Security using .htaccess & .htpasswd files w/ Apache?

  • stanman1
  • Born
  • Posts: 3
  • Loc: Boise, ID

Post 3+ Months Ago

I have Googled the snot out of how to recursively secure web site directories in Apache, and understand the process involved. I've tried to implement it on one of my VirtualHost sites, but I must be missing something because it isn't working.

The site I'm having the problem on is http://chs.meridianschools.org and the directory that should be secured is AP_Java. So the desired end result of this effort is that the URL http://chs.meridianschools.org/AP_Java would automatically prompt visitors to log in before allowing access. All I have in there now is a text file for testing purposes, and I have Directory Indexing disabled to help secure the server. For these reasons, to see what I'm talking about you'd need to access the text file directly via the URL http://chs.meridianschools.org/AP_Java/hello_world.txt. The login prompt doesn't even show at all.

Here's a rundown on my server specs:
* LAMP support (L = RHEL ES 4, A = 2.0.52, M = 4.1.20, P = 4.3.9)
* Site publishing for individuals done via WebDAV

Here's what I've done to this point:

1. Created an .htpasswd file in a folder in the server's Apache root directory. (All 29 web sites are hosted on this same server through VirtualHosts in the Apache config. Because web server configs for each subdomain are handled through Apache includes, I can customize & tune specific options for each subdomain as needed based on individual hosting requirements.)

2. Created an .htaccess file in the AP_Java folder with the following contents (some specific configs have been excluded for obvious security reasons):

AuthUserFile /path-from-server-root/.htpasswd
AuthGroupFile /dev/null
AuthName "This directory is protected"
AuthType Basic
require user username

3. Gracefully restarted Apache for good measure

Any theories on why this isn't working correctly? TIA for any help you can give!

-Stan

  • AnarchY SI
  • Web Master
  • Posts: 2521
  • Loc: /usr/src/MI

Post 3+ Months Ago

remove this: require user username
replace it with this: require valid-user

work yet?


in my opinion, if you have access, i feel it's more secure to not use a .htaccess file at all and to add the restrictions directly in the httpd.conf
the modifications would go in the file after the <Directory></Directory> section. mine goes as follows:
...
  Order allow,deny
  Allow from all

</Directory>

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/uploads">
    AuthName "Restricted Area"
    AuthType Basic
    AuthUserFile "C:\\Program Files\\Apache Software Foundation\\Apache2.2\\htfiles\\.htpasswd"
    require valid-user
</Directory>


(i have no worries posting this here as i have no web server currently up and running on my pc bc our internet was shutoff so i'm "borrowing" the office's wireless >.< )
of course the path would be different as you're on a nix server and i was running it in winblows but same formatting applies.
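
An added example, not code from either poster: a small Python audit of the two things this thread turns on, whether the .htaccess carries a complete Basic auth directive set with the password file outside the DocumentRoot, and whether the most specific enclosing <Directory> block's AllowOverride permits AuthConfig, which Apache requires before it honours auth directives in .htaccess. The function names, the simplified config parsing and the /srv/www/example paths are assumptions made for illustration.

```python
import re

REQUIRED = ("authtype", "authname", "authuserfile", "require")

def directives(text):
    """Map lower-cased directive name -> argument string, skipping comments and <Section> tags."""
    out = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith(("#", "<")):
            parts = line.split(None, 1)
            out[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return out

def effective_override(server_conf, directory):
    """AllowOverride tokens from the most specific enclosing <Directory> block, or None if unset."""
    best_len, tokens = -1, None
    blocks = re.findall(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', server_conf, re.I | re.S)
    for path, body in blocks:
        base = path.rstrip("/")
        value = directives(body).get("allowoverride")
        inside = directory == base or directory.startswith(base + "/")
        if value and inside and len(base) > best_len:
            best_len, tokens = len(base), value.lower().split()
    return tokens

def audit(htaccess, server_conf, directory, docroot):
    """Return reasons the .htaccess Basic auth setup may not take effect or is weak."""
    d = directives(htaccess)
    problems = [f"missing {name}" for name in REQUIRED if name not in d]
    userfile = d.get("authuserfile", "").strip('"')
    if userfile.startswith(docroot.rstrip("/") + "/"):
        problems.append("password file is inside the DocumentRoot")
    override = effective_override(server_conf, directory)
    if override is None:
        problems.append("no AllowOverride found; default depends on Apache version")
    elif not {"all", "authconfig"} & set(override):
        problems.append("AllowOverride lacks AuthConfig; auth directives in .htaccess are not honoured")
    return problems

# Constructed sample input (placeholder paths, not the poster's real layout).
SAMPLE_HTACCESS = """AuthUserFile /srv/www/example/htfiles/.htpasswd
AuthName "This directory is protected"
AuthType Basic
require valid-user
"""
SAMPLE_CONF = '<Directory "/srv/www/example/htdocs">\n    AllowOverride None\n</Directory>\n'
print(audit(SAMPLE_HTACCESS, SAMPLE_CONF, "/srv/www/example/htdocs/AP_Java", "/srv/www/example/htdocs"))
```

An empty list means none of these checks failed. The parser only reads plain <Directory "path"> blocks, so regex or wildcard sections and Include files need to be checked by hand.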
