• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 599
  • Last Modified:

Root directory protected via basic auth, thus 401 error document can't be displayed

In my httpd.conf file, under one of my virtual hosts, I have the / directory password protected using http basic auth. If a user doesn't enter a valid username/password combo, I would like to display a custom error document to them, telling them to signup to my site. Unfortunately when using "ErrorDocument 401 /noaccess.html" the noaccess.html (according to my error.log file) must be a file accessible via the current virtual host.

Since the / directory is protected, and /noaccess.html is within that directory it is also protected and I just receive Apache's standard 401 error, with an additional message on the bottom saying the 401 page is also returning 401.

Here is the (relevant) config:

<Virtualhost my.hostname.com>
   <Location />
      PerlAuthenHandler Apache::SecureCheck
       AuthType Basic
       AuthName MyDomain
      require valid-user
   <Location /noaccess.html>
        allow from all
   ErrorDocument 401 /noaccess.html

I have shuffled around the order of the two <Location> blocks and the Error 401 tag, with no luck.

Also, if possible, i'd like to have noaccess.html located on a different virtual host, or even in a non-web accessible directory. Currently I am hoping to accomplish this via

Alias /noaccess.html /home/me/noaccess.html

However, I have tried removing the alias command, and using an actual file with no luck displaying the noaccess.html file.

4 Solutions
Put the following .htaccess file:

ErrorDocument 401  /noaccess.html

also have a look at the answer in:
or you can defined it in your main server config file httpd.conf:

ErrorDocument 401 /Subscription/how_to_subscribe.html

For more details:
Tutorial + error codes:
I think what he's saying, yuzh, is that he's password protected the entire site - they can't get the 403 or 401 page without entering a name and password.

I would suggest putting the entire site in a password protected subdirectory, and only have the 401, 404, and 403 documents in the root directory...
i am not sure, but put a files directive in your conf file,

<files your4040file.html>
order allow, deny
allow from all
satisfy any

I haven't tried it, but this should do the trick. I am not sure in which order the authorization works, so maybe you will have to put your error files in a subdirecotry and use directory directives, like

<directory directory_for_error_files>
order allow, deny
allow from all
satisfy any
GeG 100% correct.

allow from all  <--- Would normally grant access
satisfy any

The "satisfy any" is the piece that tells apache that you will accept the previous require "user, group, etc." or you will accept based on mod_access.  This is a configuration that I have on a few sites.

Suggestion is that if you have more than one custom error document then you might consider putting them in a directory and using the one of the directory configurations (directory, location, etc.) or name the files similar where you can do a filesmatch.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now