static Posted April 10, 2006

Hi guys - I have a question for a buddy at work (as much as for myself). I helped him set up a web server at work using mandrake 10.1, and one subsection of the website we protected using .htaccess. Everything worked great until last week when we upgraded to mandriva 2006. We did the upgrade (not a fresh install) to keep all the users, etc. Everything else seems to be working fine. We re-did the .htaccess file because it was a new install of apache, and I re-ran htpasswd, but it no longer asks for a username/password for the protected pages. I will come back to post the exact paths/configs, but for now, does anyone know why it is no longer working? Thanks in advance! This is for very important protected information...

ddmcse Posted April 10, 2006 (edited)

Upgrading is a bad path for established servers. An upgrade re-writes your config files for servers.

iphitus Posted April 11, 2006

> Upgrading is a bad path for established servers. An upgrade re-writes your config files for servers.

Easily avoidable by cp'ing /etc to a backup somewhere. Then you can copy whatever httpd or configs that you'd like back.

ddmcse Posted April 11, 2006

hindsight is always easy and priceless

static Posted April 11, 2006

So... there's no way to get .htaccess to work? It isn't usually all that hard, which is why I'm extremely confuzzled. When we set it up the first time it was just a matter of creating the file, running htpasswd, and voila! I'll post the .htaccess file and server paths in a few, as soon as they're e-mailed to me... Thanks for anything you guys can think of - this was my shot to get the Feds on linux!

static Posted April 11, 2006 (edited)

OK - here's the goods! The .htaccess file itself, in /var/www/html/vpa/web_site/

```
AuthUserFile /var/www/html/vpa/web_site/access/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Area"
AuthType Basic
```

and I tried running the following command from the web_site directory:

```
#htpasswd -c access/.htpasswd
```

Here's some of the config for apache - it seems to be fine... Can anyone see anything I'm doing wrong?

```
# Tons of (hopefully irrelevant) stuff above the following...

#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client. When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName Off

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"

#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
    Options -All -Multiviews
    AllowOverride None
    <IfModule mod_access.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/var/www/html">

# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#options
# for more information.
    Options -Indexes FollowSymLinks MultiViews

#################################################################
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
    AllowOverride None
# Test from static to get .htaccess working (comment out the above line
# to try this) NOTE: DIDN'T WORK!
#    AllowOverride All
#################################################################

# Controls who can get stuff from this server.
    <IfModule mod_access.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
# The index.html.var file (a type-map) is used to deliver content-
# negotiated documents. The MultiViews Option can be used for the
# same purpose, but it is much slower.
#
<IfModule mod_include.c>
    <IfModule mod_dir.c>
        DirectoryIndex index.shtml
    </IfModule>
</IfModule>
<IfModule mod_dir.c>
    DirectoryIndex index.html index.html.var index.cgi index.pl index.htm Default.htm default.htm index.xml
</IfModule>

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<IfModule mod_access.c>
    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
    </Files>
</IfModule>

#
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#
<IfModule mod_mime.c>
    TypesConfig conf/mime.types
</IfModule>

#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
<IfModule mod_mime_magic.c>
    MIMEMagicFile conf/magic
</IfModule>

# .......and tons more
```

Anyone? This is super important...

Edited April 12, 2006 by static

static Posted April 18, 2006

Sorry to pester you guys, but they are considering switching to Windows Server 2003 soon if I can't help them... They need to protect the data displayed on these pages at all costs, even if it means using something else (and less secure overall). I can't think of any other way to get it to ask for a username/password that is effective and secure. No one has any ideas to get it working? I'm completely stumped considering how easy it usually is to get it working... Thanks for any or all suggestions - I really want them to keep using Linux if I can help it.

Guest OldHarry77 Posted April 18, 2006

I recalled two things from the Apache documentation (httpd.apache.org/docs/2.0/...) when reading your messages.

1. AuthName and AuthType must be accompanied by a Require directive:

```
Require user userid [userid] ...
Require group group-name [group-name] ...
```

or

```
Require valid-user
```

AuthName, AuthType, AuthGroupFile, and Require all need the AuthConfig configuration override to be active:

```
AllowOverride AuthConfig
```

instead of

```
AllowOverride AuthConfig None
```

in your main configuration file.

2. In the "Apache Tutorial: .htaccess files", under "When (not) to use .htaccess files", it says:

> In general, you should never use .htaccess files unless you don't have access to the main server configuration file... Any configuration that you would consider putting in an .htaccess file, can just as effectively be made in a <Directory> section in your main server configuration file.

You seem to have access to your main server configuration file. Have you tried putting the access controls there? You are supposed to be able to do anything in a <Directory> section that you can in an .htaccess file.

Sorry if I'm out to lunch.

uralmasha Posted April 19, 2006

This is my file .htaccess, and it works. It does not ask for password if I view pages from local network or from the same server (you may remove that line: "allow from 192...."). Note that the "Basic" type of authentication is kind of child-proof, not more than that. It is not recommended as a security measure by the apache site. My .htpasswd contains the list of users and their hashed passwords.

```
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
IndexIgnore README .ht* *~
Options Indexes SymLinksIfOwnerMatch
AuthType Basic
AuthName "Please identify yourself"
AuthUserFile <path to>/.htpasswd
Require valid-user
Order allow,deny
Allow from 192.168.2 127
Satisfy any
```

Guest OldHarry77 Posted April 20, 2006

Why does your htpasswd command have a # in front of it? Wouldn't that comment it out?

static Posted April 21, 2006

Thanks for your replies!

OldHarry77: If you're wondering why the line in the apache config is commented, it's just because when I tried it, nothing changed, so I commented it out again to leave the server as it was until I can figure out something else to try... I will look into the "require" as you said in #1 of your first post.

uralmasha: Wow! Yours looks complicated, but I am going to do some more reading concerning some of those options.

This is great! There may be light at the end of the tunnel...

Guest OldHarry77 Posted April 22, 2006

> OldHarry77: If you're wondering why the line in the apache config is commented, it's just because when I tried it, nothing changed, so I commented it out again to leave the server as it was until I can figure out something else to try... I will look into the "require" as you said in #1 of your first post.

It was your command to create the .htpasswd file that concerned me. You wrote that you

<quote>...tried running the following command from the web_site directory:

```
#htpasswd -c access/.htpasswd
```

<unquote>

My experience with apache is limited to a few exercises in a Linux course. We were told to avoid putting the password file in the web_site directory or one of its subdirectories, and in fact we put it in the Server root set by the ServerRoot directive. If you do that and put your Auth... directives in your main configuration file rather than in .htaccess files, you won't need the code that tries to prevent users from messing with .ht* files in your web_site directories. Simpler is often sounder.

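A small checker for the three points raised in the replies above (an AllowOverride that lacks AuthConfig, a missing Require, and a password file under the web root), added here as an example and not part of the original thread. The finding names and the reduced sample configuration are constructed for illustration, and the parser assumes plain `<Directory>` paths and exact-case directive names.

```python
import posixpath

# Constructed sample, reduced from the configuration posted in the thread.
HTTPD_CONF = '''DocumentRoot "/var/www/html"
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    AllowOverride None
    # AllowOverride All
</Directory>'''
HTACCESS = '''AuthUserFile /var/www/html/vpa/web_site/access/.htpasswd
AuthName "Restricted Area"
AuthType Basic'''

def directives(text):
    """Yield (name, args) for every line that is not blank or a comment."""
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            yield name, args.strip()

def under(path, parent):  # True if path is parent or lies below it
    parent = posixpath.normpath(parent).rstrip("/") + "/"
    return (posixpath.normpath(path) + "/").startswith(parent)

def audit(httpd_conf, htaccess, htaccess_dir):
    """Return sorted finding codes (names made up here) for one .htaccess."""
    overrides, docroot, section = {}, None, None
    for name, args in directives(httpd_conf):
        if name == "<Directory":
            section = args.rstrip(">").strip('"')
        elif name == "</Directory>":
            section = None
        elif name == "AllowOverride" and section:
            overrides[section] = args.split()
        elif name == "DocumentRoot":
            docroot = args.strip('"')
    # Directory sections merge shortest path first, so the longest match wins.
    matching = [p for p in sorted(overrides, key=len) if under(htaccess_dir, p)]
    effective = overrides[matching[-1]] if matching else []
    ht, findings = dict(directives(htaccess)), set()
    if not {"All", "AuthConfig"} & set(effective):
        findings.add("override-blocks-auth")  # auth directives not permitted in .htaccess
    if "AuthType" in ht and "Require" not in ht:
        findings.add("no-require")  # no Require, so nothing demands a login
    pwfile = ht.get("AuthUserFile", "").strip('"')
    if docroot and pwfile and under(pwfile, docroot):
        findings.add("passwd-under-docroot")
    return sorted(findings)
```

Run against the sample, `audit(HTTPD_CONF, HTACCESS, "/var/www/html/vpa/web_site")` reports all three findings; a configuration with `AllowOverride AuthConfig`, a `Require valid-user` line and a password file outside the document root reports none.
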
static Posted April 24, 2006

Good point about the path - my coworker had put it there for some reason; I'm with you on that. As far as the commenting out of that command, I included the console prompt # (as opposed to $) to show I was root, not a user.