.htaccess/.htpasswd Help please
Results 1 to 5 of 5

Thread: .htaccess/.htpasswd Help please

  1. #1
    AO Part Timer
    Join Date
    Feb 2003
    Posts
    332

    .htaccess/.htpasswd Help please

    This is what I have done thus far. I am still ending up empty. Without my login protection. I am trying to protect a configuration tool. It is located in my modify folder

    I created two files.

    htaccess.txt
    AuthName "Webmaster Login"
    AuthType Basic
    AuthUserFile /var/www/dopey/cart/items/modify/.htpasswd
    require valid-user

    htpasswd.txt
    dopeydadwarf:jbdxOuS0bcmRA
    ( no i didn't use my password in this example )

    after upload I changed them to .htaccess/.htpasswd respectivly.

    I placed .htaccess into the modify dir.
    I placed .htpasswd into the cart dir. I guessed on this one...where exactly should it go? Should it go deeper into the dir's

    I found root via <?php echo $DOCUMENT_ROOT ?>
    then the dir's are up from there.

    password via http://tools.blueyonder.co.uk/

    Any help would be greatly appreciated. Any help on common pitfalls is also appreciated.

    P.S. I am learning php and administrating a site hosted on a *nix based server.

  2. #2
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    You said you placed .htpasswd in the cart directory. Look at your .htaccess again

    AuthName "Webmaster Login"
    AuthType Basic
    AuthUserFile /var/www/dopey/cart/items/modify/.htpasswd
    require valid-user
    You are telling .htaccess too look in the modify directory for .htpasswd. This is part of your problem. I have limited knowledge of .htaccess/.htpasswd, I use it quite seldom, however give that a try.. because it's definately part of your problem.. the AuthUserFile must line up with where .htpassword actually is.
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    AO Part Timer
    Join Date
    Feb 2003
    Posts
    332
    HTRegz

    Your point is well noted....Thanks for the correction...however it did no good. Perhaps there is just something I am missing on my side....

    Got any other ideas? Perhaps suggestions on other dir passwd protection?

    Thanks all..
    Your heart was talking, not your mind.
    -Tiger Shark

  4. #4
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    Wait, you say you created two files "htaccess.txt" and "htpasswd.txt". Aren't those supposed to be .htaccess and .htpasswd. I have a different setup, but I use a .htaccess file in the directory I don't want people to visit. I have it point to a file called passwords with no .txt or anything. I set it up using apache documentation on .htaccess. I used a combo of these two links for the setup
    http://httpd.apache.org/docs/howto/htaccess.html
    http://httpd.apache.org/docs/howto/auth.html
    If I remember correctly you also have to edit some of your allow and deny thingies in the httpd.conf file. I have it to where if you access one of the user specific home pages e.g. /~user then you have to have a password. I just used this in the httpd.conf file.
    Code:
    #
    # Control access to UserDir directories.  The following is an example
    # for a site where these directories are restricted to read-only.
    #
    <Directory /home/*/public_html>
        AllowOverride FileInfo AuthConfig Limit Indexes
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        <Limit GET POST OPTIONS PROPFIND>
            Order allow,deny
            Allow from all
        </Limit>
        <LimitExcept GET POST OPTIONS PROPFIND>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>
    All of that was originally commented out. You will have to do something similar most likely, unless for the main directory the .htaccess works by default. Hope this helps. Good luck.

  5. #5
    Senior Member
    Join Date
    Sep 2003
    Posts
    500
    Here, this guy makes it all nice and simple. Got me working
    You can password protect content in both the main and sub-directories of your DocumentRoot fairly easily. I know of cases where persons will allow normal access to their regular web pages, but require passwords for directories / pages that show MRTG or Webalizer data. In this example we'll show how to password protect the /var/www/html directory.

    · Apache has a password utility called "htpasswd" which can create "username password" combinations independent of your system login password for web page access. You have to specify the location of the password file, and if it doesn't yet exist, you'll have to include a "-c" or "create" switch on the command line. I recommend placing the file in your /etc/httpd/conf directory, away from the DocumentRoot tree where web users could possibly view it. Here is an example for a first user named "peter" and a second named "paul":



    [root@bigboy tmp]# htpasswd -c /etc/httpd/conf/.htpasswd peter
    New password:
    Re-type new password:
    Adding password for user peter
    [root@bigboy tmp]#



    [root@bigboy tmp]# htpasswd /etc/httpd/conf/.htpasswd paul
    New password:
    Re-type new password:
    Adding password for user paul
    [root@bigboy tmp]#



    · Make the .htpasswd file readable by all users.



    [root@bigboy tmp]# chmod 644 /etc/httpd/conf/.htpasswd



    · Create a .htaccess file in the directory to which you want password control with the following entries. Remember this will password protect this directory and all its sub directories.



    AuthUserFile /etc/httpd/conf/.htpasswd
    AuthGroupFile /dev/null
    AuthName EnterPassword
    AuthType Basic
    require user peter


    · The AuthUserFile tells Apache to use the “.htpasswd” file

    · The "require user" tells Apache that only user "peter" in the “.htpasswd” file should have access. If you wanted all “.htpasswd” users to have access then you'd replace this line with require valid-user

    · "AuthType Basic" instructs Apache to accept basic unencrypted passwords from the remote users web browser.



    · Set the correct file protections on your new .htaccess file in the directory /var/www/html.



    [root@bigboy tmp]# chmod 644 /var/www/html/.htaccess



    · Make sure your /etc/httpd/conf/http.conf file has an AllowOverride statement in a <Directory> directive for any directory in the tree above /var/www/html. In the example below, we want all directories below /var/www/ to require password authorization.



    <Directory /var/www/html/*>
    AllowOverride AuthConfig
    </Directory>



    · You must also ensure that you have a <VirtualHost> directive that defines access to /var/www/html or another directory higher up in the tree.

    <VirtualHost *>
    ServerName 97.158.253.26
    DocumentRoot /var/www/html
    </VirtualHost>


    · Restart Apache. Try accessing the web site and you'll be prompted for a password.
    taken from http://www.siliconvalleyccie.com/lin...pachebasic.htm
    You shall no longer take things at second or third hand,
    nor look through the eyes of the dead...You shall listen to all
    sides and filter them for your self.
    -Walt Whitman-

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •