ken021600 asked:

500 internal server error after setting .htaccess and .htpasswd

Hi experts,

I got "500 internal server error" after configuring the files .htaccess and .htpasswd in my directory on a site on which I have some space to put my stuff.

The site displays the following:
"Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, blahblah(my email address on that site) and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log."



And the following is the site's instruction on how to PASSWORD PROTECT directories:
Yes you can. You can create usernames and passwords for directories using the 'htpasswd' command.

Step 1: create a file called '.htaccess' in the directory you want to protect
AuthUserFILE /path/to/my/directory/.htpasswd
AuthGroupFILE /dev/null
AuthNAME "my protected files"
AuthTYPE Basic
require valid-user
<limit GET POST PUT>
order allow,deny
allow from all
</limit>

Step 2: run the 'htpasswd' command, for the first time:
htpasswd -c .htpasswd myuser1
You will be prompted to enter a password for the new user. After this first user is created, you can then add additional users with:
htpasswd .htpasswd myuser2

Next, reference your site with a ~ style URL, for instance: http://blahblah.org/~username and NOT http://username.blahblah.org



OK, back to the problem I have.

I strictly followed these steps but still get the "500 internal server" error. I guess there must be something wrong with my configuration of .htaccess and .htpasswd... If I remove these two files, everything's fine.

I don't think this is a very difficult problem to solve, but I just couldn't figure it out. Can someone out there give me a hand?
KEN

samri

ken,

The first thing to look at is the server log, specifically the error_log file.

Try adding the following line:
"AuthAuthoritative  On"

So your .htaccess would look like:
----.htaccess

AuthUserFILE /path/to/my/directory/.htpasswd
AuthGroupFILE /dev/null
AuthNAME "my protected files"
AuthTYPE Basic
"AuthAuthoritative  On"

require valid-user
<limit GET POST PUT>
order allow,deny
allow from all
</limit>
-----------


Next, try removing (commenting out) the following (I personally think that there is no problem with this directive):

<limit GET POST PUT>
order allow,deny
allow from all
</limit>

Some links that you might want to take a peek at:

http://httpd.apache.org/docs/howto/auth.html
http://httpd.apache.org/docs/misc/FAQ.html

Specific FAQ that might be related.
http://httpd.apache.org/docs/misc/FAQ.html#authauthoritative

Ken,

Apologies,

you need to remove the quotes ("):

AuthUserFILE /path/to/my/directory/.htpasswd
AuthGroupFILE /dev/null
AuthNAME "my protected files"
AuthTYPE Basic
AuthAuthoritative  On

require valid-user
<limit GET POST PUT>
order allow,deny
allow from all
</limit>

ken021600 (ASKER)

Hi Samri,

Nice to see you again! (I had a feeling that you'd "jump out" and give me a hand :))

Well, I've figured it out. The line "order allow,deny" should be ---> order 'allow,deny', coz order takes only one parameter.

Anyway, you pointed out "AuthAuthoritative On", without which the authentication won't work. So I'll give you my points.

By the way, do you want to take a look at another question I posted? I'm not happy with the answers I got...
https://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=linux&qid=20308503

Thanks,
KEN

ken,

The Order directive looks ok, and should not have any quotes around it. If it works with ' (single quote), I'm really not sure.

First try to leave the Order allow,deny untouched, and just add the "AuthAuthoritative On". That alone (I believe) should get the authentication to go through.

Back to the other Q.
I pretty much agree with psimation's on the definition.

cheers.
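
An added example, not part of the thread and not an Apache tool: a small shell check for the two syntax slips discussed above, a directive wrapped in double quotes and an Order line that does not have exactly one argument. The function name `lint_htaccess` and the sample file are constructed for illustration; the server's error_log remains the authoritative source for the real cause of a 500.

```shell
#!/bin/sh
# lint_htaccess FILE
# Prints one finding per line and returns 1 if anything was flagged.
lint_htaccess() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        line = $0
        gsub(/^[ \t]+|[ \t]+$/, "", line)    # trim leading/trailing blanks
        # A line that starts with a double quote is parsed as one
        # (unknown) directive name, e.g. "AuthAuthoritative  On".
        if (line ~ /^"/) {
            printf "line %d: directive wrapped in quotes\n", NR
            bad = 1; next
        }
        if (line ~ /^<\//) { depth--; next }  # closing tag such as </limit>
        if (line ~ /^</)   { depth++; next }  # opening tag such as <limit GET>
        n = split(line, word, /[ \t]+/)
        # Order takes exactly one argument; "allow, deny" is two.
        if (tolower(word[1]) == "order" && n != 2) {
            printf "line %d: Order needs exactly one argument\n", NR
            bad = 1
        }
    }
    END {
        if (depth != 0) { print "unbalanced section tags"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample: the file from the thread with the quoted directive
# left in and a space added after the comma on the Order line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
AuthUserFILE /path/to/my/directory/.htpasswd
AuthGroupFILE /dev/null
AuthNAME "my protected files"
AuthTYPE Basic
"AuthAuthoritative  On"
require valid-user
<limit GET POST PUT>
order allow, deny
allow from all
</limit>
EOF
lint_htaccess "$sample" || echo "fix the flagged lines before uploading"
```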
K.

Before finalizing this thread, just 2 very quick questions to ask:

1) It came to my attention that the mode setting of .htaccess and .htpasswd is important in terms of authentication. I just don't understand why the mode for .htpasswd should be 744... I think the .htaccess file will get the username and password from the browser and it will compare them with those in the .htpasswd file. So I think this is all done on the server side. Why should we give all others the "r" bit? I tried to set it to 700, but the password authentication just wouldn't work.

2) This is a little bit off the topic, but since this is a quick question, I would guess that you won't mind...
I downloaded the gpg package for Windows and decompressed it. Under DOS, I punched in "gpg" and I was told:
gpg:  c:/gnupg/secring.gpg:  keyring created
gpg:  c:/gnupg/pubring.gpg:  keyring created
gpg: go ahead and type your message...

I gave some keystrokes to my keyboard, thinking this is because gpg needs some random numbers. But it just didn't give me any output! I typed for a long time and nothing happened! I had a look at the files secring.gpg and pubring.gpg---they have 0 bytes.

So what's going on? How much should I type? Or maybe I did it the wrong way?

Thanks,
KEN

Sorry, I forgot to put the following down:

If the file .htpasswd has to be set to 744, then other users on the system could read it. And by copying the content of it and doing some algorithm tricks, they could figure out what the password is... Is this a security issue?

Thanks,
KEN

Ken,

On the permission issue: remember that the webserver itself is running as a "user" on the system, and bearing that in mind, it has to somehow get proper access to the file. Permission 744 (rwxr--r--) will give the creator full access, group read, and others read. It is closely related to who created the files in the first place. In most cases, people tend to log in as root (or su to root) for managing such files, and that is where the complication begins. The permission 744 is needed since apache is running as apache, and the file is owned by root.

Consider the following two files;
-rwxr--r--         root   root   .htpasswd
-r-x------         apache apache .htpasswd1

File one has 744 permission

And for the second part: you could create the file and change its ownership to allow only user apache, and/or group=apache, to access the file, to ensure that other users on the system do not have access to it.

Another approach is to create a separate folder just to store the passwd, and protect that folder. One quick way to do it is:

Create a folder, give it only 500 permission, and change the ownership to apache/apache (or whatever uid apache would be running as).

gpg - hmm.. I never tried that. Should anything good come up, I'll post it here.

cheers.
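
An added example, not part of the thread: a shell check for the two concerns raised above, a password file readable by every local user and entries stored in a scheme that the htpasswd documentation labels insecure (crypt, unsalted SHA-1, plain text). The function name `audit_htpasswd`, the sample users and the hash strings are constructed placeholders.

```shell
#!/bin/sh
# audit_htpasswd FILE
# Prints findings; returns 1 if the file is world-readable or holds a weak entry.
audit_htpasswd() {
    f=$1; rc=0
    # -perm -004 matches when the "other" read bit is set (744, 644, ...).
    if [ -n "$(find "$f" -prune -perm -004)" ]; then
        echo "mode: readable by every local user"; rc=1
    fi
    # Each line is user:hash; the hash prefix identifies the scheme.
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        case $hash in
            '$2y$'*|'$apr1$'*) ;;              # bcrypt, salted MD5 (apr1)
            '{SHA}'*) echo "$user: unsalted SHA-1"; rc=1 ;;
            *) echo "$user: crypt() or plain text"; rc=1 ;;
        esac
    done < "$f"
    return $rc
}

# Constructed sample: mode 744 as in the thread, placeholder hash strings.
pw=$(mktemp)
cat > "$pw" <<'EOF'
myuser1:$apr1$PLACEHLD$constructedNotARealHash000
myuser2:{SHA}constructedNotARealDigest0000=
myuser3:$2y$05$constructedNotARealBcryptHashValue
EOF
chmod 744 "$pw"
audit_htpasswd "$pw" || echo "restrict the file to the web server account and re-hash weak entries"
```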

ken,

Tried gpg the other day, got the same problem. Try again. Yeah... something looks good..

You could get some help by doing "gpg --help".

Briefly,

1. You need to generate the key first; do a "gpg --gen-key". Answer a few questions, and try "gpg --list-keys". At the point, you will have something

2. Sign the file; "gpg --sign <file>", the output will be "file.gpg". The output file looks encrypted.

Still working on decrypting it. :(

This is as far as I got at the moment.



ken,

gpg --decrypt file.gpg > outfile.txt would reverse the enc.

The question now is: I don't even know where the PGP signature is.
Thanks samri!

I appreciate your explanation of the mode-setting bit. As to gpg under Windows, don't worry about it. I'll take a look at the FAQ and README.WIN32...

See you next time,
KEN