
Using .htaccess


static

Hi guys - I have a question for a buddy at work (as much as for myself). I helped him set up a web server at work using Mandrake 10.1, and one subsection of the website we protected using .htaccess. Everything worked great until last week when we upgraded to Mandriva 2006. We did the upgrade (not a fresh install) to keep all the users, etc. Everything else seems to be working fine.

 

We re-did the .htaccess file because it was a new install of Apache, and I re-ran htpasswd, but it no longer asks for a username/password for the protected pages. I will come back to post the exact paths/configs, but for now, does anyone know why it is no longer working?

 

Thanks in advance! This is for very important protected information...

Link to comment

So... there's no way to get .htaccess to work? It isn't usually all that hard, which is why I'm extremely confuzzled. When we set it up the first time it was just a matter of creating the file, running htpasswd, and voila!

 

I'll post the .htaccess file and server paths in a few, as soon as they're e-mailed to me... Thanks for anything you guys can think of - this was my shot to get the Feds on linux!

Link to comment

OK - here's the goods!

 

The .htaccess file itself, in /var/www/html/vpa/web_site/

 

AuthUserFile /var/www/html/vpa/web_site/access/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Area"
AuthType Basic

 

and I tried running the following command from the web_site directory:

 

#htpasswd -c access/.htpasswd

Here's some of the config for apache - it seems to be fine... Can anyone see anything I'm doing wrong?

 

# Tons of (hopefully irrelevant) stuff above the following...
#
# UseCanonicalName: Determines how Apache constructs self-referencing 
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client.  When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName Off

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"

#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories). 
#
# First, we configure the "default" to be a very restrictive set of 
# features.  
#

<Directory />
Options -All -Multiviews
AllowOverride None
<IfModule mod_access.c>
Order deny,allow
Deny from all
</IfModule>
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/var/www/html">

# Possible values for the Options directive are "None", "All",
# or any combination of:
#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
# The Options directive is both complicated and important.  Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#options
# for more information.

Options -Indexes FollowSymLinks MultiViews

#################################################################
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit

AllowOverride None

# Test from static to get .htaccess working (comment out the above line
#  to try this) NOTE: DIDN'T WORK!
#	AllowOverride All
#################################################################

# Controls who can get stuff from this server.
<IfModule mod_access.c>
Order allow,deny
Allow from all
</IfModule>

</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
# The index.html.var file (a type-map) is used to deliver content-
# negotiated documents.  The MultiViews Option can be used for the 
# same purpose, but it is much slower.
#

<IfModule mod_include.c>
<IfModule mod_dir.c>
DirectoryIndex index.shtml
</IfModule>
</IfModule>

<IfModule mod_dir.c>
DirectoryIndex index.html index.html.var index.cgi index.pl index.htm Default.htm default.htm index.xml
</IfModule>

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride 
# directive.
#
AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<IfModule mod_access.c>
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
</IfModule>

#
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#
<IfModule mod_mime.c>
TypesConfig conf/mime.types
</IfModule>

#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
<IfModule mod_mime_magic.c>
MIMEMagicFile conf/magic
</IfModule>

#   .......and tons more

 

Anyone? This is super important...

Edited by static
Link to comment

Sorry to pester you guys, but they are considering switching to Windows Server 2003 soon if I can't help them... They need to protect the data displayed on these pages at all costs, even if it means using something else (and less secure overall). I can't think of any other way to get it to ask for a username/password that is effective and secure. No one has any ideas to get it working? I'm completely stumped considering how easy it usually is to get it working...

 

Thanks for any or all suggestions - I really want them to keep using Linux if I can help it.

Link to comment

Guest OldHarry77

I recalled two things from the Apache documentation (httpd.apache.org/docs/2.0/...) when reading your messages.

 

1. AuthName and AuthType must be accompanied by a Require directive:

Require user userid [userid] ...

Require group group-name [group-name] ...

or

Require valid-user

 

AuthName, AuthType, AuthGroupFile, and Require all need the AuthConfig configuration override to be active:

AllowOverride AuthConfig instead of AllowOverride AuthConfig None in your main configuration file.

 

2. In the "Apache Tutorial: .htaccess files", under "When (not) to use .htaccess files", it says:

In general, you should never use .htaccess files unless you don't have access

to the main server configuration file... Any configuration that you would consider

putting in an .htaccess file, can just as effectively be made in a <Directory> section

in your main server configuration file.

 

You seem to have access to your main server configuration file. Have you tried putting the access controls there? You are supposed to be able to do anything in a <Directory> section that you can in an .htaccess file.

 

Sorry if I'm out to lunch.

Link to comment

This is my file .htaccess, and it works. It does not ask for a password if I view pages from the local network or from the same server (you may remove that line: "Allow from 192...."). Note that the "Basic" type of authentication is kind of child-proof, not more than that. It is not recommended as a security measure by the apache site.

 

My .htpasswd contains the list of users and their hashed passwords.

<Files ~ "^\.ht">
	Order allow,deny
	Deny from all
</Files>

	IndexIgnore README .ht* *~
	Options Indexes SymLinksIfOwnerMatch
	AuthType Basic
	AuthName "Please identify yourself"
	AuthUserFile <path to>/.htpasswd
	Require valid-user
	Order allow,deny
	Allow from 192.168.2 127
	Satisfy any

Link to comment
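The .htaccess in the post above combines Require valid-user with Allow from 192.168.2 127 and Satisfy any, which is why clients on the local network are never prompted. The following Python model of that decision is an added example, not part of the post; the function names and client addresses are constructed, and it covers only Order allow,deny with no Deny lines.

```python
# Model of how Apache 2.0 combines "Order allow,deny", Basic auth and Satisfy.
# ALLOW_FROM is taken from the .htaccess posted above; the client addresses
# used with it are constructed samples.
ALLOW_FROM = ["192.168.2", "127"]

def host_allowed(client_ip, allow_from=ALLOW_FROM):
    """Order allow,deny with no Deny line: allowed only if an Allow entry matches.
    A partial IP matches on whole leading octets, so 192.168.2 covers
    192.168.2.x but not 192.168.20.x."""
    octets = client_ip.split(".")
    return any(octets[:len(p.split("."))] == p.split(".") for p in allow_from)

def decide(client_ip, valid_login, satisfy="any"):
    """HTTP status the server answers with: 200, 401 (login prompt) or 403."""
    host_ok = host_allowed(client_ip)
    if satisfy == "any":          # host rule OR valid login is enough
        return 200 if (host_ok or valid_login) else 401
    if not host_ok:               # Satisfy all: host rule AND valid login
        return 403
    return 200 if valid_login else 401

def served_without_login(clients, satisfy="any"):
    """Addresses that reach the pages with no credentials at all."""
    return [ip for ip in clients if decide(ip, False, satisfy) == 200]

if __name__ == "__main__":
    sample = ["127.0.0.1", "192.168.2.40", "192.168.20.40", "203.0.113.9"]
    for mode in ("any", "all"):
        print(mode, served_without_login(sample, mode))
```

With Satisfy any, every request that arrives from an allowed address skips the password, which includes anything a reverse proxy on the same host forwards from 127.0.0.1.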

Thanks for your replies!

 

OldHarry77: If you're wondering why the line in the apache config is commented, it's just because when I tried it, nothing changed, so I commented it out again to leave the server as it was until I can figure out something else to try... I will look into the "require" as you said in #1 of your first post.

 

uralmasha: Wow! Yours looks complicated, but I am going to do some more reading concerning some of those options.

 

This is great! There may be light at the end of the tunnel...

Link to comment

Guest OldHarry77
OldHarry77: If you're wondering why the line in the apache config is commented, it's just because when I tried it, nothing changed, so I commented it out again to leave the server as it was until I can figure out something else to try... I will look into the "require" as you said in #1 of your first post.

 

It was your command to create the .htpasswd file that concerned me. You wrote that you <quote>...tried running the following command from the web_site directory:

 

#htpasswd -c access/.htpasswd

 

<unquote>

 

My experience with apache is limited to a few exercises in a Linux course. We were told to avoid putting the password file in the web_site directory or one of its subdirectories, and in fact we put it in the Server root set by the ServerRoot directive. If you do that and put your Auth... directives in your main configuration file rather than in .htaccess files, you won't need the code that tries to prevent users from messing with .ht* files in your web_site directories. Simpler is often sounder.

Link to comment
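OldHarry77's two replies name three separate conditions: AllowOverride must permit AuthConfig, a Require directive must be present, and the password file should sit outside the document root. As an added example (not code from any poster in this thread), this Python check runs all three against a trimmed copy of the configuration posted above; the function names and the trimmed sample are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: trimmed from the httpd.conf and .htaccess posted in this thread.
HTTPD_CONF = '''DocumentRoot "/var/www/html"
<Directory />
AllowOverride None
</Directory>
<Directory "/var/www/html">
AllowOverride None
</Directory>
'''
HTACCESS = '''AuthUserFile /var/www/html/vpa/web_site/access/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Area"
AuthType Basic
'''

def effective_override(conf, path):
    """AllowOverride of the deepest <Directory> section that contains path."""
    best, value = -1, "All"  # Apache 2.0 default when no section sets it
    for m in re.finditer(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', conf, re.S | re.I):
        d = PurePosixPath(m.group(1).strip())
        ao = re.search(r'^\s*AllowOverride\s+(.+)$', m.group(2), re.M | re.I)
        if ao and (d == path or d in path.parents) and len(d.parts) > best:
            best, value = len(d.parts), ao.group(1)
    return {w.lower() for w in value.split()}

def diagnose(conf, htaccess, htaccess_dir):
    """Return the reasons a .htaccess in htaccess_dir would not protect it."""
    problems = []
    if not effective_override(conf, PurePosixPath(htaccess_dir)) & {"all", "authconfig"}:
        problems.append("AllowOverride does not permit AuthConfig for this directory")
    if not re.search(r'^\s*Require\s+\S', htaccess, re.M | re.I):
        problems.append("no Require directive, so no login is demanded")
    root = re.search(r'^\s*DocumentRoot\s+"?([^"\n]+)"?', conf, re.M | re.I)
    pw = re.search(r'^\s*AuthUserFile\s+(\S+)', htaccess, re.M | re.I)
    if root and pw and PurePosixPath(root.group(1).strip()) in PurePosixPath(pw.group(1)).parents:
        problems.append("AuthUserFile is stored under DocumentRoot")
    return problems

if __name__ == "__main__":
    for p in diagnose(HTTPD_CONF, HTACCESS, "/var/www/html/vpa/web_site"):
        print("-", p)
```

With the posted .htaccess, switching the /var/www/html section to AllowOverride All clears only the first finding; the missing Require remains, so no login prompt would be sent.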

Good point about the path - my coworker had put it there for some reason; I'm with you on that.

 

As far as the commenting out of that command, I included the console prompt # (as opposed to $) to show I was root, not a user.

Link to comment