Solved

500 internal server error after setting .htaccess and .htpasswd

Posted on 2002-06-08
Last Modified: 2012-06-27
Hi experts,

I got "500 internal server error" after configuring files .htaccess and .htpasswd in my directory on a site from which I have some space to put my stuff.

The site displays the following:
"Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, blahblah(my email address on that site) and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log."



And the following is the site's instruction on how to PASSWORD PROTECT directories:
yes you can. you can create usernames and passwords for directories using the 'htpasswd' command.

step 1: create a file called '.htaccess' in the directory you want to protect
AuthUserFILE /path/to/my/directory/.htpasswd
AuthGroupFILE /dev/null
AuthNAME "my protected files"
AuthTYPE Basic
require valid-user
<limit GET POST PUT>
order allow,deny
allow from all
</limit>

Step2: run the 'htpasswd' command, for the first time:
htpasswd -c .htpasswd myuser1
you will be prompted to enter a password for the new user. After this first user is created, you can then add additional users with:
htpasswd .htpasswd myuser2

next, reference your site with a ~ style URL, for instance: http://blahblah.org/~username and NOT http://username.blahblah.org



OK, back to the problem I have.

I strictly followed these steps but still get the "500 internal server" error. I guess there must be something wrong with my configuration about .htaccess and .htpasswd...... if I removed these two files, everything's fine.

I don't think this is a very difficult problem to solve, but I just couldn't figure it out. Can someone out there give me a hand?
KEN

Question by:ken021600
11 Comments
 
LVL 15

Expert Comment

by:samri
ken,

First thing to look is the server log, specifically the error_log file.  


Try adding the following line;
"AuthAuthoritative  On"

So your .htaccess would look like;
----.htaccess

AuthUserFILE /path/to/my/directory/.htpasswd
AuthGroupFILE /dev/null
AuthNAME "my protected files"
AuthTYPE Basic
"AuthAuthoritative  On"

require valid-user
<limit GET POST PUT>
order allow,deny
allow from all
</limit>
-----------


Next, try removing (commenting out) the following (I personally think that there is no problem with this directive):

<limit GET POST PUT>
order allow,deny
allow from all
</limit>

Some links that you might want to take a peek;

http://httpd.apache.org/docs/howto/auth.html
http://httpd.apache.org/docs/misc/FAQ.html

Specific FAQ that might be related.
http://httpd.apache.org/docs/misc/FAQ.html#authauthoritative
 
LVL 15

Expert Comment

by:samri
Ken,

apology,

you need to remove the quote ("),

AuthUserFILE /path/to/my/directory/.htpasswd
AuthGroupFILE /dev/null
AuthNAME "my protected files"
AuthTYPE Basic
AuthAuthoritative  On

require valid-user
<limit GET POST PUT>
order allow,deny
allow from all
</limit>
 

Author Comment

by:ken021600
Hi Samri,

Nice to see you again! (I had a feeling that you'd "jump out" and give me a hand :))

Well, I've figured it out. The line "order allow,deny" should be--->order 'allow,deny', coz order takes only one parameter.

Anyway, you pointed out "AuthAuthoritative On", without which the authentication won't work. So I'll give you my points.

By the way, do you want to take a look at another question I posted? I'm not happy with the answers I got...
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=linux&qid=20308503

Thanks,
KEN
 
LVL 15

Expert Comment

by:samri
ken,

the Order directive looks ok, and should not have any quote around it.  If it works with ' (single quote), I'm really not sure.  

First try to leave the Order allow,deny untouched, and just add the "AuthAuthoritative On".  That alone (I believe) should get the authentication to go through.

Back to the other Q.
 I pretty much agree with psimation's on the definition.

cheers.
 

Author Comment

by:ken021600
K.

Before finalizing this thread, just 2 very quick questions to ask:

1) It came to my attention that the mode setting of .htaccess and .htpasswd is important in terms of authentication. I just don't understand why the mode for .htpasswd should be 744... I think the .htaccess file will get the username and password from the browser and it will compare them with those in the .htpasswd file. So I think this is all done on the server side. Why should we give all others the "r" bit? I tried to set it to 700, but the password authentication just wouldn't work.

2) This is a little bit off the topic, but since this is a quick question, I would guess that you won't mind...
I downloaded the gpg package for Windows and decompressed it. Under DOS, I punched in "gpg" and I was told:
gpg:  c:/gnupg/secring.gpg:  keyring created
gpg:  c:/gnupg/pubring.gpg:  keyring created
gpg: go ahead and type your message...

I gave some keystrokes to my keyboard, thinking this is because gpg needs some random numbers. But it just didn't give me any output! I typed for a long time and nothing happened! I had a look at files secring.gpg and pubring.gpg---they have 0 bytes.

So what's going on? How much should I type? Or maybe I did it the wrong way?

Thanks,
KEN

Author Comment

by:ken021600
Sorry, I forgot to put the following down:

If the file .htpasswd has to be set to 744, then other users on the system could read it. And by copying the content of it and doing some algorithm tricks, they could figure out what the password is... is this a security issue?

Thanks,
KEN
 
LVL 15

Expert Comment

by:samri
Ken,

On the permission issue;  Remember that the webserver itself is running as a "user" on the system, and bearing that in mind, it has to somehow get proper access to the file.  Permission 744 (rwxr--r--), will give the creator - full access, group - read, and others - read.   It is closely related to who created the files in the first place.  In most cases, people tend to login as root (or su to root) for managing such files, and that is where the complication begins.  The permission 744 is needed since apache is running as apache, and the file is owned by root.

Consider the following two files;
-rwxr--r--         root   root   .htpasswd
-r-x------         apache apache .htpasswd1

File one has 744 permission

And for the second part; you could create the file and change ownership to allow only user apache, and/or group=apache to access the file to ensure that other users on the system do not have access to it.

Another approach is to create a separate folder just to store the passwd, and protect that folder.  One quick way to do is;

Create a folder, and give only 500 permission, and change the ownership to apache/apache (or whatever uid apache would be running).

gpg - hmm.. I never tried that.  Should anything good come up, I'll post it here.

cheers.
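The ownership approach described in the comment above, as an added example that is not part of the original thread: it checks whether a password file grants any access to "other" users and then tightens it to 640 with a chosen group. It assumes GNU `stat`; the function names are hypothetical, and the demo uses the current user's own group as a stand-in for the group the web server runs as.

```shell
#!/bin/sh
# Added example: audit and tighten .htpasswd permissions.
# Assumes GNU stat (Linux). The group passed to harden_htpasswd
# (e.g. "apache") is an assumption; use the group your httpd runs as.

# Print the octal mode of a file, e.g. 744.
file_mode() {
    stat -c '%a' "$1"
}

# Return 0 if "other" users have no access at all, 1 if they do.
# Prints a one-word verdict so the result can be logged.
audit_htpasswd() {
    mode=$(file_mode "$1") || return 2
    other=$((mode % 10))            # last octal digit = "other" bits
    if [ "$other" -ne 0 ]; then
        echo "world-accessible"
        return 1
    fi
    echo "restricted"
    return 0
}

# Hand the file to group $2 read-only and drop all "other" access:
# owner rw-, group r--, other --- (640).
harden_htpasswd() {
    chgrp "$2" "$1" && chmod 640 "$1"
}

# Demo on a constructed file in a temp directory (not a real password file).
demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/.htpasswd"
    printf 'myuser1:constructed-hash-placeholder\n' > "$f"
    chmod 744 "$f"
    echo "before: $(file_mode "$f") $(audit_htpasswd "$f")"
    harden_htpasswd "$f" "$(id -g)"   # stand-in for the web server's group
    echo "after:  $(file_mode "$f") $(audit_htpasswd "$f")"
    rm -rf "$dir"
}

demo
```

On a real server the `chgrp` step normally needs root, and the web server user also needs search (x) permission on every directory leading to the file.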
 
LVL 15

Expert Comment

by:samri
ken,

Tried gpg the other day, got the same problem.  Tried again.  Yeah... something looks good..

You could get some help by doing "gpg --help".

Briefly,

1. You need to generate the key first; Do a "gpg --gen-key".  Answer a few questions, and try "gpg --list-keys".  At the point, you will have something

2. Sign the file; "gpg --sign <file>", the output will be "file.gpg";  That output file looks encrypted.

Still working on decrypting it. :(

This is as far as I got at the moment.



 
LVL 15

Expert Comment

by:samri
ken,

gpg --decrypt file.gpg > outfile.txt would reverse the enc.

The question now is; I don't even know where the PGP signature is.
 
LVL 15

Accepted Solution

by:
samri earned 50 total points
ken,

The README.W32 and FAQ are very informative.  I would recommend you take a look (as I am reading it now).

cheers.
 

Author Comment

by:ken021600
Thanks samri!

I appreciate your explanation of the mode-setting bit. As to gpg under Windows, don't worry about it. I'll take a look at the FAQ and README.WIN32...

see you next time,
KEN