Solved

500 internal server error after setting .htaccess and .htpasswd

Posted on 2002-06-08
Last Modified: 2012-06-27
Hi experts,

I got "500 internal server error" after configuring files .htaccess and .htpasswd in my directory on a site from which I have some space to put my stuff.

The site displays the following:
"Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, blahblah(my email address on that site) and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log."



And the following is the site's instruction on how to PASSWORD PROTECT directories:
Yes you can. You can create usernames and passwords for directories using the 'htpasswd' command.

step 1: create a file called '.htaccess' in the directory you want to protect
AuthUserFILE /path/to/my/directory/.htpasswd
AuthGroupFILE /dev/null
AuthNAME "my protected files"
AuthTYPE Basic
require valid-user
<limit GET POST PUT>
order allow,deny
allow from all
</limit>

Step2: run the 'htpasswd' command, for the first time:
htpasswd -c .htpasswd myuser1
You will be prompted to enter a password for the new user. After this first user is created, you can then add additional users with:
htpasswd .htpasswd myuser2

Next, reference your site with a ~ style URL, for instance: http://blahblah.org/~username and NOT http://username.blahblah.org



OK, back to the problem I have.

I strictly followed these steps but still get the "500 internal server" error. I guess there must be something wrong with my configuration about .htaccess and .htpasswd...... if I remove these two files, everything's fine.

I don't think this is a very difficult problem to solve, but I just couldn't figure it out. Can someone out there give me a hand?
KEN

Question by:ken021600
 
LVL 15

Expert Comment

by:samri
ID: 7065224
ken,

First thing to look at is the server log, specifically the error_log file.


Try adding the following line;
"AuthAuthoritative  On"

So your .htaccess would look like;
----.htaccess

AuthUserFILE /path/to/my/directory/.htpasswd
AuthGroupFILE /dev/null
AuthNAME "my protected files"
AuthTYPE Basic
"AuthAuthoritative  On"

require valid-user
<limit GET POST PUT>
order allow,deny
allow from all
</limit>
-----------


Next, try removing (commenting out) the following; (I personally think that there is no problem with this directive).

<limit GET POST PUT>
order allow,deny
allow from all
</limit>

Some links that you might want to take a peek at;

http://httpd.apache.org/docs/howto/auth.html
http://httpd.apache.org/docs/misc/FAQ.html

Specific FAQ that might be related.
http://httpd.apache.org/docs/misc/FAQ.html#authauthoritative
0
 
LVL 15

Expert Comment

by:samri
ID: 7065227
Ken,

apologies,

you need to remove the quotes ("),

AuthUserFILE /path/to/my/directory/.htpasswd
AuthGroupFILE /dev/null
AuthNAME "my protected files"
AuthTYPE Basic
AuthAuthoritative  On

require valid-user
<limit GET POST PUT>
order allow,deny
allow from all
</limit>
0
 

Author Comment

by:ken021600
ID: 7065951
Hi Samri,

Nice to see you again! (I had a feeling that you'd "jump out" and give me a hand :))

Well, I've figured it out. The line "order allow,deny" should be--->order 'allow,deny', coz order takes only one parameter.

Anyway, you pointed out "AuthAuthoritative On", without which the authentication won't work. So I'll give you my points.

By the way, do you want to take a look at another question I posted? I'm not happy with the answers I got...
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=linux&qid=20308503

Thanks,
KEN
0
 
LVL 15

Expert Comment

by:samri
ID: 7066019
ken,

The Order directive looks ok, and should not have any quote around it.  If it works with ' (single quote), I'm really not sure.

First try to leave the Order allow,deny untouched, and just add the "AuthAuthoritative On".  That alone (I believe) should get the authentication to go through.

Back to the other Q.
I pretty much agree with psimation on the definition.

cheers.
0
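Added example, not part of any post in this thread: a small shell check for the two .htaccess mistakes discussed above, a directive line wrapped in double quotes and an Order line given more than one argument (for instance a space after the comma). Apache treats either as a syntax error and answers 500 for the directory. The function name lint_htaccess and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag two .htaccess mistakes from this thread that make
# Apache answer 500: a directive wrapped in double quotes, and Order given
# more than one argument (e.g. "order allow, deny").

# Prints "line N: problem" per finding; exit status 1 if anything was found.
lint_htaccess() {
    awk '
        /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
        /^[ \t]*"/ {                   # whole directive was put in quotes
            printf "line %d: directive starts with a quote: %s\n", NR, $0
            bad++; next
        }
        tolower($1) == "order" && NF != 2 {
            printf "line %d: Order takes exactly one argument, got %d: %s\n", NR, NF - 1, $0
            bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Demo on a constructed sample containing both mistakes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
AuthType Basic
"AuthAuthoritative  On"
require valid-user
<Limit GET POST PUT>
order allow, deny
allow from all
</Limit>
EOF
lint_htaccess "$sample" || echo "fix the lines above, then re-check error_log"
rm -f "$sample"
```

The server's error_log remains the authoritative source for the exact directive Apache rejected; this check only catches the two patterns named here.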
 

Author Comment

by:ken021600
ID: 7066079
K.

before finalizing this thread, just 2 very quick questions to ask:

1) It came to my attention that the mode setting of .htaccess and .htpasswd is important in terms of authentication. I just don't understand why the mode for .htpasswd should be 744... I think the .htaccess file will get username and password from the browser and it will compare them with that in the .htpasswd file. So I think this is all done on the server side. Why should we give all others the "r" bit? I tried to set it 700, but the password authentication just wouldn't work.

2) This is a little bit off the topic, but since this is a quick question, I would guess that you won't mind...
I downloaded the gpg package for Windows and decompressed it. Under DOS, I punched in "gpg" and I was told:
gpg:  c:/gnupg/secring.gpg:  keyring created
gpg:  c:/gnupg/pubring.gpg:  keyring created
gpg: go ahead and type your message...

I gave some keystrokes to my keyboard, thinking this is because gpg needs some random number. But it just didn't give me any output! I typed for a long time and nothing happened! I had a look at files secring.gpg and pubring.gpg---they have 0 bytes.

So what's going on? How much should I type? Or maybe I did it the wrong way?

Thanks,
KEN
0
 

Author Comment

by:ken021600
ID: 7066090
Sorry, I forgot to put the following down:

If the file .htpasswd has to be set to 744, then other users on the system could read it. And by copying the content of it and doing some algorithm tricks, they could figure out what the password is... is this a security issue?

Thanks,
KEN
0
 
LVL 15

Expert Comment

by:samri
ID: 7066189
Ken,

On the permission issue;  Remember that the webserver itself is running as a "user" on the system, and bearing that in mind, it has to somehow get proper access to the file.  Permission 744 (rwxr--r--), will give the creator - full access, group - read, and others - read.   It is closely related to who created the files in the first place.  In most cases, people tend to login as root (or su to root) for managing such files, and that is where the complication begins.  The permission 744 is needed since apache is running as apache, and the file is owned by root.

Consider the following two files;
-rwxr--r--         root   root   .htpasswd
-r-x------         apache apache .htpasswd1

File one has 744 permission

and for the second part; you could create the file and change ownership to allow only user apache, and/or group=apache to access the file to ensure that other users on the system do not have access to it.

Another approach is to create a separate folder just to store the passwd, and protect that folder.  One quick way to do is;

Create a folder, and give only 500 permission, and change the ownership to apache/apache (or whatever uid apache would be running).

gpg - hmm.. I never tried that.  Should anything good come up, I'll post it here.

cheers.
0
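Added example, not part of any post in this thread: a shell check that answers the question raised above from the mode bits alone, namely whether accounts other than the owner and group can read an .htpasswd file, taking into account the "separate protected folder" approach. The function names and the demo file are constructed; only the file and its immediate parent directory are examined.

```shell
#!/bin/sh
# Added example: decide from mode bits whether other local accounts can read
# an .htpasswd file. Checks the file and its immediate parent directory only.

# Octal permission bits of a path (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Prints findings; returns 0 if not exposed to "others", 1 if exposed,
# 2 if the file does not exist.
audit_htpasswd() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    fmode=$(file_mode "$f")
    dmode=$(file_mode "$(dirname "$f")")
    f_other=${fmode#"${fmode%?}"}   # last octal digit = bits for "others"
    d_other=${dmode#"${dmode%?}"}

    # A password file is data: execute bits (as in 744) serve no purpose.
    case $fmode in
        *[1357]*) echo "note: $f has execute bits set (mode $fmode)" ;;
    esac

    if [ $(( f_other & 4 )) -eq 0 ]; then
        echo "ok: $f is not readable by others (mode $fmode)"
        return 0
    fi
    # World-readable file, but a directory without search (x) permission for
    # others still blocks access: the "separate protected folder" approach.
    if [ $(( d_other & 1 )) -eq 0 ]; then
        echo "ok: $f is mode $fmode but its directory (mode $dmode) shuts others out"
        return 0
    fi
    echo "exposed: any local user can read the hashes in $f (mode $fmode)"
    return 1
}

# Demo on a constructed file (not a real password database).
demo_dir=$(mktemp -d)
: > "$demo_dir/.htpasswd"
chmod 755 "$demo_dir"
chmod 744 "$demo_dir/.htpasswd"; audit_htpasswd "$demo_dir/.htpasswd" || true
chmod 640 "$demo_dir/.htpasswd"; audit_htpasswd "$demo_dir/.htpasswd" || true
rm -rf "$demo_dir"
```

A mode such as 640 only works for authentication if the web server's user or group owns the file, which this check does not verify.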
 
LVL 15

Expert Comment

by:samri
ID: 7066200
ken,

Tried gpg the other day, got the same problem.  Tried again.  Yeah... something looks good..

You could get some help by doing "gpg --help".

Briefly,

1. You need to generate the key first; Do a "gpg --gen-key".  Answer a few questions, and try "gpg --list-keys".  At this point, you will have something

2. Sign the file; "gpg --sign <file>", the output will be "file.gpg";  The output file looks encrypted.

Still working on decrypting it. :(

This is as far as I got at the moment.



0
 
LVL 15

Expert Comment

by:samri
ID: 7066201
ken,

gpg --decrypt file.gpg > outfile.txt would reverse the enc.

The question now is; I don't even know where the PGP signature is.
0
 
LVL 15

Accepted Solution

by:
samri earned 50 total points
ID: 7066211
ken,

The README.W32 and FAQ are very informative.  I would recommend you take a look (as I am reading it now).

cheers.
0
 

Author Comment

by:ken021600
ID: 7068659
Thanks samri!

I appreciate your explanation of the mode-setting bit. As to gpg under Windows, don't worry about it. I'll take a look at the FAQ and README.WIN32...

see you next time,
KEN
0
