Solved

.htaccess results in 404 error....

Posted on 2008-10-02
Last Modified: 2011-10-03
Probably glaringly obvious but I just can't seem to see it and it's been driving me nuts!

Trying to password protect a webserver directory with .htaccess/.htpasswd combination following a move to a new server.  As soon as the .htaccess file is present I get a 404 error.  Remove or rename the .htaccess and I can view the site.....

I have created the .htaccess and generated the .htpasswd file.

The .htaccess looks like this:

DirectoryIndex index.php
AuthType Basic
AuthName "Administration Page - Please Log In"
AuthUserFile /home/ruralcon/.htpasswd
<limit GET PUT POST>
require valid-user
</limit>

The working directory of the .htpasswd is /home/ruralcon

What am I doing wrong??  Any help would be massively appreciated, as this has taken up far too much of my morning already!!!


Question by:Roachy1979
14 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 22623741
Does Apache have read access to /home/ruralcon/.htpasswd?
0
 
LVL 14

Author Comment

by:Roachy1979
ID: 22623907
An ls -la shows permissions as...

-rw-rw-r--    1 ruralcon ruralcon    23 Oct  2 05:47 .htpasswd

0
 
LVL 14

Author Comment

by:Roachy1979
ID: 22623934
...and if I pwd from the root of the folder .htpasswd is in, it verifies:

/home/ruralcon
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22624225
You may want to  check Apache's logs to see if it shows anything.
0
 
LVL 14

Author Comment

by:Roachy1979
ID: 22625345
As it's a hosted server I don't have full access to the apache logs....just to the access logs....

I get this from the access logs....the HTTP GET request of the valid page, followed by the returned 404 error page:

[02/Oct/2008:05:47:39 -0500] "GET /admin HTTP/1.0" 302 - "-" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.3) Gecko/2008092510 Ubuntu/8.04 (hardy) Firefox/3.0.3"
[02/Oct/2008:05:47:40 -0500] "GET /error404/ HTTP/1.0" 200 2255 "-" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.3) Gecko/2008092510 Ubuntu/8.04 (hardy) Firefox/3.0.3"

Just to verify....to create the .htpasswd file I

1) SSH'd onto the server
2) htpasswd -c .htpasswd ruralcon
3) entered the password
4) navigated to the public_html/admin directory and created the .htaccess file above






0
 
LVL 57

Expert Comment

by:giltjr
ID: 22625505
Ah, a hosted service.

That could be a problem.  You may need to see if they document how to do this on their system.  I have run into problems attempting to do this on hosted servers.  Normally the issue is that Apache is set up in a way that it can't get to the directory you are putting the .htpasswd file in.

Instead of putting it in /home/ruralcon, can you try putting it someplace else, like public_html?

I know that when I did this on a hosted system once, they had a special directory for me to put the .htpasswd file in and that was the only place they supported putting it.  So you may need to contact the hosting company and see if they have the same requirements.
0
 
LVL 27

Assisted Solution

by:caterham_www
caterham_www earned 300 total points
ID: 22625877
> "GET /admin HTTP/1.0" 302 - "

That is a 302 redirect, not a native 404. Are there other .htaccess files esp. those containing directives like 'ErrorDocument' on higher levels?

Maybe an ErrorDocument 401 http://.... is causing a 302 redirect.
0
 
LVL 14

Author Comment

by:Roachy1979
ID: 22631954
Thanks for that....

@giltjr - that would make sense, as there is a .htpasswds folder that I didn't spot before at the root of public_html.  I've tried moving the .htpasswd file into here and altering the path in .htaccess and still the same error.

@caterham_www - not sure what I'm looking for in the other .htaccess files.  Could anything in the following cause the error?  

home/ruralcon

DirectoryIndex index.php
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ /home/ruralcon/public_html/index.php/$1 [L,QSA]

This worked on the old server but not with the new host... (site5.com)

Would files at a lower level also have an impact?  We also have a subdomain, crm, which runs vtigercrm which has a number of .htaccess files at different levels... the unix to these is home/ruralcon/public_html/crm/vtigercrm?  I assumed that these could not have an impact...

I've spoken to site5 support and from what they say, everything should be fine the way I've done it.....checked the site5 forums and checked against the most referred to article on how to do this on site5 (http://tips-scripts.com/protect)....



0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 100 total points
ID: 22633135
You need to check with the service provider to see if they require it to be in a specific place the would require a .htpasswd file.

Where do you have the Rewrite Rules?  If they are in your .htaccess file, try removing the password stuff from .htaccess and just leave the rewrite rules in place and see what happens.
0
 
LVL 27

Expert Comment

by:caterham_www
ID: 22633229
No, that should not cause a 302 redirect, but apache/mod_rewrite needs a URL-path (/index.php/$1) in directory context in order to proceed with an internal redirect. Your substitution specifies a full physical path (/home/ruralcon/public_html/index.php/$1); but anyway apache should be able to strip /home/ruralcon/public_html prior to proceeding.

> Would files at a lower level also have an impact?

Only if the request reaches those folders.

Anyway, what you can do is to check the HTTP headers, e.g. with http://web-sniffer.net
Watch out for the HTTP response header and esp. if there's a header like "powered by php" or so.

You may also try to put ErrorDocument 401 default into the same .htaccess:

DirectoryIndex index.php
AuthType Basic
AuthName "Administration Page - Please Log In"
AuthUserFile /home/ruralcon/.htpasswd
require valid-user
ErrorDocument 401 default


> <limit GET PUT POST>

Should HEAD requests be served w/o authentication?
0
 
LVL 14

Author Comment

by:Roachy1979
ID: 22634680
>Anyway, what you can do is to check the HTTP headers, e.g. with http://web-sniffer.net

This is the response to the HTTP request:

Name                                 Value      
HTTP Status Code:              HTTP/1.1 302 Found
Date:                                  Fri, 03 Oct 2008 14:43:10 GMT      
Server:                                  Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7a FrontPage/5.0.2.2635      
X-Powered-By:                          PHP/4.4.8      
Expires:                                  Thu, 19 Nov 1981 08:52:00 GMT      
Cache-Control:                   no-store, no-cache, must-revalidate, post-check=0, pre-check=0      
Pragma:                                  no-cache      
Set-Cookie:                          PHPSESSID=c190bfa62c27330aeb13f2cb084fd572; path=/      
Location:                                  http://www.mydomain.co.uk/error404/      
Content-Length:                  0      
Connection:                         close      
Content-Type:                     text/html      


>You may also try to put ErrorDocument 401 default into the same .htaccess:

Done - no change

>Should HEAD requests be served w/o authentication?

It doesn't really matter - as this is only a secure folder for a content management system....if anyone wants to look at a HEAD request they can do this on the unprotected www root....

>You need to check with the service provider to see if they require it to be in a specific place the would require a .htpasswd file.

Just waiting for a response from site5 now!

>Where do you have the Rewrite Rules?  If they are in your .htaccess file, try removing the password stuff from .htaccess and just leave the rewrite rules in place and see what happens.

The rewrite rules are in the unprotected www root.... would those have an impact on this?  They didn't on the old server...



0
 
LVL 27

Assisted Solution

by:caterham_www
caterham_www earned 300 total points
ID: 22635198
> X-Powered-By:                          PHP/4.4.8

Your request is being handled by a php script, which redirects to /error404/.
Usually
/.htaccess rewrite
/folder/.htaccess auth

should not have an impact, because the auth fixup hook is being processed before mod_rewrite's fixup hook. That means it is impossible to rewrite /folder/foo to /unprotected/foo in directory context with mod_rewrite without authentication, no matter if the directives mod_rewrite provides are stored in /.htaccess or /folder/.htaccess.

The module mod_auth_basic itself returns status codes HTTP 401 or HTTP 500 only, which as I said can result in a 302 with a custom ErrorDocument directive/setting. The request you made for testing purposes was a request for/to an existent file, right?

You may try to set the ErrorDocuments for 404, 403 and 500 to default, too, in order to rule out some sort of config error

ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 500 default

and request the resource via websniffer to see if there is still a 302 redirect. A missing or non-readable password file would result in an internal server error (HTTP 500) unless s/o modified the default source code prior to compiling.

0
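
Added example, not part of the thread and not code from any poster: a Python triage of a response head along the lines described in the comment above (a 401 or 500 when mod_auth_basic answered, a 302 when something else did). The function names, result labels and the X-Powered-By heuristic are assumptions of this example; the sample is the header dump posted earlier, trimmed to the fields used.

```python
import re

# Constructed sample: the response head posted in the thread, reduced to the fields used here.
THREAD_RESPONSE = """HTTP/1.1 302 Found
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7a FrontPage/5.0.2.2635
X-Powered-By: PHP/4.4.8
Location: http://www.mydomain.co.uk/error404/
Content-Length: 0
"""

def parse_head(raw):
    """Return (status_code, headers) from a raw HTTP response head; header names lowercased."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    match = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0]) if lines else None
    if not match:
        raise ValueError("missing HTTP status line")
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers

def triage(raw):
    """Classify what answered a request for a directory that should require Basic auth."""
    status, h = parse_head(raw)
    if status == 401:
        challenged = h.get("www-authenticate", "").lower().startswith("basic")
        return "auth-challenge" if challenged else "401-without-basic-challenge"
    if status == 500:
        return "server-error"          # thread: missing or unreadable password file
    if 300 <= status < 400 and "location" in h:
        # Heuristic (assumption): X-Powered-By means a script produced the redirect; its
        # absence fits a server-side redirect such as an ErrorDocument given as a full URL.
        return "redirect-by-script" if "x-powered-by" in h else "redirect-by-server"
    if 200 <= status < 300:
        return "served-without-auth"   # content returned with no challenge at all
    return "other"

def not_challenged(responses):
    """Given {method: raw response head}, list the methods that did not get a Basic challenge."""
    return sorted(m for m, raw in responses.items() if triage(raw) != "auth-challenge")
```

Anything other than "auth-challenge" for a path that is meant to be protected means the login prompt is not what the client is actually receiving, which is the situation in this thread.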
 
LVL 14

Author Comment

by:Roachy1979
ID: 22635338
Thanks for the quick reply!

Just to clarify, I now have:

DirectoryIndex index.php
AuthType Basic
AuthName "Administration Page - Please Log In"
AuthUserFile /home/ruralcon/.htpasswds/public_html/.htpasswd
require valid-user
ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 500 default

>The request you made for testing purposes was a request for/to an existent file, right?

Yup... just to be sure that it was picking up the correct file I put in the www.mydomain.com/admin/index.php this time

Still get the 302 error.....

HTTP Status Code: HTTP/1.1 302 Found

Thanks for all your help so far!
0
 
LVL 14

Accepted Solution

by:
Roachy1979 earned 0 total points
ID: 22864935
Well.......it's definitely a problem with the parent level .htaccess - rename that and authentication at lower levels works. Going to raise it with the site's designer to see what they suggest!

Thanks for all your help.....I've issued some points, but not all due to a lack of resolution...
0
