.htaccess does not ask the password

Question

I am using Ubuntu 12.04 and trying to use .htaccess on a page with apache2 server on it. My .htaccess file looks like this:

AuthType Basic
AuthName "Password Required"
AuthBasicProvider file
AuthUserFile /home/janeb/.htpasswd
require valid-user

/home/janeb/.htpasswd file is:

inb351:$apr1$Ya4tzYvr$KCs3eyK1O2/c7Q9zRcwn..

and /etc/apache2/sites-available/default file is :

UserDir public_html
<Directory ~ "public_html/.*">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all  
</Directory>

I restarted apache. I have tried to change require valid-user to require user inb351. Still no luck. I also tried AllowOverride with AuthConfig and AuthConfig Indexes. So I don't know what else to do, and yes every step that I have tried I restarted apache.

Edit: The exact default file is:

<VirtualHost *:80>
ServerAdmin webmaster@localhost

DocumentRoot /var/www
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>
    UserDir disabled vmuser
    UserDir public_html
<Directory ~ "public_html/*">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access.log combined

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

Just enable it with "a2enmod auth_basic" if it wasn't then it will enable it. — Stone, Sep 14 '12 at 09:37

Shane Madden · Accepted Answer · 2012-09-19T00:30:40.027

12

I suspect that the apache user isn't capable of reading /home/janeb/.htpasswd. Check Apache's error log.

That's the only thing I see wrong in the config that's provided, but that might not be the only problem; please provide your full virtual host config. I'd also recommend that you move the authentication config out of the .htaccess file - there's no reason for it to be there.

EDIT:

The reason the .htaccess file isn't being applied is because AllowOverride All isn't being applied to the path where your .htaccess file resides.

The .htaccess file needs to be applied at the same time as the <Directory> blocks - if AllowOverride is specified in a <Directory ~ ...> block then it happens after .htaccess should have been applied. Since that doesn't work, the documentation specifically warns against it:

AllowOverride is valid only in <Directory> sections specified without regular expressions, not in <Location>, <DirectoryMatch> or <Files> sections.

Add a new block to your config to allow your .htaccess files to be used:

<Directory /home>
    AllowOverride All
</Directory>

edited Sep 19 '12 at 00:30

answered Sep 15 '12 at 08:03

Shane Madden

114,520
13
181
251

I actually found out that I have an error message like this: [Mon Sep 17 19:20:16 2012] [error] [client 127.0.0.1] client denied by server configuration: /home/janeb/public_html/.htaccess However, I got this error message when I actually tried to access it on a browser by attempting to enter http://localhost/~janeb/.htaccess Other than this error, I only have two of these entries "[Mon Sep 17 19:18:40 2012] [notice] caught SIGTERM, shutting down [Mon Sep 17 19:18:42 2012] [notice] Apache/2.2.22 (Ubuntu) configured -- resuming normal operations " – Sarp Kaya Sep 17 '12 at 09:27
@SarpKaya So your `DocumentRoot` (or a reference of an `Alias`) is `/home/janeb/public_html/`? Your vhost file has no reference to that location; do you know how that's been configured? Or are you accessing the mod_userdir path of `/~janeb`? Can you check what the permissions look like on `/home/janeb` as well as `/home/janeb/.htpasswd`? – Shane Madden Sep 17 '12 at 14:40
yes I am accessing on it through localhost/~janeb, htpasswd is 0644 – Sarp Kaya Sep 17 '12 at 16:19
@SarpKaya Is the password prompt coming up when you try to access a page? And what response code does your browser get when the page load doesn't work? Anyway, let's rule out any other cause; try commenting out the `Require valid-user` line in your `.htaccess` and verify that requests are being allowed immediately? – Shane Madden Sep 17 '12 at 17:25
Shane, That is the problem. It does not ask password when you try to access the page. It just loads the page up. And also I've just tried that, did not work. – Sarp Kaya Sep 18 '12 at 18:45
@SarpKaya Ah! Took a closer look at your config and found the problem. Edited my answer with the solution. – Shane Madden Sep 19 '12 at 00:31
Where is apaches error log? – Soerendip Sep 28 '18 at 22:43

score 3 · Answer 2 · answered Sep 14 '12 at 09:36

3

By the looks of your config you likely need to put your .htaccess file under the /home/janeb/public_html directory which is the DocumentRoot if I'm not wrong.

answered Sep 14 '12 at 09:36

Logic Wreck

1,420
9
8

Just tried this method as well. Did not work... – Sarp Kaya Sep 14 '12 at 09:52

score 3 · Answer 3 · answered Sep 15 '12 at 21:40

3

What are you trying to do exactly?

In your vhost declaration ...

order allow,deny
allow from all

You've already stated that everyone should have access ... this would mean your following .htpasswd is irrelevant, as its taking precedence.

Instead, remove that code, and in your .htaccess all you need is ...

AuthType Basic
AuthName "Password Required"
AuthUserFile /home/janeb/.htpasswd
Require valid-user

The .htpasswd file can be anywhere on the server as long as its readable by whoever Apache runs as (typically www-data).

If you want to combine IP restriction and .htpasswd restriction, then you can also use ..

order deny,allow
deny from all
allow from 192.168.0.10

AuthType Basic
AuthName "Password Required"
AuthUserFile /home/janeb/.htpasswd
Require valid-user

Satisfy Any

answered Sep 15 '12 at 21:40

Ben Lessani

5,244
17
37

Hello, I do not need any IP restrictions. So I've done as you've told me and got rid off `order allow,deny allow from all ` part, however It still does not ask password... – Sarp Kaya Sep 17 '12 at 09:22
Then in that case, its either than the `.htpasswd` cannot be read by whoever Apache runs as (as I said above), or that your `vhost` configuration is matching on another directory statement. Change all the `AllowOverride None` to `AllowOverride All` - one by one, and restart Apache between each change. Then you'll see where its going wrong. – Ben Lessani Sep 17 '12 at 10:04
"this would mean your following `.htpasswd` is irrelevant, as its taking precedence." Hmm? That would only be with `Satisfy Any` set, which I don't see anywhere in the provided config. – Shane Madden Sep 17 '12 at 14:41
Theory says so - but I gave the code a test on a lab machine and it produces the results I described. – Ben Lessani Sep 17 '12 at 14:57
sonassi, as you can check it is already All for public_html... – Sarp Kaya Sep 17 '12 at 16:20
@sonassi Then you had `Satisfy Any` set. The entire point of `Satisfy All` is so that both `Allow`/`Deny` rules as well as other authorization modules must all allow a request. – Shane Madden Sep 17 '12 at 17:24
@ShaneMadden - 'fraid not - there was no `Satisfy` declaration. I understand the point and theory of the arguments - but as I said, I tested the exact config on a lab machine as the results described are what I found. Test it for yourself? – Ben Lessani Sep 17 '12 at 18:01
@sonassi Happy to. http://i.stack.imgur.com/phovU.png That config responds to every request with a `401`, as it should; `curl http://localhost -I` -> `HTTP/1.1 401 Authorization Required` Make sure you don't have a `Satisfy Any` in a more general scope, like your main config. – Shane Madden Sep 17 '12 at 18:25
@ShaneMadden Try again with the same config he described. Allow/deny in the ghost config, allow override all, and the htpasswd author in a htaccess. – Ben Lessani Sep 18 '12 at 07:35
@sonassi Done, same result: http://i.stack.imgur.com/DDBSn.png Can you clarify what you're doing different that's giving you a different result? – Shane Madden Sep 19 '12 at 00:10

score 0 · Answer 4 · edited Mar 26 '13 at 11:58

0

I got here with the same problem. Turns out the public_html definition inherits from the server's top level (<Directory />) settings, and it contained AllowOverride None. Changing this to All (or AuthConfig) did the trick.

edited Mar 26 '13 at 11:58

Kenny Rasschaert

9,045
3
42
58

answered Mar 26 '13 at 11:34

Ketil

1

.htaccess does not ask the password

4 Answers4