Apache .htaccess and .htpasswd doesn't ask for password in Django site

Question

I have a Django site with mod_wsgi configured, using Apache 2.4 as web server.

Virtual Host:

<VirtualHost *:80>
    ServerName site.com 
    ServerAlias site.com
    ServerAdmin example@example.com

    DocumentRoot /var/www/site

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    Alias /media/ /var/www/site/media
    Alias /static/ /var/www/site/static

    <Directory /var/www/site>
        Require all granted
        AllowOverride All
    </Directory>

    WSGIScriptAlias / /var/www/site/nep/wsgi.py

    ErrorLog /var/log/apache2/site/error.log
    CustomLog /var/log/apache2/site/access.log combined

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

</VirtualHost>

I have the files .htaccess and .htpasswd in /var/www/site.

.htaccess content:

AuthType Basic
AuthName "Portal Dev Environment, restricted content"
AuthUserFile /var/www/site/.htpasswd
Require valid-user

I have searched all possible solutions for the problem, but can't find one.

Is there a misconfiguration in Virtual Host that is preventing .htaccess/.htpasswd to work?

Try this: [Very simple way of password protecting django app on OpenShift](https://stackoverflow.com/questions/24594968/very-simple-way-of-password-protecting-django-app-on-openshift) — Hayden, Nov 01 '17 at 11:37
_Aside:_ Reagrding your `Alias` directives... you've included a trailing slash on the URL-path, but omitted this on the file-path - is that intentional? (It looks like an error). However, those `Alias` directives look superfluous in the example you've posted? — MrWhite, Nov 01 '17 at 12:42
Thanks for comment @MrWhite. In fact I'm a web developer and not properly a sysadmin. What you're saying may make sense, but it's not related to my specific problem: accessing the site does not pop up the authentication dialog box. — Caco, Nov 01 '17 at 14:50

score 0 · Answer 1 · answered Jan 08 '23 at 18:21

I had the same issue and came upon this question. For me, the solution was that some Require all granted directives for the Django-powered section of my site were overriding the Require valid-user directive for the site root. Something like:

<VirtualHost *:443>
    [...]
    
    # Other directives here
    ErrorLog ${APACHE_LOG_DIR}/error.log
    <Directory "/var/www/html">
        AuthType Basic
        AuthName "Please enter password"
        AuthUserFile /path/2/passwd/file
        Require valid-user
    </Directory>

    #for django
    Alias /app/static /var/www/html/app/static
    <Directory /var/www/html/app/static>
        Require all granted
    </Directory>

    <Directory /var/www/html/site>
       <Files wsgi.py>
            Require all granted
       </Files>
    </Directory>
    [...]
</VirtualHost>

I originally used the Require all granted directives to ensure Apache had access to the WSGI server and static files to serve the Django site. It turns out that it works just fine if you change those two directives each to Require valid-user, and then the authentication dialog box pops up as it does on all the other non-Django-powered pages on my site. Sure enough Caco has a Require all granted directive in their vHost configration, above.

^{I don't use a .htaccess file, my access control configuration is only in the vHost config file, but this shouldn't make a difference.}

Apache .htaccess and .htpasswd doesn't ask for password in Django site

1 Answers1