.htaccess password not working: Internal Server Error

Hi,

I'm trying to use .htaccess password to protect my directory and it's sub directories.

I have this in my .htaccess file for the directory:
AuthName "Restricted Area" 
AuthType Basic 
AuthUserFile /home/htpass/.htpasswd 
AuthGroupFile /dev/null 
require valid-user

Open in new window


for my .htpasswd I have:
vkimura:qe723jsfyweFke

Open in new window


But when I go to the directory I get an "Internal Server Error".

When I delete the .htaccess file from the directory then it becomes a Forbidden error. So I'm assuming something is wrong with the .htaccess file.

How can I password protect my directory recursively using .htaccess?

Thank you and Father bless<><
Victor KimuraSEO, Web DeveloperAsked:
Who is Participating?
 
kyanwanConnect With a Mentor Commented:
In your httpd.conf - make sure you:

AllowOverride AuthConfig

for the directory you're trying to activate Auth for.

[ The internal server error?  If you go to error.log, you might see a "not allowed here' somewhere in there for that access.  "AllowOverride  none" is a common configuration, as it offers heightened security.   If your override is not permitted, Apache will throw a server error when it picks up your attempt to request Auth via override if override is not enabled for the directory where you dropped the htaccess. ]
0
 
Edwin HofferConnect With a Mentor Technical ExpertCommented:
Update your .htaccess code to this:

AuthType Basic
AuthName "restricted area"
AuthUserFile /home/htpass/.htpasswd
require valid-user

Open in new window


And generate htaccess password from here:

http://www.htaccesstools.com/htpasswd-generator/

Also you can check these articles:

http://davidwalsh.name/password-protect-directory-using-htaccess

http://css-tricks.com/easily-password-protect-a-website-or-subdirectory/

Thanks
Edwin
0
 
duncanb7Connect With a Mentor Commented:
Please put back the .htaccess file  to original place  that is setup by your server administrator.
Put  the code as follows into the .htaccess file at original location, for example .at public_html
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user

Open in new window

And make sure the .htpasswd  file is exactly at file path  , run this php script to check
your full path as follows code.
<?php
$dir = dirname(__FILE__);
echo "<p>Full path to this dir: " . $dir . "</p>";
$filename= $dir . "/.htpasswd";
if (file_exists($filename)) {
    echo "The file $filename exists";
echo "<p>Full path to a .htpasswd file in this dir: " . $dir . "/.htpasswd" . "</p>";
} else {
    echo "The file $filename does not exist";
}
?>

Open in new window

Hope understand your question completely.If not, pls pt it out
Duncan
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
Seth SimmonsSr. Systems AdministratorCommented:
i tested that same code and it works fine for me; only changed the path to the password file
as a sanity check, does the account that apache runs as have access to the .htpasswd file or /home/htpass folder?
i took my file and changed ownership to something other than the account apache uses and it returned a 500; the error log showed permission denied, couldn't open password file

i would check the account used and the folder/file access for that account first
if that isn't an issue then the apache error log should show the reason for the server error
0
 
Victor KimuraSEO, Web DeveloperAuthor Commented:
Hi duncanb7,

I don't wish to deny access at the public_html folder. Wouldn't that deny everyone from accessing the website with those commands?

---

Hi Seth Simmons,

Do you mean something like?
chown -R apache:apache /home/htpass/.htpasswd
0
 
Seth SimmonsSr. Systems AdministratorCommented:
yeah...if the apache account is used for the process and doesn't have rights to access that folder
0
 
duncanb7Commented:
there is no any user for  denying besides the directory you set auth right

.htaccess is always in root or hosting roots(public_html) directory as usual.

Just put the .htpasswd for the directory you want protect

Duncan
0
 
Victor KimuraSEO, Web DeveloperAuthor Commented:
Hi duncanb7,

I don't think that's correct.

We're supposed to put the .htaccess (not the .htpasswd) in the directory that needs to be protected. You have it the other way around, friend.

AuthUserFile /home/htpass/.htpasswd

is the directive for where the .htpasswd should be placed which is outside the public folder. =)
0
 
serialbandConnect With a Mentor Commented:
You put both .htpasswd and .htaccess in the directories you wish to protect.  You can put it in root or in any folder, assuming you set it in the configuration to allow users to do so.  Each directory can be protected with separate .htaccess and .htpasswd settings.  You can specify the location of the .htpasswd in .htaccess, and it's easiest if they're in the same folders for better clarity, so you don't have to dig around each .htaccess file to find them.
0
 
Victor KimuraSEO, Web DeveloperAuthor Commented:
Hi Seth Simmons,

Ok, I got it to work for one moment and I saw the login Auth popup. I entered the info (maybe I typed something wrong) and then it's a Forbidden error. I changed the chown to:
chown -R nobody:nobody /home/htpass/.htpasswd

my httpd.conf is under nobody user. Is that ok?

Maybe I typed my pass or username wrong but I can't get access to the Authorization message/popup. How do I reset it?
0
 
Seth SimmonsSr. Systems AdministratorCommented:
the 403 forbidden could be something different
maybe that user doesn't have access to that folder or there is no default page and document index is off
0
 
serialbandCommented:
If you've already entered a usernam/password, you'll have to clear it from the browser cache.  The easiest way is to restart your browser.
0
 
Victor KimuraSEO, Web DeveloperAuthor Commented:
Ok, strange. The window Auth message popped up in IE.

AuthType Basic
AuthName "restricted area"
AuthUserFile /home/myultrat/public_html/l4/.htpasswd
require valid-user

Open in new window


I placed the .htpasswd in the same directory as .htaccess to see if it was a permissions issue.

This is in my .htpasswd:
vkimura:NLLCydYbWcTVg

Open in new window


It's encrypted. I generated the file from here:
http://www.tools.dynamicdrive.com/password/

The pass is 'test' without quotes. Nothing secure about the site. I'm just using it to block all search engine bots from accessing and crawling it. Just a Laravel proj test on the pub directory. (just fyi).

In IE the Auth message popped up and then I entered my credentials and then I can see the spinning wheel trying to access the page. I placed an index.html in that page as well. What could be wrong?

here's the url:
/home/myultrat/public_html/l4
0
 
serialbandConnect With a Mentor Commented:
If you're just blocking search engine bots, you just need to place a robots.txt file in your web site root folder with the following entries.  Legitimate search bots will honor it.
User-agent: *
Disallow: /

Open in new window

Also, that password hash seems a bit short.  It may be an outdated hash algorithm.  Try this
vkimura:$apr1$IyzlLJLp$YpwvBPHzroszK4bx5ZQ.m0

Open in new window

I generated that with the linux command line htpasswd command, but you can go to this page and it will generate a more modern hash.
http://www.htaccesstools.com/htpasswd-generator-windows/
0
 
Victor KimuraSEO, Web DeveloperAuthor Commented:
Kyanwan was correct about the AllowOverride AuthConfig setting. Thank you all!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.