.htaccess troubles
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: .htaccess troubles

  1. #1
    Senior Member
    Join Date
    Dec 2001
    Posts
    304

    .htaccess troubles

    Well I finally installed phpMyAdmin. I have been using my shell all along and decided I would set it up so I did. Works like a dream, very easy to install... Very nice.. I am glad I did as I went to check user privlages and found that there were 2 users that I didnt know about

    User Password
    ------- --------------
    Any None
    Any None

    So I got those outta there....

    Anyways I need to password protect this so I was making an .htaccess file and it dont work... Can someone look at this and tell me what I am doing wrong.

    Ok I cd to the phpMyAdmin directory
    pico .htaccess

    Then add

    AuthType Basic
    AuthUserFile .htpasswd
    AuthName phpMyAdmin
    require user euclid

    Then Save and close...

    I then make the .htpasswd file, So i type

    htpasswd -c .htpasswd euclid <enter>
    mypassword <enter>
    mypassword <enter>

    I then open browser to directory and it comes right up .. No PW prompt.... Can someone help
    Violence breeds violence
    we need a world court
    not a republican with his hands covered in oil and military hardware lecturing us on world security!

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Not really sure what you are using, but a couple of thoughts:

    -- If it is apache and this isn't directory covered by the httpd.conf or access.conf, then make sure that the directory is setup to allow a .htaccess file (it has to be explicitly setup).

    -- You might want to consider changing the 'require use euclied' to 'require valid-user' in case you want to allow someone else access. then won't have to give your password, but that is just something to consider.

    -- Make sure you setup your configuration to deny access to the .htaccess and .htpasswd files.
    (You'd be amazed how many people forget or don't do that)

    -- Make sure you close your browser and reopen it when you test. They are particularly bad about caching authorization/pages and won't request authorization if they already have it chached.

    -- You might could also consider restricting access by addresses if possible.

    My suspicion is that you haven't allowed a subdirectory to use .htaccess...

    This section of httpd.conf comes to mind:

    # This controls which options the .htaccess files in directories can
    # override. Can also be "All", or any combination of "Options", "FileInfo",
    # "AuthConfig", and "Limit"
    #
    # AllowOverride None
    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Senior Member
    Join Date
    Dec 2001
    Posts
    304
    I always seem to leave something out. Yes I am using apache.

    Anyways I got it so that the password prompt comes up but for some reason will not accept my password
    Violence breeds violence
    we need a world court
    not a republican with his hands covered in oil and military hardware lecturing us on world security!

  4. #4
    Senior Member
    Join Date
    Dec 2001
    Posts
    304
    Anyone have any idea why this wont accept my password?
    Violence breeds violence
    we need a world court
    not a republican with his hands covered in oil and military hardware lecturing us on world security!

  5. #5
    Junior Member
    Join Date
    Apr 2003
    Posts
    4
    Dunno the specifics in this instance, but it seems to me that you would need to do 1 of 2 things.. either map the access permissions to actual user accounts (and passwords) on the box, or provide a username/password combo (not 2 passwords).

  6. #6
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Make sure whatever user you are running the daemon (apache) as (for example nobody), that it has read permission to your user file.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    I have a setup similiar to this

    httpd.conf, example

    Code:
    <Directory "/path/to/directory/to/protect/">
        Options Indexes FollowSymLinks MultiViews ExecCGI Includes
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
    
        AuthUserFile /path/to/directory/to/protect/.htpasswd 
        AuthName "Login"
        AuthType Basic
    
    <Limit GET POST>
    require valid-user
    </Limit>
    </Directory>
    Im not a pro and this example may be bad but I use a similiar setup myself (it works) and if someone can add best-practise-knowledge would I be more then happy.

    (You may also want to change the "Options" line to suit you better then in my example).

    If you add these lines above to the httpd.conf then you will not need to create the .htaccess file. But I added a example below just incase you not have access to the httpd.conf.

    One thing: Its not good practice to have the .htpasswd file in the directory you want to protect (like in the example) but sometimes you don't have access to a directory outside the http/web-directory, if possible store the .htpasswd file at another location not direct accessible for visitors.

    .htpasswd, example

    Generate the pasword file with 'htpasswd', sometimes has it failed for me to create it direct were I want it, so I had to create it first and then cp or mv it to the correct location.

    .htpaccess, example

    Code:
    AuthUserFile /path/to/directory/to/protect/.htpasswd
    AuthName "Login"
    AuthType Basic
    
    <Limit GET POST>
    require valid-user
    </Limit>
    Hope this will be to any help.

    ~micael

  8. #8
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    It is generally not good practice to put that user file in the same directory; however, if you have the following statements in your httpd.conf, you should be ok, at least from the web page side of things:
    Code:
    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>
    I think your problem is probably that you are running your httpd as a user such as nobody or noaccess or some other non-privelaged user (which you should be doing) and that your password file is probably mod 700, owned by root (or maybe your user). Either change the ownership of the file to be owned by the user running the daemon, or put that user in a group and then give group access to the file (read), or make it have other read access. I do highly recommend you have the above statement to deny access to the file, and I also recommend placing the file in a location that the daemon can read the file, but that the web page wouldn't be able to access.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    I did not mention this since in all Apache installations I have done is these lines there by default. But it may be worth check out that these lines really are there, just to be safe (or if you want to change the name(s) to something less obvious then .hta**).

    ~micael

  10. #10
    Junior Member
    Join Date
    Apr 2003
    Posts
    2
    Don`t forget set Permission for .htpasswd and .htpasswd

    root@localhost#: chmod 700 xxxx

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •