Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

.htaccess results in 404 error....

Posted on 2008-10-02
14
Medium Priority
?
491 Views
Last Modified: 2011-10-03
Probably glaringly obvious but I just can't seem to see it and it's been driving me nuts!

Trying to password protect a webserver directory with .htaccess/.htpasswd combination following a move to a new server.  As soon as the .htaccess file is present I get a 404 error.  Remove or rename the .htaccess and I can view the site.....

I have created the .htaccess and generated the .htpasswd file.

The .htaccess looks like this:

DirectoryIndex index.php
AuthType Basic
AuthName "Administration Page - Please Log In"
AuthUserFile /home/ruralcon/.htpasswd
<limit GET PUT POST>
require valid-user
</limit>

The working directory of the .htpasswd is /home/ruralcon

What am I doing wrong??  Any help would be massively appreciated, as this has taken up far too much of my morning already!!!


0
Comment
Question by:Roachy1979
  • 7
  • 4
  • 3
14 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 22623741
Does Apache have read access to /home/ruralcon/.htpasswd?
0
 
LVL 14

Author Comment

by:Roachy1979
ID: 22623907
An ls -la shows permissions as...

-rw-rw-r--    1 ruralcon ruralcon    23 Oct  2 05:47 .htpasswd

0
 
LVL 14

Author Comment

by:Roachy1979
ID: 22623934
...and if I pwd from the root of the folder .htpasswd is in, it verifies:

/home/ruralcon
0
Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

 
LVL 57

Expert Comment

by:giltjr
ID: 22624225
You may want to  check Apache's logs to see if it shows anything.
0
 
LVL 14

Author Comment

by:Roachy1979
ID: 22625345
As it's a hosted server I don't have full access to the apache logs....just to the access logs....

I get this from the access logs....the HTTP GET request of the valid page, followed by the returned 404 error page:

[02/Oct/2008:05:47:39 -0500] "GET /admin HTTP/1.0" 302 - "-" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.3) Gecko/2008092510 Ubuntu/8.04 (hardy) Firefox/3.0.3"
[02/Oct/2008:05:47:40 -0500] "GET /error404/ HTTP/1.0" 200 2255 "-" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.3) Gecko/2008092510 Ubuntu/8.04 (hardy) Firefox/3.0.3"

Just to verify....to create the .htpasswd file i

1) SSH'd onto the server
2) htpasswd -c .htpasswd ruralcon
3) entered the pasword
4) navigated to the public_html/admin directory and created the .htaccess file above






0
 
LVL 57

Expert Comment

by:giltjr
ID: 22625505
Ah, a hosted service.

That could be a problem.  You may need to see if they document how to do this on their system.  I have run into problems attempting to do this on hosted servers.  Normally the issue is that Apache is setup in a way that it can't get to the directory you are putting the .htpasswd file in.

Instead of putting in /home/ruralcon  can you try putting it someplace else, like public_html.

I know that when I did this on a hosted system once, they had a special directory for me to put the .htpasswd file in and that was the only place they supported putting it.  So you may need to contact the hosting company and see if they have the same requirements.
0
 
LVL 27

Assisted Solution

by:caterham_www
caterham_www earned 1200 total points
ID: 22625877
> "GET /admin HTTP/1.0" 302 - "

That is a 302 redirect, not a native 404. Are there other .htaccess files esp. those containing directives like 'ErrorDocument' on higher levels?

May be a
ErrorDocument 401 http://.... is causing a 302 redirect.
0
 
LVL 14

Author Comment

by:Roachy1979
ID: 22631954
Thanks for that....

@giltjr - that would make sense, as there is a .htpasswds folder that I didn't spot before at the root of public_html.  I've tried moving the .htpasswd file into here and altering the path in .htaccess and still the same error.

@caterham_www - not sure what I'm looking for in the other .htaccess files.  Could anything in the following cause the error?  

home/ruralcon

DirectoryIndex index.php
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ /home/ruralcon/public_html/index.php/$1 [L,QSA]

This worked on the old server but not with the new host... (site5.com)

Would files at a lower level also have an impact?  We also have a subdomain, crm, which runs vtigercrm which has a number of .htaccess files at different levels... the unix to these is home/ruralcon/public_html/crm/vtigercrm?  I assumed that these could not have an impact...

I've spoken to site5 support and from what they say, everything should be fine the way I've done it.....checked the site5 forums and checked against the most referred to article on how to do this on site5 (http://tips-scripts.com/protect)....



0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 400 total points
ID: 22633135
You need to check with the service provider to see if they require it to be in a specific place the would require a .htpasswd file.

Where do you have the Rewrite Rules?  If they are in your .htaccess file, try removing the password stuff from .htaccess and just leave the rewrite rules in place and see what happens.
0
 
LVL 27

Expert Comment

by:caterham_www
ID: 22633229
No, that should not cause a 302 redirect, but apache/mod_rewrite needs an URL-path (/index.php/$1) in directory context  in order to proceed with an internal redirect. Your substitution specifies a full physical path (/home/ruralcon/public_html/index.php/$1); but anyway apache should be able to strip /home/ruralcon/public_html prior proceeding.

> Would files at a lower level also have an impact?

Only if the request reaches those folders.

Anyway, what you can do is to check the HTTP headers, e.g. with http://web-sniffer.net
Watch out for the HTTP response hader and esp. if there's a hader like "powered by php"' or so.

You may also try to put ErrorDocument 401 default into the same .htaccess:

DirectoryIndex index.php
AuthType Basic
AuthName "Administration Page - Please Log In"
AuthUserFile /home/ruralcon/.htpasswd
require valid-user
ErrorDocument 401 default


> <limit GET PUT POST>

Should HEAD requests being served w/o authentication?
0
 
LVL 14

Author Comment

by:Roachy1979
ID: 22634680
>Anyway, what you can do is to check the HTTP headers, e.g. with http://web-sniffer.net

This is the response to the HTTP request:

Name                                 Value      
HTTP Status Code:              HTTP/1.1 302 Found
Date:                                  Fri, 03 Oct 2008 14:43:10 GMT      
Server:                                  Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7a FrontPage/5.0.2.2635      
X-Powered-By:                          PHP/4.4.8      
Expires:                                  Thu, 19 Nov 1981 08:52:00 GMT      
Cache-Control:                   n o-store, no-cache, must-revalidate, post-check=0, pre-check=0      
Pragma:                                  no-cache      
Set-Cookie:                          PHPSESSID=c190bfa62c27330aeb13f2cb084fd572; path=/      
Location:                                  http://www.mydomain.co.uk/error404/      
Content-Length:                  0      
Connection:                         close      
Content-Type:                     text/html      


>You may also try to put ErrorDocument 401 default into the same .htaccess:

Done - no change

>Should HEAD requests being served w/o authentication?

It doesn't really matter - as this is only a secure folder for a content management system....if anyone wants to look at a HEAD request they can do this on the unprotected www root....

>You need to check with the service provider to see if they require it to be in a specific place the would require a .htpasswd file.

Just waiting for a response from site5 now!

>Where do you have the Rewrite Rules?  If they are in your .htaccess file, try removing the password stuff from .htaccess and just leave the rewrite rules in place and see what happens.

The rewrite rules are in the unprotected www root.... would those have an impact on this?  They didn't on the old server...



0
 
LVL 27

Assisted Solution

by:caterham_www
caterham_www earned 1200 total points
ID: 22635198
> X-Powered-By:                          PHP/4.4.8

Your request is being handled by a php script, which redirects to /error404/.
Usually
/.htaccess rewrite
/folder/.htaccess auth

should not have an impact, because the auth fixup hook is being processed before mod_rewrite's fixup hook. That means it is impossible to rewrite /folder/foo to /unprotected/foo in directory context with mod_rewrite without authentication, no matter if the directives mod_rewrite provides are stored in /.htaccess or /folder/.htaccess.

The modules mod_auth_basic itself returns status codes HTTP 401 or HTTP 500 only, which as I said can result into a 302 with a custom ErrorDocument directive/setting. The request you made for testing purposes was a request for/to an existent file, right?

You may try to set the ErrorDocuments for 404, 403 and 500 to default, too, in order to rule out some sort of config error

ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 500 default

and request the resource via websniffer to see if there is still a 302 redirect. A missing or non-readable password file would result in an internal server error (HTTP 500) unless s/o modified the default source code prior compiling.

0
 
LVL 14

Author Comment

by:Roachy1979
ID: 22635338
Thanks for the quick reply!

Just to clarify, I now have:

DirectoryIndex index.php
AuthType Basic
AuthName "Administration Page - Please Log In"
AuthUserFile /home/ruralcon/.htpasswds/public_html/.htpasswd
require valid-user
ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 500 default

>The request you made for testing purposes was a request for/to an existent file, right?

Yup... just to be sure that it was picking up the correct file I put in the www.mydomain.com/admin/index.php this time

Still get the 302 error.....

HTTP Status Code: HTTP/1.1 302 Found

Thanks for all your help so far!
0
 
LVL 14

Accepted Solution

by:
Roachy1979 earned 0 total points
ID: 22864935
Well.......it's definitely a problem with the parent level .htaccess - rename that and authenitication at lower levels works. Going to raise it with the sites designer to see what they suggest!

Thanks for all your help.....I've issued some points, but not all due to a lack of resolution...
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article was originally published on Monitis Blog, you can check it here . Today it’s fairly well known that high-performing websites and applications bring in more visitors, higher SEO, and ultimately more sales. By the same token, downtime…
Without even knowing it, most of us are using web applications on a daily basis.  In fact, Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We generally confuse these web applications to…
Use Wufoo, an online form creation tool, to make powerful forms. Learn how to choose which pages of your form are visible to your users based on their inputs. The page rules feature provides you with an opportunity to create if:then statements for y…
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.
Suggested Courses

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question