.htaccess password not working: Internal Server Error


I'm trying to use .htaccess password to protect my directory and its subdirectories.

I have this in my .htaccess file for the directory:
AuthName "Restricted Area" 
AuthType Basic 
AuthUserFile /home/htpass/.htpasswd 
AuthGroupFile /dev/null 
require valid-user


for my .htpasswd I have:


But when I go to the directory I get an "Internal Server Error".

When I delete the .htaccess file from the directory then it becomes a Forbidden error. So I'm assuming something is wrong with the .htaccess file.

How can I password protect my directory recursively using .htaccess?

Thank you and Father bless<><
Victor Kimura (SEO, Web Developer) Asked:

Edwin Hoffer (Technical Expert) Commented:
Update your .htaccess code to this:

AuthType Basic
AuthName "restricted area"
AuthUserFile /home/htpass/.htpasswd
require valid-user


And generate htaccess password from here:


Also you can check these articles:



Please put the .htaccess file back in its original place, as set up by your server administrator.
Put the following code into the .htaccess file at the original location, for example at public_html:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user


And make sure the .htpasswd file is exactly at the file path. Run this PHP script to check
your full path, as in the following code.
<?php
// Diagnostic: print this directory's full path and check for .htpasswd here.
// Delete this script from the server once you have the path.
$dir = dirname(__FILE__);
echo "<p>Full path to this dir: " . $dir . "</p>";
$filename = $dir . "/.htpasswd";
if (file_exists($filename)) {
    echo "The file $filename exists";
    echo "<p>Full path to a .htpasswd file in this dir: " . $dir . "/.htpasswd" . "</p>";
} else {
    echo "The file $filename does not exist";
}


Hope I understand your question completely. If not, please point it out.
Seth Simmons (Sr. Systems Administrator) Commented:
i tested that same code and it works fine for me; only changed the path to the password file
as a sanity check, does the account that apache runs as have access to the .htpasswd file or /home/htpass folder?
i took my file and changed ownership to something other than the account apache uses and it returned a 500; the error log showed permission denied, couldn't open password file

i would check the account used and the folder/file access for that account first
if that isn't an issue then the apache error log should show the reason for the server error
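
The access check described in the comment above, as an added example that is not part of the original thread: it walks every directory on the way to the password file and reports the first one the web server account cannot search, or the file it cannot read. The names `can` and `first_blocker` are hypothetical, the demo tree is constructed, and only classic owner/group/other mode bits are evaluated (no ACLs or SELinux).

```python
import os
import tempfile

def can(st, uid, gids, want):
    """Classic owner/group/other check; want is 'r' (read) or 'x' (search)."""
    if uid == 0:                      # root bypasses mode bits
        return True
    if uid == st.st_uid:
        shift = 6                     # owner bits
    elif st.st_gid in gids:
        shift = 3                     # group bits
    else:
        shift = 0                     # other bits
    return bool((st.st_mode >> shift) & {"r": 4, "x": 1}[want])

def first_blocker(path, uid, gids, base="/"):
    """Return (path, 'search' | 'read') for the first denial, or None."""
    path, base = os.path.abspath(path), os.path.abspath(base)
    parts = os.path.relpath(path, base).split(os.sep)
    current = base
    for part in parts:
        # every directory on the way needs the search (x) bit
        if not can(os.stat(current), uid, gids, "x"):
            return (current, "search")
        current = os.path.join(current, part)
    # the password file itself needs the read bit
    if not can(os.stat(current), uid, gids, "r"):
        return (current, "read")
    return None

if __name__ == "__main__":
    # Constructed demo tree standing in for /home/htpass/.htpasswd
    with tempfile.TemporaryDirectory() as top:
        os.chmod(top, 0o755)
        folder = os.path.join(top, "htpass")
        os.mkdir(folder, 0o700)       # owner-only, like a private home directory
        pwfile = os.path.join(folder, ".htpasswd")
        open(pwfile, "w").close()
        web_uid = os.stat(pwfile).st_uid + 1   # stand-in for Apache's uid
        print(first_blocker(pwfile, web_uid, set(), base=top))
```

On a real host, pass the uid and group ids of the account Apache runs as and leave `base` at its default.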

In your httpd.conf - make sure you:

AllowOverride AuthConfig

for the directory you're trying to activate Auth for.

[ The internal server error? If you go to error.log, you might see a "not allowed here" somewhere in there for that access. "AllowOverride none" is a common configuration, as it offers heightened security. If your override is not permitted, Apache will throw a server error when it picks up your attempt to request Auth via override if override is not enabled for the directory where you dropped the htaccess. ]
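
A small error-log triage for the two causes of the 500 raised in the comments above (an override that is not permitted, and a password file Apache cannot open), as an added example that is not part of the original thread. The log lines, paths and client address are constructed, and the names `RULES` and `triage` are hypothetical.

```python
import re

# (pattern, cause, what to check) for the two failure modes named in the thread
RULES = [
    (re.compile(r"(?P<file>\S+/\.htaccess): (?P<directive>\w+) not allowed here"),
     "override-denied",
     "AllowOverride for this directory does not include AuthConfig"),
    (re.compile(r"Could not open password file: (?P<file>\S+)", re.I),
     "htpasswd-unreadable",
     "Apache's account cannot read AuthUserFile or traverse its parent folders"),
]

def triage(log_text):
    """Return one finding per log line that matches a known cause."""
    findings = []
    for line in log_text.splitlines():
        for pattern, cause, hint in RULES:
            m = pattern.search(line)
            if m:
                findings.append({
                    "cause": cause,
                    "file": m.group("file"),
                    "directive": m.groupdict().get("directive"),
                    "hint": hint,
                })
                break
    return findings

# Constructed sample lines in Apache 2.4 error-log layout; the third is unrelated noise
SAMPLE_LOG = """\
[Tue Mar 05 10:00:01.000000 2019] [core:alert] [pid 1201] [client 203.0.113.5:50000] /home/example/public_html/l4/.htaccess: AuthName not allowed here
[Tue Mar 05 10:02:13.000000 2019] [authn_file:error] [pid 1201] (13)Permission denied: [client 203.0.113.5:50010] AH01620: Could not open password file: /home/htpass/.htpasswd
[Tue Mar 05 10:03:40.000000 2019] [authz_core:error] [pid 1201] [client 203.0.113.5:50020] AH01630: client denied by server configuration: /home/example/public_html/private
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["cause"], finding["file"], "->", finding["hint"])
```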

Victor Kimura (SEO, Web Developer) Author Commented:
Hi duncanb7,

I don't wish to deny access at the public_html folder. Wouldn't that deny everyone from accessing the website with those commands?


Hi Seth Simmons,

Do you mean something like?
chown -R apache:apache /home/htpass/.htpasswd
Seth Simmons (Sr. Systems Administrator) Commented:
yeah...if the apache account is used for the process and doesn't have rights to access that folder
there is not any user for denying besides the directory you set auth right

.htaccess is always in the root or hosting root (public_html) directory as usual.

Just put the .htpasswd for the directory you want to protect

Victor Kimura (SEO, Web Developer) Author Commented:
Hi duncanb7,

I don't think that's correct.

We're supposed to put the .htaccess (not the .htpasswd) in the directory that needs to be protected. You have it the other way around, friend.

AuthUserFile /home/htpass/.htpasswd

is the directive for where the .htpasswd should be placed which is outside the public folder. =)
You put both .htpasswd and .htaccess in the directories you wish to protect.  You can put it in root or in any folder, assuming you set it in the configuration to allow users to do so.  Each directory can be protected with separate .htaccess and .htpasswd settings.  You can specify the location of the .htpasswd in .htaccess, and it's easiest if they're in the same folders for better clarity, so you don't have to dig around each .htaccess file to find them.
Victor Kimura (SEO, Web Developer) Author Commented:
Hi Seth Simmons,

Ok, I got it to work for one moment and I saw the login Auth popup. I entered the info (maybe I typed something wrong) and then it's a Forbidden error. I changed the chown to:
chown -R nobody:nobody /home/htpass/.htpasswd

my httpd.conf is under nobody user. Is that ok?

Maybe I typed my pass or username wrong but I can't get access to the Authorization message/popup. How do I reset it?
Seth Simmons (Sr. Systems Administrator) Commented:
the 403 forbidden could be something different
maybe that user doesn't have access to that folder or there is no default page and document index is off
If you've already entered a username/password, you'll have to clear it from the browser cache.  The easiest way is to restart your browser.
Victor Kimura (SEO, Web Developer) Author Commented:
Ok, strange. The window Auth message popped up in IE.

AuthType Basic
AuthName "restricted area"
AuthUserFile /home/myultrat/public_html/l4/.htpasswd
require valid-user


I placed the .htpasswd in the same directory as .htaccess to see if it was a permissions issue.

This is in my .htpasswd:


It's encrypted. I generated the file from here:

The pass is 'test' without quotes. Nothing secure about the site. I'm just using it to block all search engine bots from accessing and crawling it. Just a Laravel proj test on the pub directory. (just fyi).

In IE the Auth message popped up and then I entered my credentials and then I can see the spinning wheel trying to access the page. I placed an index.html in that page as well. What could be wrong?

here's the url:
If you're just blocking search engine bots, you just need to place a robots.txt file in your web site root folder with the following entries.  Legitimate search bots will honor it.
User-agent: *
Disallow: /


Also, that password hash seems a bit short.  It may be an outdated hash algorithm.  Try this


I generated that with the linux command line htpasswd command, but you can go to this page and it will generate a more modern hash.
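
A way to check which hash scheme each .htpasswd entry uses, following the remark above about a short, possibly outdated hash (an added example, not part of the original thread). The entries are constructed placeholders rather than real hashes, and `classify` and `audit` are hypothetical names. The prefixes are the ones Apache's htpasswd writes: `$2y$` for bcrypt, `$apr1$` for its MD5 variant, `{SHA}` for unsalted SHA-1, and a bare 13-character string for traditional crypt().

```python
import re

C64 = r"[./A-Za-z0-9]"   # crypt-style base64 alphabet
SCHEMES = [  # (name, pattern, weak?)
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$" + C64 + r"{53}$"), False),
    ("apr1-md5", re.compile(r"^\$apr1\$" + C64 + r"{1,8}\$" + C64 + r"{22}$"), False),
    ("sha2-crypt", re.compile(r"^\$[56]\$"), False),
    # unsalted SHA-1: identical passwords give identical hashes
    ("sha1-unsalted", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), True),
    # traditional DES crypt(): only the first 8 password characters count
    ("des-crypt", re.compile("^" + C64 + r"{13}$"), True),
]

def classify(hash_field):
    """Return (scheme name, weak?) for the part after 'user:'."""
    for name, pattern, weak in SCHEMES:
        if pattern.match(hash_field):
            return name, weak
    return "plaintext-or-unknown", True

def audit(htpasswd_text):
    """Return [(user, scheme, weak?)] for every entry in the file text."""
    report = []
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        report.append((user, *classify(hash_field)))
    return report

# Constructed entries: right shape for each scheme, not real hashes
SAMPLE = "\n".join([
    "alice:$2y$05$" + "A" * 53,
    "bob:$apr1$" + "saltsalt" + "$" + "B" * 22,
    "carol:{SHA}" + "C" * 27 + "=",
    "dave:" + "ab" + "D" * 11,
])

if __name__ == "__main__":
    for user, scheme, weak in audit(SAMPLE):
        print(f"{user:6} {scheme:15} {'WEAK: regenerate' if weak else 'ok'}")
```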
Victor Kimura (SEO, Web Developer) Author Commented:
Kyanwan was correct about the AllowOverride AuthConfig setting. Thank you all!