
Thread: .htaccess troubles

  1. #1
    Senior Member
    Join Date
    Dec 2001
    Posts
    304

    .htaccess troubles

    Well I finally installed phpMyAdmin. I have been using my shell all along and decided I would set it up so I did. Works like a dream, very easy to install... Very nice.. I am glad I did as I went to check user privileges and found that there were 2 users that I didn't know about

    User Password
    ------- --------------
    Any None
    Any None

    So I got those outta there....

    Anyways I need to password protect this so I was making an .htaccess file and it doesn't work... Can someone look at this and tell me what I am doing wrong.

    Ok I cd to the phpMyAdmin directory
    pico .htaccess

    Then add

    AuthType Basic
    AuthUserFile .htpasswd
    AuthName phpMyAdmin
    require user euclid

    Then Save and close...

    I then make the .htpasswd file, so I type

    htpasswd -c .htpasswd euclid <enter>
    mypassword <enter>
    mypassword <enter>

    I then open browser to directory and it comes right up .. No PW prompt.... Can someone help
    Violence breeds violence
    we need a world court
    not a republican with his hands covered in oil and military hardware lecturing us on world security!

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Not really sure what you are using, but a couple of thoughts:

    -- If it is apache and this isn't a directory covered by the httpd.conf or access.conf, then make sure that the directory is set up to allow a .htaccess file (it has to be explicitly set up).

    -- You might want to consider changing the 'require user euclid' to 'require valid-user' in case you want to allow someone else access. Then you won't have to give your password, but that is just something to consider.

    -- Make sure you set up your configuration to deny access to the .htaccess and .htpasswd files.
    (You'd be amazed how many people forget or don't do that)

    -- Make sure you close your browser and reopen it when you test. They are particularly bad about caching authorization/pages and won't request authorization if they already have it cached.

    -- You might could also consider restricting access by addresses if possible.

    My suspicion is that you haven't allowed a subdirectory to use .htaccess...

    This section of httpd.conf comes to mind:

    # This controls which options the .htaccess files in directories can
    # override. Can also be "All", or any combination of "Options", "FileInfo",
    # "AuthConfig", and "Limit"
    #
    # AllowOverride None
    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Senior Member
    Join Date
    Dec 2001
    Posts
    304
    I always seem to leave something out. Yes I am using apache.

    Anyways I got it so that the password prompt comes up but for some reason will not accept my password

  4. #4
    Senior Member
    Join Date
    Dec 2001
    Posts
    304
    Anyone have any idea why this won't accept my password?

  5. #5
    Junior Member
    Join Date
    Apr 2003
    Posts
    4
    Dunno the specifics in this instance, but it seems to me that you would need to do 1 of 2 things.. either map the access permissions to actual user accounts (and passwords) on the box, or provide a username/password combo (not 2 passwords).

  6. #6
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Make sure whatever user you are running the daemon (apache) as (for example nobody), that it has read permission to your user file.

    /nebulus

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    I have a setup similar to this

    httpd.conf, example

    Code:
    <Directory "/path/to/directory/to/protect/">
        Options Indexes FollowSymLinks MultiViews ExecCGI Includes
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
    
        AuthUserFile /path/to/directory/to/protect/.htpasswd 
        AuthName "Login"
        AuthType Basic
    
    <Limit GET POST>
    require valid-user
    </Limit>
    </Directory>
    I'm not a pro and this example may be bad but I use a similar setup myself (it works) and if someone can add best-practice knowledge I would be more than happy.

    (You may also want to change the "Options" line to suit you better than in my example).

    If you add these lines above to the httpd.conf then you will not need to create the .htaccess file. But I added an example below just in case you do not have access to the httpd.conf.

    One thing: It's not good practice to have the .htpasswd file in the directory you want to protect (like in the example) but sometimes you don't have access to a directory outside the http/web-directory. If possible, store the .htpasswd file at another location not directly accessible to visitors.

    .htpasswd, example

    Generate the password file with 'htpasswd'. Sometimes it has failed for me to create it directly where I want it, so I had to create it first and then cp or mv it to the correct location.

    .htaccess, example

    Code:
    AuthUserFile /path/to/directory/to/protect/.htpasswd
    AuthName "Login"
    AuthType Basic
    
    <Limit GET POST>
    require valid-user
    </Limit>
    Hope this will be of some help.

    ~micael

  8. #8
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    It is generally not good practice to put that user file in the same directory; however, if you have the following statements in your httpd.conf, you should be ok, at least from the web page side of things:
    Code:
    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>
    I think your problem is probably that you are running your httpd as a user such as nobody or noaccess or some other non-privileged user (which you should be doing) and that your password file is probably mod 700, owned by root (or maybe your user). Either change the ownership of the file to be owned by the user running the daemon, or put that user in a group and then give group access to the file (read), or make it have other read access. I do highly recommend you have the above statement to deny access to the file, and I also recommend placing the file in a location that the daemon can read the file, but that the web page wouldn't be able to access.

    /nebulus

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    I did not mention this since in all Apache installations I have done these lines are there by default. But it may be worth checking that these lines really are there, just to be safe (or if you want to change the name(s) to something less obvious than .hta**).

    ~micael

  10. #10
    Junior Member
    Join Date
    Apr 2003
    Posts
    2
    Don't forget to set permissions for .htpasswd and .htpasswd

    root@localhost#: chmod 700 xxxx
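
The checks raised across this thread, gathered into one configuration as an added example (not any poster's own setup): override permission, blocking the `.ht*` files, an absolute password-file path, and read access for the daemon. All paths and `APACHE_GROUP` are placeholders (assumptions); the access-control lines use the same Apache 2.2-style syntax as the posts above.

```apache
# ---- httpd.conf (server config) ----
# Placeholder paths throughout; substitute your own.

# Let .htaccess files under the protected directory set auth directives.
# With "AllowOverride None" the .htaccess file is ignored and no prompt appears.
<Directory "/path/to/directory/to/protect">
    AllowOverride AuthConfig
</Directory>

# Refuse to serve .htaccess/.htpasswd themselves (2.2-style syntax as in the
# thread; on Apache 2.4 the block body becomes "Require all denied").
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

# ---- /path/to/directory/to/protect/.htaccess ----
AuthType Basic
AuthName "phpMyAdmin"
# Absolute path. A relative AuthUserFile is resolved against ServerRoot,
# not against the directory that holds the .htaccess file.
# Kept outside the web-served tree so it can never be fetched over HTTP.
AuthUserFile /path/outside/webroot/phpmyadmin.htpasswd
# No <Limit GET POST> wrapper: inside <Limit> the requirement covers only the
# listed methods, leaving any other method unauthenticated.
Require valid-user

# ---- password file (shell, run once) ----
#   htpasswd -c /path/outside/webroot/phpmyadmin.htpasswd euclid
#   chgrp APACHE_GROUP /path/outside/webroot/phpmyadmin.htpasswd   # placeholder group
#   chmod 640 /path/outside/webroot/phpmyadmin.htpasswd            # daemon needs read, nothing more
```

Restart or reload Apache after changing httpd.conf; edits to .htaccess take effect on the next request.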
