the following command (with the path update) show?
ls -l /var/www/html/path/to/my/directory/.htpasswd
does the web server have access to the file? chmod 644 and see if that solves the problem.
it can't parse the .htpasswd file: in this case, you are using the crypt() encryption so it does seem you created the file on Linux and it is probably fine. Some types of encryption only work on certain platforms, if in doubt try switching to MD5.
You may find helpful messages in the Apache error log.
My money is on #3.
I had a similar issue using MAMP and it was because i was creating .htpasswd by hand. Solution was to use htpasswd command in terminal:
htpasswd -bc .htpasswd someuser somepass
this created the .htpasswd file which worked fine with my .htaccess file which looked like so:
AuthType Basic
AuthName "This site is in alpha and requires a password."
AuthUserFile "/Applications/MAMP/htdocs/mywebsite/.htpasswd"
require valid-user
There's a small chance you're seeing password protection from a parent folder, not the folder you expect.
If your /etc/apache2/sites-enabled folder has only one file in it, check to see if it has a section for your sites folder, something like:
<Directory /var/www/mysite.com>
AllowOverride All
</Directory>
otherwise, if it has a file for your site name, like:
/etc/apache/sites-enabled/YOUR_SITE_NAME_HERE.conf
edit that file instead, and make sure that there's an
AllowOverride All
in there. That's the important part! If you want to only allow the minimum, specify:
AllowOverride AuthConfig
instead.
I had the same problem. Turned out the issue was this line:
Require user admin
If you specify admin you can only access the directory with admin even if you have other users in the .htpasswd file.
If you want to specify the users in the .htpasswd file, you can change the line to:
Require valid-user
My problem was that I did not give an absolute path for the AuthFile line.
I had the same issue.
The password should have specified encryption:
CRYPT_STD_DES - Standard DES-based hash with a two character salt from the alphabet "./0-9A-Za-z".
function standard_salt(){
$a = array_merge(range(0,9),range('a','z'),range('A','Z'));
return (string) $a[rand(0,count($a)-1)].$a[rand(0,count($a)-1)];
}
echo(crypt("admin",standard_salt()));
example:
admin:dsbU.we73eauE
Online javascript encripter is also available.
If it still does not work, take care of these:
use unix linebreaks
use correct AuthUserFile path, You can get it using: echo $_SERVER['DOCUMENT_ROOT'];
set file readable: chmod(".htpasswd",0644);
Also, make sure your password file is ANSI-encoded.
I spent about 2 hours to resolve the same issue. But problem was in nginx.
I have nginx as front web server and there was a line for proxy configuration:
proxy_set_header Authorization "";
It overrides Authorization field and apache don't receive login and password typed in.
I just commented out this line and it worked.
use
htpasswd -b .htpasswd admin admin
to use the password from command line.
Also, if you are scatterbrained like me, make sure you have some content to display, like some index.html file in the directory. Otherwise, it will look like authentication failed, while it's just that the server is not allowed to display the directory listing.
Related
I can't enter my web site www.nationtech.net.
When I am trying to enter my site URL on the browser, they show
http://www.nationtech.net is requesting your username and password. The site says: “Protected Directory”.
here is my .htaccess file code
AuthType Basic
AuthName "Protected Directory"
AuthUserFile "/home/wppasswd"
require valid-user
I am trying to change .htaccess code but they are not save.
What can i do?
If you do not want password protection for your website, just delete this .htaccess file
Just had a webpage hacked and thats exactly what happend. You need to take a couple of steps. I wiped out the account from my server, but server did not allowed me to erase .htaccess file on account folder, and I was even logged in as root. So steps:
Use commands
chattr -i .htaccess
chmod 777 .htaccess
Then you can delete that .htaccess file. It seems that a hacker got into your server, change the attributes so not even a root user can even touch, modify, change attributes at all. Once you remove .htaccess then you can remove the folder containing the file by repeating same procedure.
In my CakePHP app, I have a directory of files which I want to allow direct access to with a username/password. For reasons that are overly complicated, placing the directory inside the /webroot folder is not an option. My folder is located here:
/app/parent_folder/folder_full_of_files
So I want to be able to access files directly like this:
http://mysite.com/app/parent_folder/folder_full_of_files/some_file.pdf
I think I need to modify the .htaccess file in the root, and also add another .htaccess file and .htpasswd file in the folder_full_of_files
I have already found this post which asks a similar question... but I can't translate it to my application.
How do I need to modify the root .htaccess file?
What should be in the new .htaccess file. Here's what I've tried, but just results in 500 error...
AuthType Basic
AuthName "restricted area"
AuthUserFile /bla/bla/mysite/app/parent_folder/folder_full_of_files/.htpasswd
require valid-user
What is the correct way to encrypt the password in the .htaccess file?
I got this to work. I had to do a couple things...
I added this to the .htaccess file in root:
RewriteCond %{REQUEST_URI} !^/app/parent_folder/folder_full_of_files
As #Jon pointed out, my original version above had a mistake ([L]).
I also have an .htaccess file in my /app directory. This might be a quirk about my installation because it is not 100% standard. I can't remember if it's there by default, so I'm mentioning it just in case. IF you don't have one in /app skip this step.
I added this to an .htaccess file in the /folder_full_of_files:
AuthType Basic
AuthName "restricted area"
AuthUserFile /bla/bla/mysite/.htpasswd
require valid-user
Make sure the path after AuthUserFile is a fully-qualified path to the .htpasswd file (see next step).
Create the actual .htpasswd file. It's not supposed to be under the document root, but mine is. I think the most important thing is that it's not inside /webroot. I used this command from the terminal and it created the file:
htpasswd -c /path/where/it/should/go/.htpasswd whatever_username
It asks for a plain text password which gets encrypted and written into the file.
That's it. One annoying "gotcha" is that the path in the .htaccess to the auth file must be absolute, which means it will probably have to be edited when moving between local testing and production (unless the two environments are exactly the same). It would be less clunky if relative paths were allowed.
You don't need to modify the htaccess file in your document root at all
Make sure you have AllowOverride AuthConfig or AllowOverride All configured for your /app/parent_folder/folder_full_of_files/ directory. Make sure that the directory also has a properly generated htpasswd file (named .htpasswd). You need to use the htpasswd program to generate it, or any number of online generators.
I want to password protect my website, but as soon as I add in the .htpasswd and .htaccess files I get a server error:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Here is the code I'm using:
.htaccess
AuthType Basic
AuthName "Top Secret for SongKick eyes only."
AuthUserFile /webroot/.htpasswd
require valid-user
.htpasswd
songkick:isS1rCTQE/p8E
I've also tried AuthUserFile /.htpasswd (ie. without "webroot", which is the name of the folder it appears to be in File Manager) but this doesn't work either.
I'm using GoDaddy hosting by the way, if that makes a difference.
According to AuthUserFile, you must supply the complete path to your password file, not the relative path from DocumentRoot, if it is absolute (i.e. starting with a slash).
The AuthUserFile directive sets the name of a textual file containing the list of users and passwords for user authentication. File-path is the path to the user file. If it is not absolute, it is treated as relative to the ServerRoot.
Note that ServerRoot is not DocumentRoot.
If DocumentRoot is /var/www and the password file is /var/www/webroot/.htpasswd, you must say
AuthUserFile /var/www/webroot/.htpasswd
in your .htaccess file.
You can find out about the absolute path with a small PHP script, e.g.
<?php
echo "Absolute path: ", getcwd();
Put this in the directory, where you want to locate the .htpasswd file, and call it with http://www.example.com/path/to/test.php
Don't forget to remove the script, when you're done.
Said that, you shouldn't put your password file anywhere accessible in your DocumentRoot. Better put it in some place not accessible from the web, i.e. /etc/apache2/htpasswd or wherever it suits you.
Two things come to mind.
Is .htpasswd readable by the web server user?
Do you know if Apache is set with AllowOverride all to allow .htaccess to operate as intended?
All of the standard answers (full path, correct format, etc) weren't working for me. After a lot of tracking down I found that the permissions on the parent folder were insufficient, so even though the path in .htaccess was correct and the permissions on the file were rw-r-r, still no go because the parent was rwx-rw--. That can be tough to track down on a host that limits access to up stream folders.
Major reason of this error is the "AuthUserFile" path. I was having this same issue and i solved it by going in cpanel. By protecting your folder in cPanel, it automatically detects the htpasswd file.
Go to cPanel->Password Protect Directories->Define directory and then create a user. Hope this help you.
The APache has a bug it is reported here:
https://bz.apache.org/bugzilla/show_bug.cgi?id=54735
You have to set password like this:
htpasswd -nb username newpassw > <path-to>/htpasswd
Simillar problem here:
Apache 2.4 "..authentication failure..:Password Mismatch"
There is a .htpasswd file in a code base I am working on. The corresponding path to in .htaccess is correct in the production environment but the path does not suit my local environment since the server path is different.
Production: AuthUserFile /var/www/sites/some_dir/.htpasswd
Local Dev: AuthUserFile /path/to/htdocs/some_dir/.htpasswd
Is there a way to make the path to .htpasswd variable, or, if you understand what I am trying to do is there some other way to accomplish this? Thank you in advance.
We realize that over the Vhost config
dev.domain uses our dev htacces file AuthUserFile /usr/local/www/default.htaccess
For security reasen we generate separate file. Sure you can use the system login for access but we think you open there a door which you can't get safe.
prodution domain uses an other htaccess file
You can generate/update the user in the htaccess by the command
htpasswd passwdfile username
In our case we type
htpasswd /usr/local/www/default.htaccess myusername
In the vhost we only set the passwdfile parameter
AuthUserFile /usr/local/www/default.htaccess
We hope we could help you
Similar to Domain specific htpasswd conditions.
Look at the IfDefine directive for Apache. It lets you define a variable on your production and/or development platform with which you can filter your apache commants. See this link for an example: http://cweiske.de/tagebuch/relative-htpasswd-path.htm.
Every time I try to go to Art School on Home Page and put it the correct username/password I get a server error. Yes this is homework, and yes it is my first time doing anything related to this type of setup so any help would be appreciated. All the various instructions that I found listed this as the correct way so I'm sort of stuck.
.htpasswd file(/afs/asu.edu/users/r/l/p/rlpeck/pwd/.htpasswd):
Alice:$apr1$sgDEa/..$FBtlSGHkbPHmlW80Sj2Sx1
Bob:$apr1$V8LLa/..$iX.YVKHoDfKyTKEMvuX.g/
Chris:$apr1$XuHOa/..$o6bf/JyA1otkH0jor4n5c/
Dave:$apr1$hpjQa/..$u3/D.f0xdN23Flg35qp9g.
Eve:$apr1$JIGSa/..$uTs55qYH1.gtDV7WZ0X7q0
.htaccess file(/afs/asu.edu/users/r/l/p/rlpeck/www/CSE465a):
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /afs/asu.edu/users/r/l/p/rlpeck/pwd/.htpasswd
AuthGroupFile /dev/null
Require valid-user
When I do run locate -r error.log all I get are these:
/opt/tivoli/tsm/client/ba/bin/dsmerror.log
/usr/share/doc/cups-1.2.4/de/images/button-view-error-log.gif
/usr/share/doc/cups-1.2.4/es/images/button-view-error-log.gif
/usr/share/doc/cups-1.2.4/help/ref-error_log.html
/usr/share/doc/cups-1.2.4/images/button-view-error-log.gif
/usr/share/doc/cups-1.2.4/ja/images/button-view-error-log.gif
/usr/share/doc/cups-1.2.4/pl/images/button-view-error-log.gif
/usr/share/doc/cups-1.2.4/sv/images/button-view-error-log.gif
/var/log/cups/error_log
/var/log/cups/error_log.1
/var/log/cups/error_log.2
Edit: Response from help desk:
If you were testing the security of your page, you passed. I dont see an error
Is the .htaccess file being saved on the server using UNIX line endings? If you are saving it on a Windows computer, that is likely a problem. If you use FTP, you can transfer in ASCII mode. Otherwise, get a good text editor like Notepad++ (http://notepad-plus-plus.org/) and set UNIX format under Edit → EOL Conversion → UNIX Format.
Is the AuthUserFile pathname correct? It should be the pathname that the web server computer sees, which might not be the pathname you see. You were probably logged in to a different server than the web server when you ran the locate command; the AFS network filesystem allows both servers to see your files but not necessarily at the same path on both.
Does the web server have permission to read the .htpasswd file? Try putting it in the same directory as the .htaccess file and update the pathname in .htaccess accordingly. Of course, it depends on the server configuration whether or not the server will prevent someone from looking at the list of valid passwords that way, so you may need to figure out what AFS commands you need to use to grant such permission.