htaccess/apache setup problems

Installing, Configuring, Troubleshooting server daemons such as Web and Mail
Post Reply
legojenn
Posts: 2
Joined: 2007/05/02 16:33:46
Contact:

htaccess/apache setup problems

Post by legojenn » 2007/05/02 16:42:52

Hello:

I am writing with a little problem that I am having getting .htaccess to work on my CentOS 5.0 server. I am new to CentOS having recently converting from Slackware after a hardware failure. So far I like CentOS and have had few conversion pains. I have had no difficulty setting up .htaccess on my old server configurations so I figure that I am making a simple error. I would appreciate any assistance solving this problem.

Jenn


This is the 401 error that I am getting from the browser

Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.


--------------------------------------------------------------------------------

Apache/2.2.3 (CentOS) Server at www.jenn.ca Port 80

---

This is how I have modified the httpd.conf file
-----------------------------------------------

# First, we configure the "default" to be a very restrictive set of
# features.
#
#
# Options FollowSymLinks
# AllowOverride None
#



AllowOverride AuthConfig



---

This is the error log
---------------------

[Wed May 02 12:18:23 2007] [notice] caught SIGTERM, shutting down
[Wed May 02 12:18:34 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed May 02 12:18:34 2007] [notice] Digest: generating secret for digest authentication ...
[Wed May 02 12:18:34 2007] [notice] Digest: done
[Wed May 02 12:18:35 2007] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Wed May 02 12:18:35 2007] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations

---

This is the directory that I am trying to protect
-------------------------------------------------

[root@server jsd]# cd /var/www/html/projects/workforms/
[root@server workforms]# pwd
/var/www/html/projects/workforms
[root@server workforms]# ls -la
total 64
drwxr-xr-x 2 jsd users 4096 May 1 19:10 .
drwxr-xr-x 9 jsd users 4096 Mar 26 12:01 ..
-rw-r--r-- 1 jsd users 14430 Mar 27 12:16 client.inc
-rw-r--r-- 1 root root 136 May 1 19:16 .htaccess
-rw-r--r-- 1 root root 37 May 1 19:11 .htpasswd
-rw-rw-r-- 1 jsd users 1065 Mar 16 09:50 lawyer.inc
-rw-r--r-- 1 jsd users 10123 May 1 11:25 newfile.html
-rw-r--r-- 1 jsd users 12731 May 1 11:24 opinion.html
[root@server workforms]# cat .htaccess

AuthUserFile /var/www/html/projects/workforms/.htaccess
AuthGroupFile /dev/null
AuthName "Work forms"
AuthType Basic
require valid-user

[root@server workforms]# cat .htpasswd

jsd:wIYT4md6FPWG.
cals:McsOw0qDpo.uU

[root@server workforms]#

---

These are my instructions
-------------------------

They have served me well in the past.


Password-Protect Your Website
written by Leo Laporte on Wednesday, October 30, 2002
Learn how to add secure access to your website.


For the past year my 10-year-old daughter has been pestering me to create a password-protected website for her. She wants to put things online that only her friends can see. It's something I'd like to do, too. I use my website to back up files and private stuff I don't want anyone else to download. Having a password-protected directory would add to my peace of mind.

There are all kinds of ways to add a password to a webpage. The solutions range from the easy-to-implement (and easy-to-crack) to the more complicated but more secure. Here are three ways to do it, starting with the most secure.

.htaccess

If your website is running on an Apache Web server (most websites are), you can use Apache's built-in file access commands to protect any directory. The Apache config file, httpd.conf, contains information about each directory on your site. You can modify this file, but you must restart Apache each time you change the configuration. Fortunately, Apache can be configured to check each directory for access control settings. Changes to these settings are applied each time Apache accesses the directory.

You may need to modify your httpd.conf file once to enable this directory-level control. Ask your system administrator to enable .htaccess files or, if you have access to the configuration file yourself, add the following line to the directories where your .html files are stored:

AllowOverride AuthConfig

Because Apache will have to read in the access control file each time the directory is accessed, it's best to enable this for only the directory or directories you want to password-protect. In my case I added a block in my httpd.conf file that reads as follows:


AllowOverride AuthConfig


Then I restarted Apache. This tells the server to check the directory public_html and all its subdirectories for an access control file each time it reads the directory. The default name for the access control file is .htaccess. It's a plain text file I created in the subdirectory that I wanted to protect. The file reads like so:

AuthUserFile "/home/leoville/.htpasswd"
AuthGroupFile /dev/null
AuthName "Leo's Private Files"
AuthType Basic
require valid-user

Use "valid-user" to allow anyone in the .htpasswd file to log in. Or, for even more security, require an actual user name -- "require leo" for instance -- that'll keep everyone else out. You'll want to modify the AuthUserFile to point to your password file (I'll show you how to create that in a second) and change AuthName to an appropriate string for the password prompt.

Make sure to make the .htaccess file world readable by typing this:

chmod ugo+r .htaccess

Finally, you'll need to create the password file, .htpassword. It's best to put this in a directory above your HTML directory to keep it from prying eyes. You can use the htpasswd program to create the file by navigating to your safe directory and typing this:

htpasswd -c .htpasswd username

You'll be prompted for a password for the name. Add more names with this command:

htpasswd .htpasswd username

Delete users by editing the .htpasswd file with any text editor.

Now try to access the directory. You should be prompted for a login and password. If it doesn't work, check the error_log file. On my system, here's what I type:

tail /etc/httpd/logs/error_log

This lets you read the last 10 lines of the error log. You should be able to tell what's wrong from that. The location of your error log may vary, of course.

All this is well-documented in the Apache manual and in various online tutorials such as this one.

That's the tricky but most secure way to add a password to a website. Other Web servers have similar techniques. Read the documentation for details. For users of Microsoft's IIS server, read this Microsoft technical note for information on migrating .htaccess type control files to IIS.

legojenn
Posts: 2
Joined: 2007/05/02 16:33:46
Contact:

Re: htaccess/apache setup problems

Post by legojenn » 2007/05/02 16:48:22

If I could delete my post I would. I found the error:

[root@server workforms]# cat .htaccess

AuthUserFile /var/www/html/projects/workforms/.htaccess
AuthGroupFile /dev/null
AuthName "Work forms"
AuthType Basic
require valid-user


should be

[root@server workforms]# cat .htaccess

AuthUserFile /var/www/html/projects/workforms/.htpasswd
AuthGroupFile /dev/null
AuthName "Work forms"
AuthType Basic
require valid-user

Sorry for wasting your time.

Jenn

Post Reply