.htaccess results in 404 error....

Probably glaringly obvious but I just can't seem to see it and it's been driving me nuts!

Trying to password protect a webserver directory with .htaccess/.htpasswd combination following a move to a new server.  As soon as the .htaccess file is present I get a 404 error.  Remove or rename the .htaccess and I can view the site.....

I have created the .htaccess and generated the .htpasswd file.

The .htaccess looks like this:

DirectoryIndex index.php
AuthType Basic
AuthName "Administration Page - Please Log In"
AuthUserFile /home/ruralcon/.htpasswd
<limit GET PUT POST>
require valid-user
</limit>

The working directory of the .htpasswd is /home/ruralcon

What am I doing wrong??  Any help would be massively appreciated, as this has taken up far too much of my morning already!!!


Roachy1979 Asked:
 
Roachy1979 (Author) Commented:
Well.......it's definitely a problem with the parent level .htaccess - rename that and authentication at lower levels works. Going to raise it with the site's designer to see what they suggest!

Thanks for all your help.....I've issued some points, but not all due to a lack of resolution...
0
 
giltjr Commented:
Does Apache have read access to /home/ruralcon/.htpasswd?
0
 
Roachy1979 (Author) Commented:
An ls -la shows permissions as...

-rw-rw-r--    1 ruralcon ruralcon    23 Oct  2 05:47 .htpasswd

0

 
Roachy1979 (Author) Commented:
...and if I pwd from the root of the folder .htpasswd is in, it verifies:

/home/ruralcon
0
 
giltjr Commented:
You may want to check Apache's logs to see if it shows anything.
0
 
Roachy1979 (Author) Commented:
As it's a hosted server I don't have full access to the apache logs....just to the access logs....

I get this from the access logs....the HTTP GET request of the valid page, followed by the returned 404 error page:

[02/Oct/2008:05:47:39 -0500] "GET /admin HTTP/1.0" 302 - "-" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.3) Gecko/2008092510 Ubuntu/8.04 (hardy) Firefox/3.0.3"
[02/Oct/2008:05:47:40 -0500] "GET /error404/ HTTP/1.0" 200 2255 "-" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.3) Gecko/2008092510 Ubuntu/8.04 (hardy) Firefox/3.0.3"

Just to verify....to create the .htpasswd file I

1) SSH'd onto the server
2) htpasswd -c .htpasswd ruralcon
3) entered the password
4) navigated to the public_html/admin directory and created the .htaccess file above

0
 
giltjr Commented:
Ah, a hosted service.

That could be a problem.  You may need to see if they document how to do this on their system.  I have run into problems attempting to do this on hosted servers.  Normally the issue is that Apache is set up in a way that it can't get to the directory you are putting the .htpasswd file in.

Instead of putting it in /home/ruralcon, can you try putting it someplace else, like public_html?

I know that when I did this on a hosted system once, they had a special directory for me to put the .htpasswd file in and that was the only place they supported putting it.  So you may need to contact the hosting company and see if they have the same requirements.
0
 
caterham_www Commented:
> "GET /admin HTTP/1.0" 302 - "

That is a 302 redirect, not a native 404. Are there other .htaccess files esp. those containing directives like 'ErrorDocument' on higher levels?

May be a
ErrorDocument 401 http://.... is causing a 302 redirect.
0
 
Roachy1979 (Author) Commented:
Thanks for that....

@giltjr - that would make sense, as there is a .htpasswds folder that I didn't spot before at the root of public_html.  I've tried moving the .htpasswd file into here and altering the path in .htaccess and still the same error.

@caterham_www - not sure what I'm looking for in the other .htaccess files.  Could anything in the following cause the error?  

home/ruralcon

DirectoryIndex index.php
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ /home/ruralcon/public_html/index.php/$1 [L,QSA]

This worked on the old server but not with the new host... (site5.com)

Would files at a lower level also have an impact?  We also have a subdomain, crm, which runs vtigercrm which has a number of .htaccess files at different levels... the unix to these is home/ruralcon/public_html/crm/vtigercrm?  I assumed that these could not have an impact...

I've spoken to site5 support and from what they say, everything should be fine the way I've done it.....checked the site5 forums and checked against the most referred to article on how to do this on site5 (http://tips-scripts.com/protect)....



0
 
giltjr Commented:
You need to check with the service provider to see if they require it to be in a specific place that would require a .htpasswd file.

Where do you have the Rewrite Rules?  If they are in your .htaccess file, try removing the password stuff from .htaccess and just leave the rewrite rules in place and see what happens.
0
 
caterham_www Commented:
No, that should not cause a 302 redirect, but apache/mod_rewrite needs a URL-path (/index.php/$1) in directory context in order to proceed with an internal redirect. Your substitution specifies a full physical path (/home/ruralcon/public_html/index.php/$1); but anyway apache should be able to strip /home/ruralcon/public_html prior to proceeding.

> Would files at a lower level also have an impact?

Only if the request reaches those folders.

Anyway, what you can do is to check the HTTP headers, e.g. with http://web-sniffer.net
Watch out for the HTTP response header and esp. if there's a header like "powered by php" or so.

You may also try to put ErrorDocument 401 default into the same .htaccess:

DirectoryIndex index.php
AuthType Basic
AuthName "Administration Page - Please Log In"
AuthUserFile /home/ruralcon/.htpasswd
require valid-user
ErrorDocument 401 default


> <limit GET PUT POST>

Should HEAD requests be served w/o authentication?
0
 
Roachy1979 (Author) Commented:
>Anyway, what you can do is to check the HTTP headers, e.g. with http://web-sniffer.net

This is the response to the HTTP request:

Name              Value
HTTP Status Code: HTTP/1.1 302 Found
Date:             Fri, 03 Oct 2008 14:43:10 GMT
Server:           Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7a FrontPage/5.0.2.2635
X-Powered-By:     PHP/4.4.8
Expires:          Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control:    no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma:           no-cache
Set-Cookie:       PHPSESSID=c190bfa62c27330aeb13f2cb084fd572; path=/
Location:         http://www.mydomain.co.uk/error404/
Content-Length:   0
Connection:       close
Content-Type:     text/html


>You may also try to put ErrorDocument 401 default into the same .htaccess:

Done - no change

>Should HEAD requests be served w/o authentication?

It doesn't really matter - as this is only a secure folder for a content management system....if anyone wants to look at a HEAD request they can do this on the unprotected www root....

>You need to check with the service provider to see if they require it to be in a specific place that would require a .htpasswd file.

Just waiting for a response from site5 now!

>Where do you have the Rewrite Rules?  If they are in your .htaccess file, try removing the password stuff from .htaccess and just leave the rewrite rules in place and see what happens.

The rewrite rules are in the unprotected www root.... would those have an impact on this?  They didn't on the old server...



0
 
caterham_www Commented:
> X-Powered-By: PHP/4.4.8

Your request is being handled by a php script, which redirects to /error404/.
Usually
/.htaccess rewrite
/folder/.htaccess auth

should not have an impact, because the auth fixup hook is being processed before mod_rewrite's fixup hook. That means it is impossible to rewrite /folder/foo to /unprotected/foo in directory context with mod_rewrite without authentication, no matter if the directives mod_rewrite provides are stored in /.htaccess or /folder/.htaccess.

The module mod_auth_basic itself returns status codes HTTP 401 or HTTP 500 only, which, as I said, can result in a 302 with a custom ErrorDocument directive/setting. The request you made for testing purposes was a request for/to an existent file, right?

You may try to set the ErrorDocuments for 404, 403 and 500 to default, too, in order to rule out some sort of config error:

ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 500 default

and request the resource via websniffer to see if there is still a 302 redirect. A missing or non-readable password file would result in an internal server error (HTTP 500) unless s/o modified the default source code prior to compiling.

0
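
The header check this thread relies on, as an added example that is not part of any post: a small Python classifier for the response to an unauthenticated request for a path meant to be behind Basic auth. The category names and the 401 sample are constructed here; the 302 sample is a subset of the headers posted above.

```python
# Added example. Category names are made up for illustration.

THREAD_302 = """HTTP/1.1 302 Found
X-Powered-By: PHP/4.4.8
Location: http://www.mydomain.co.uk/error404/
Content-Length: 0
"""  # subset of the headers posted in the thread

EXPECTED_401 = """HTTP/1.1 401 Authorization Required
WWW-Authenticate: Basic realm="Administration Page - Please Log In"
"""  # constructed sample of what a working setup would return


def parse_head(raw):
    """Split a raw response head into (status_code, {lowercased-header: value})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])      # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(raw):
    """Say what an unauthenticated response tells us about the protection."""
    status, h = parse_head(raw)
    if status == 401:
        scheme = h.get("www-authenticate", "").split(" ")[0].lower()
        return "auth-enforced" if scheme == "basic" else "401-without-basic-challenge"
    if status == 500:
        # Per the thread: a missing or unreadable password file ends up here.
        return "server-error"
    if 300 <= status < 400:
        # Heuristic used in the thread: X-Powered-By means a script answered,
        # so the redirect did not come from the auth module itself.
        who = "application" if "x-powered-by" in h else "server"
        return f"redirect-by-{who}:{h.get('location', '')}"
    if status == 200:
        return "served-without-auth"       # content returned with no challenge
    return f"other-{status}"


if __name__ == "__main__":
    for sample in (THREAD_302, EXPECTED_401):
        print(classify(sample))
```
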
 
Roachy1979 (Author) Commented:
Thanks for the quick reply!

Just to clarify, I now have:

DirectoryIndex index.php
AuthType Basic
AuthName "Administration Page - Please Log In"
AuthUserFile /home/ruralcon/.htpasswds/public_html/.htpasswd
require valid-user
ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 500 default

>The request you made for testing purposes was a request for/to an existent file, right?

Yup... just to be sure that it was picking up the correct file I put in the www.mydomain.com/admin/index.php this time

Still get the 302 error.....

HTTP Status Code: HTTP/1.1 302 Found

Thanks for all your help so far!
0
Question has a verified solution.
