| Author |
.htaccess password protection does not work
|
|
| Matthias Pospiech 2005-03-17, 3:44 am |
| I use .htaccess in my www root already for mod_rewrite. So inprinciple
htaccess file work.
Now I want to set up password protection.
My .htaccess file is:
>AuthType Basic
>AuthName "Password Required"
>AuthUserFile /home/matthias/www/matthias/pwd/users
>AuthGroupFile /dev/null
>Require user photos
with an file users that exists and was created using htpasswd.
But my problem is, that simple nothing happens. Nothing in the browser,
nothing in my logfiles.
What is wrong ?
What information do you need to check ?
Matthias
--
www.matthiaspospiech.de
| |
| Davide Bianchi 2005-03-17, 3:44 am |
| On 2005-03-16, Matthias Pospiech <matthiasPUNKTpospiech@gmx.de> wrote:
> I use .htaccess in my www root already for mod_rewrite. So inprinciple
> htaccess file work.
Check which "AllowOverride" directive is in the <Directory > block
in the httpd.conf that refer to that directory or the parent's.
[vbcol=seagreen]
Is bad practice to put the password file in a directory that is inside
the DocumentRoot tree.
Davide
--
NASA uses Windows? Oh great. If Apollo 13 went off course today the manual
would just tell them to open the airlock, flush the astronauts out, and
re-install new ones. --Kibo
| |
| Mxsmanic 2005-03-17, 3:44 am |
| Matthias Pospiech writes:
> I use .htaccess in my www root already for mod_rewrite. So inprinciple
> htaccess file work.
>
> Now I want to set up password protection.
> My .htaccess file is:
>
> with an file users that exists and was created using htpasswd.
>
> But my problem is, that simple nothing happens. Nothing in the browser,
> nothing in my logfiles.
> What is wrong ?
> What information do you need to check ?
..htaccess must be the name of your access file (this is the default, so
I assume it's correct).
The file /home/matthias/www/matthias/pwd/users must contain a list of
users with passwords encrypted by htpasswd. Are you sure the pathname
is correct?
"Require user photos" means "look up a user called 'photos' in the user
file." So there must be a user by that name in the user file, with a
valid password. The group file is ignored; you don't need to put
/dev/null for the group file.
--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.
| |
| Mxsmanic 2005-03-17, 6:00 pm |
| Davide Bianchi writes:
> When I see AuthUserFile /home/matthias/www/matthias/pwd/users
> that 'www' make me think that is under the control of Apache.
Possible, but not required. My /www directory points to Apache stuff,
but it's not DocumentRoot, which is actually /www/htdocs. I put the
authorization files in /www/conf, which is external to DocumentRoot.
--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.
| |
| Mxsmanic 2005-03-17, 6:00 pm |
| Matthias Pospiech writes:
> You mean: AccessFileName .htaccess
Yes, although .htaccess is already the default (so unless you've changed
it, no problem).
> Options -All -Multiviews
Remove the hypens.
> [Thu Mar 17 07:48:10 2005] [notice] Digest: generating secret for digest
> authentication ...
> [Thu Mar 17 07:48:10 2005] [notice] Digest: done
Digest authentication? It doesn't sound like you're using Basic
authentication.
> 127.0.0.1] /home/matthias/www/matthias/.htaccess: RewriteEngine not allowed
> here ...
You have Rewrite directives in your .htaccess file??
> [Wed Mar 16 22:48:38 2005] [notice] Apache-AdvancedExtranetServer/2.0.50
What is "Apache-AdvancedExtranetServer"?
--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.
| |
| Matthias Pospiech 2005-03-18, 2:48 am |
| Mxsmanic wrote:
> Matthias Pospiech writes:
>
>
> Yes, although .htaccess is already the default (so unless you've changed
> it, no problem).
>
>
> Remove the hypens.
Ok, but apache never complained.
>
>
> Digest authentication? It doesn't sound like you're using Basic
> authentication.
I have not the slightest idea!
For what should I search in the conf file for this ?
>
> You have Rewrite directives in your .htaccess file??
I use mod_rewrite in .htaccess in the root directory of the webpage.
It contents:
------------------
RewriteEngine on
RewriteRule ^stats/.*$ - [L]
RewriteRule ^admin/.*$ - [L]
RewriteRule ^myphpadmin/.*$ - [L]
RewriteRule ^download/.*$ - [L]
RewriteRule ^logfiles/.*$ - [L]
RewriteRule !\.(gif|jpg|png|css|php|pdf|zip)$ index.php
------------------
>
> What is "Apache-AdvancedExtranetServer"?
>
My installation is Mandrake 10.1 with the apache2 that is shipped with it.
No idea why they called it this.
If you want I can post the complete httpd.conf file. It does not matter in
terms of security because its only my personal server for testing webpages.
Matthias
--
www.matthiaspospiech.de
| |
| Matthias Pospiech 2005-03-18, 2:48 am |
| Mxsmanic wrote:
> Matthias Pospiech writes:
>
> Digest authentication? It doesn't sound like you're using Basic
> authentication.
Mybe because of:
LoadModule auth_digest_module modules/mod_auth_digest.so
though I have no idea what it does...
Matthias
--
www.matthiaspospiech.de
| |
| Mxsmanic 2005-03-19, 2:48 am |
| Matthias Pospiech writes:
> As I said in my new post, the same (no)effect happens on the public server,
> where I am not responsible for the apache.
> Therefore I would like to know whether what I do is possible in the way that
> I create the website anyway!
If you sniff the traffic between your browser and your server when you
try to access a protected area, what do you see? And what messages or
dialog boxes does the browser bring up (if any)?
--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.
| |
| Mxsmanic 2005-03-19, 7:47 am |
| Matthias Pospiech writes:
> How shall I do that ?
You need a program that can snap what's going over the wire, like Netmon
on Windows or tcpdump on UNIX.
--
Transpose hotmail and mxsmanic in my e-mail address to reach me directly.
|
|
|
|