Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 8903
  • Last Modified:

500 internal server error after setting .htaccess and .htpasswd

Hi experts,

I got "500 internal server error" after configuring files .htaccess and .htpasswd in my directory on a site from which i have some space to put my stuff.

The site displays the following:
"Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, blahblah(my email address on that site) and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log."



And followed is the site's instruction on how to PASSWORD PROTECT directories:
yes you can. you can create usernames and passwrods for directories using the 'htpasswd' command.

step 1: create a file called '.htaccess' in the directory you want to protect
AuthUserFILE /path/to/my/directory/.htpasswd
AuthGroupFILE /dev/null
AuthNAME "my protected files"
AuthTYPE Basic
require valid-user
<limit GET POST PUT>
order allow,deny
allow from all
</limit>

Step2: run the 'htpasswd' command, for the first time:
htpasswd -c .htpasswd myuser1
you will be prompted to enter a password for the new user. After theis first user is created, you can then add additional users with:
htpasswd .htpasswd myuser2

next, reference your site with a ~ style URL, for instance: http://blahblah.org/~username and NOT http://username.blahblah.org



OK back to the problem i have.

I strictly followed these steps but still get the "500 internal server" error. I guess there must be something wrong with my configuration about .htaccess and .htpasswd...... if i removed these two files, everything's fine.

I don't think this is a very difficult problem to solve, but i just couldn't figure it out. Can someone out there give me a hand?
KEN

0
ken021600
Asked:
ken021600
  • 7
  • 4
1 Solution
 
samriCommented:
ken,

First thing to look is the server log, specifically the error_log file.  


Try adding the following line;
"AuthAuthoritative  On"

So you .htaccess would look like;
----.htaccesss

AuthUserFILE /path/to/my/directory/.htpasswd
AuthGroupFILE /dev/null
AuthNAME "my protected files"
AuthTYPE Basic
"AuthAuthoritative  On"

require valid-user
<limit GET POST PUT>
order allow,deny
allow from all
</limit>
-----------


Next, try removing (commenting out, the;  (I personally think that there is no problem with this directive)).

<limit GET POST PUT>
order allow,deny
allow from all
</limit>

Some links that you might want to take a peek;

http://httpd.apache.org/docs/howto/auth.html
http://httpd.apache.org/docs/misc/FAQ.html

Specific FAQ that might be related.
http://httpd.apache.org/docs/misc/FAQ.html#authauthoritative
0
 
samriCommented:
Ken,

apology,

you need to remove the quote ("),

AuthUserFILE /path/to/my/directory/.htpasswd
AuthGroupFILE /dev/null
AuthNAME "my protected files"
AuthTYPE Basic
AuthAuthoritative  On

require valid-user
<limit GET POST PUT>
order allow,deny
allow from all
</limit>
0
 
ken021600Author Commented:
Hi Samri,

Nice to see you again! (I had a feeling that you'd "jump out" and give me a hand :))

Well, i've figured it out. the line "order allow,deny" should be--->order 'allow,deny', coz order takes only one parameter.

anyway, you pointed out "AuthAuthoritative On", without which the authentication won't work. so i'll give you my points.

by the way, do you want to take a look at another question i posted? I'm not happy with the answers i got...
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=linux&qid=20308503

Thanks,
KEN
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
samriCommented:
ken,

the Order directive looks ok, and should not have any quote around it.  If it works with ' (single quote), I'm really not sure.  

First try to leave the Order allow,deny untouch, and just add the "AuthAuthoritative On".  That alone (i believe) should get the authentication goes thru.

Back to the other Q.
 I am pretty much agree with psimation's. on the definition.

cheers.
0
 
ken021600Author Commented:
K.

before finalizing this thread, just 2 very quick questions to ask:

1) it came to my attention that the mode setting of .htaccess and .htpasswd is important in terms of authentication. i just don't understand the mode for .htpasswd should be 744... i think the .htaccess file will get username and password from the browser and it will compare them with that in the .htpasswd file. so i think this is all done on the server side. why should we give all others the "r" bit? i tried to set it 700, but the password authentication just wouldn't work.

2) this is a little bit off the topic. but since this is a quick question, i would guess that you won't mind...
i downloaded the gpg package for windows and decompressed it. under DOS, i punched in "gpg" and i was told:
gpg:  c:/gnupg/secring.gpg:  keyring created
gpg:  c:/gnupg/pubring.gpg:  keyring created
gpg: go ahead and type your message...

i gave some keystrokes to my keyboard, thinking this is because gpg need some random number. but it just didn't give me any output! i typed for a long time and nothing happened! i had a look at files secring.gpg and pubring.gpg---they have 0 bytes.

so what's going on? how much should i type? or maybe i did it the wrong way?

Thanks,
KEN
0
 
ken021600Author Commented:
sorry i forgot to put the following down:

if the files .htpasswd has to be set 744, then other users on the system could read it. and by copying the content of it and doing some algorithm tricks, they could figure out what the password is... is this a security issue?

Thanks,
KEN
0
 
samriCommented:
Ken,

On the permission issue;  Remember that the webserver itself is running as a "user" on the system, and bearing that in mind, it has to somehow get proper access to the file.  Permission 744 (rwxr--r--), will give the creator - full access, group - read, and others - read.   It is closely related to who created the files at the first place.  In most cases, people tend to login as root (or su to root) for managig such files, and that is where the complication begins.  The permission 744 is needed since apache is running as apache, and the file is owned by root.

Consider the following two files;
-rwxr--r--         root   root   .htpasswd
-r-x------         apache apache .htpasswd1

File one has 744 permission

and for the second parts; you could create the file and changes ownership to allow only user apache, and/or group=apache to access the file to ensure that other users on the system does not have access to it.

Another approach is to create a separate folder just to store the passwd, and protect that folder.  One quick way to do is;

Create a folder, and give only 500 permission, and change the ownership to apache/apache (or whatever uid apache would be running).

gpg - hmm.. i never tried that.  should anything good comes up, I 'll post it here.

cheers.
0
 
samriCommented:
ken,

tried gpg the other day, got the same problem.  try again.  Yeah... something look goods..

You could get some help by doing "gpg --help".

Briefly,

1. You need to generate the key first; Do a "gpg --gen-key".  Answer a few question, and try "gpg --list-keys".  At the point, you will have something

2. Sign the file; "gpg --sign <file>", the output fill be "file.gpg";  Tht output file looks ecrypted.

Still woking on decrypting it. :(

This is as far as I got at the moment.



0
 
samriCommented:
ken,

gpg --decyrpt file.gpg > outfile.txt would reverse the enc.

The question now is; I doesn't event know where is the PGP signature.
0
 
samriCommented:
ken,

the README.W32, and FAQ is very informative.  I would recoomend you to take a look (as I am reading it now).

cheers.
0
 
ken021600Author Commented:
Thanks samri!

I appreciate your explanation to the mode-setting bit. As to  gpg under windows, don't worry about it. i'll take a look at the FAQ and README.WIN32...

see you next time,
KEN
0

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

  • 7
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now