Securing Directory in Apache


Post by » Wed, 06 Mar 2002 12:27:41



I apologize for doing this but I couldn't find an apache newsgroup so I'm
posting here.

How do I secure a folder in Apache so that a user will get a login/password
prompt when accessing a specified folder?  I followed the instructions in the
documentation at http://httpd.apache.org/docs/howto/auth.html#basicworks :

1. Creating a password file using the 'htpasswd.exe' command
2. Set the configuration to use this password file:
    I added the lines below in the 'access.conf' or 'htaccess.conf' file
    under the specified folder
*****
AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /usr/local/apache/passwd/passwords
Require user rbowen sungo
*****

I then tried accessing the folder and I can access it without the
login/password prompt.  Any ideas?

Thanks in advance,

-Ray

 
 
 


Post by Rich Bowe » Wed, 06 Mar 2002 20:51:27



> I apologize for doing this but I couldn't find an apache newsgroup so I'm
> posting here.

> How do I secure a folder in Apache so that a user will get a login/password
> prompt when accessing a specified folder?  I followed the instruction in the
> documentation at http://httpd.apache.org/docs/howto/auth.html#basicworks :

> 1. creating a password file using the 'htpasswd.exe' command
> 2. Set the configuration to use this password file:
>     I added the lines below in the 'access.conf' or 'htaccess.conf' file
> under the specified
> folder
> *****
> AuthType Basic
> AuthName "By Invitation Only"
> AuthUserFile /usr/local/apache/passwd/passwords
> Require user rbowen sungo
> *****

> I then tried accessing the folder and i can access it without the
> login/password prompt.  Any ideas?

Several.

First, your statement that you added it "in the 'access.conf' or
'htaccess.conf' file" is a little vague. Make sure that you are adding
it to the right file. If it is not in the right file, Apache will not
know to use it as a configuration file.

Second, if you are indeed adding it to a .htaccess file (or whatever you
have called it in your AccessFile directive) make sure that you have
"AllowOverride AuthConfig" set for the directory in question, or the
file will not be permitted to override any settings relating to
authentication.

And, of course, once you have it working, make sure that you list valid
users that actually have passwords. The user names 'rbowen' and 'sungo'
are not special in any way. Well, that is, I think they are special, but
they won't do you much good. ;-)

--

ApacheAdmin.com

 
 
 


Post by » Thu, 07 Mar 2002 02:04:10


> Second, if you are indeed adding it to a .htaccess file (or whatever you
> have called it in your AccessFile directive) make sure that you have
> "AllowOverride AuthConfig" set for the directory in question, or the
> file will not be permitted to override any settings relating to
> authentication.

I added the lines:

<Directory "C:/Program Files/Apache Group/Apache/htdocs/wwwroot/rf3labsDev">
    AllowOverride AuthConfig
</Directory>

in my httpd.conf file.  I restarted the apache service and it is still not
working.  Can you send me an example of what and where I should add lines
to?  Thank you for your help.

-Ray




 
 
 


Post by Raghavendra Holl » Fri, 08 Mar 2002 01:16:45


Did you create a .htaccess file under the 'hide' directory containing a
'require user' directive?

rgds,
-holla.

 
 
 


Post by » Fri, 08 Mar 2002 02:41:09


Yes.  Here's what I have in my .htaccess file:

AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /Program Files/Apache Group/Apache/bin/RayTest
Require RayTest

And here's my httpd.conf file:

<Directory "C:/Program Files/Apache Group/Apache/htdocs/wwwroot/test">
    AllowOverride AuthConfig
    require RayTest

</Directory>

When I added the 'require RayTest' line I get the error:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable
to complete your request.

the time the error occurred, and anything you might have done that may have
caused the error.

More information about this error may be available in the server error log.

--------------------------------------------------------------------------------

Apache/1.3.14 Server at 127.0.0.1 Port 80

Thanks for your help,

-Ray



 
 
 


Post by Dave Patt » Fri, 08 Mar 2002 02:53:06




>Yes.  Here's what i have on my .htaccess file:

>AuthType Basic
>AuthName "By Invitation Only"
>AuthUserFile /Program Files/Apache Group/Apache/bin/RayTest
>Require RayTest

>And here's my httpd.conf file:

><Directory "C:/Program Files/Apache Group/Apache/htdocs/wwwroot/test">
>    AllowOverride AuthConfig
>    require RayTest

></Directory>

>When i added the 'require RayTest' line I get the error:

>Internal Server Error
>The server encountered an internal error or misconfiguration and was
>unable to complete your request.

>them of the time the error occurred, and anything you might have done
>that may have caused the error.

>More information about this error may be available in the server error
>log.

>-------------------------------------------------------------------------
>--- ----

>Apache/1.3.14 Server at 127.0.0.1 Port 80

>Thanks for your help,

>-Ray



>> Did You create .htaccess file under 'hide' directory containing
>> 'require user' directive?

>> rgds,
>> -holla.

<http://httpd.apache.org/docs-2.0/mod/core.html#require>
Your syntax of the Require directive is invalid.
When the documentation says "valid-user" it means just that,
the string "valid-user", not the name of a valid user.
Try "Require user RayTest".

Dave
------------------------------------------------
To reply via email, edit my email address first.
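
The points raised in the replies above, put together in one place. This is an added example, not part of any post in the thread; the drive letter in the AuthUserFile path and the assumption that the password file contains a user named RayTest are not confirmed by the thread.

```apache
# ---------------------------------------------------------------
# httpd.conf (main server configuration; restart Apache after editing)
# ---------------------------------------------------------------

# Name of the per-directory file Apache reads. ".htaccess" is the default.
# A file saved as "htaccess.conf" or "access.conf" inside the folder is
# never read unless it is named here.
AccessFileName .htaccess

<Directory "C:/Program Files/Apache Group/Apache/htdocs/wwwroot/test">
    # Allow .htaccess files in this directory to set the Auth* and
    # Require directives. Without this they are not permitted to override
    # authentication settings and no login prompt appears.
    AllowOverride AuthConfig
</Directory>

# ---------------------------------------------------------------
# .htaccess (saved inside .../htdocs/wwwroot/test)
# ---------------------------------------------------------------

AuthType Basic
AuthName "By Invitation Only"

# Password file created beforehand with, for example:
#     htpasswd -c "<path to file>" RayTest
# Quote the path: an unquoted path containing spaces is split into
# several arguments. Keep the file outside the document root so it
# cannot be requested over HTTP.
# (Drive letter assumed; the path posted in the thread has none.)
AuthUserFile "C:/Program Files/Apache Group/Apache/bin/RayTest"

# Require takes a keyword first, then its arguments:
#     Require user RayTest      -> only the listed user name(s)
#     Require valid-user        -> any user present in AuthUserFile
# "Require RayTest" (no keyword) is the invalid form from the thread.
Require user RayTest
```

If the server still answers without a prompt or with a 500 page, the server error log names the directive and file it rejected.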

 
 
 
