0

I've got a path in my domain which needs apache to prompt for a password. I'll be using the .htaccess file to do this, so I can protect or unprotect by adding or removing the file.

I need a place to store the password file created by htpasswd. There are a few requirements.

The apache process can access it to do the authentication. It is outside the document root for better security. It doesn't require changing permissions of plesk created directories. (Optionally) it exists somewhere where the owner of the domain can write to it.

This question assumes Plesk 8.6 and that normal Plesk conventions are followed.

Is there a recommended location?

Mnebuerquo
  • 234
  • 2
  • 6
  • 15

2 Answers2

0

I usually place it in /etc/httpd/ if it's used by multiple vhosts, if only used by one domain then one dir above the webroot would do as well. You can place it in the webroot as well just make sure there's a rule denying access to files with it's naming convention(usually in place by default):

<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
</Files>
CarpeNoctem
  • 2,437
  • 4
  • 23
  • 32
0

I placed it in /cgi-bin. It doesnt seem like it would belong there, BUT it satisfies all of your conditions:

The apache process can access it to do the authentication It is outside the document root for better security It doesn't require changing permissions of plesk created directories. It exists somewhere where the owner of the domain can write to it.

Gaia
  • 1,855
  • 5
  • 34
  • 60
  • If I also have cgi enabled for the domain, could the passwd file be read over the web? – Mnebuerquo Feb 12 '10 at 17:29
  • Try to read it - type in the address where you put it. Note that you should use the htaccess rule described in CarpeNoctem's regardless of the result of your test. – Gaia Apr 22 '10 at 14:28