Troubleshooting Apache .htaccess Authentication

Apache Web Server users sometimes have problems getting Apache Authentication/password-protection in htaccess working, this is a troubleshooting guide to get Password Protection working!

Table of Contents

• Troubleshooting Apache .htaccess Authentication
  • Apache Authentication with htaccess intro
  • Checking for needed modules
  • Creating an .htaccess file for password-protection
  • chmod your .htaccess and .htpasswd file
  • Use dos2unix to remove windows/mac style formatting
  • Checking AllowOverride for AuthConfig
  • Create a .htpasswd file online
• Apache htaccess Authentication Glossary

Troubleshooting Apache .htaccess Authentication

Apache Authentication with htaccess intro

You might want to check out my Ultimate Apache htaccess Tutorial. For specific help or to ask questions use the forum.

Apache Documentation: 1.3 | 2.0 | 2.2 | Current

Making sure the needed modules are loaded

Add this to your httpd.conf (if on non-windows) but I would imagine that these are already loaded.

LoadModule access_module lib/modules/mod_access.so
LoadModule auth_module lib/modules/mod_auth.so
LoadModule auth_anon_module lib/modules/mod_auth_anon.so
LoadModule auth_dbm_module lib/modules/mod_auth_dbm.so
LoadModule auth_digest_module lib/modules/mod_auth_digest.so

Creating an .htaccess file for password-protection

Add a .htaccess file in the directory you want to protect with the following code.

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /path/to/htpwd/.htpasswd
Require valid-user

chmod your .htaccess and .htpasswd file

chmod your .htpasswd files 640, .htaccess files 644 chmod php files 600, chmod files that you really dont want people to see as 400 (wp-config.php) and NEVER chmod 777, if something requires write access use 766 or 775

CHMOD your .htaccess file 644 which translates to rw-r-r

chmod your .htpasswd file 640 (rw-r--)

$ chmod 644 .htaccess
$ chmod 640 .htpasswd

Remove windows/mac style formatting from .htaccess/.htpasswd files

If you are on linux/bsd then goto a shell and cd into the directory that the .htaccess/.htpasswd file is located in and type the following commands to get rid of any windows formatting, which is oftentimes the problem.

$ dos2unix -dv .htaccess
$ dos2unix -dv .htpasswd

Checking httpd.conf for 'AllowOverride AuthConfig'

Make sure that in your httpd.conf file in the code for your docroot or public_html directory you see at least the following after the AllowOverride directive:

AllowOverride AuthConfig

Create a .htpasswd file online

Once you see a password prompt then you can use this online htpasswd generator for your .htpasswd file.

Apache htaccess Authentication Glossary

Access Control

The restriction of access to network realms. In an Apache context usually the restriction of access to certain URLs. See: Authentication, Authorization, and Access Control

Authentication

The positive identification of a network entity such as a server, a client, or a user. See: Authentication, Authorization, and Access Control

Certificate

A data record used for authenticating network entities such as a server or a client. A certificate contains X.509 information pieces about its owner (called the subject) and the signing -> Certification Authority (called the issuer), plus the owner's -> public key and the signature made by the CA. Network entities verify these signatures using CA certificates. See: SSL/TLS Encryption

Cipher

An algorithm or system for data encryption. Examples are DES, IDEA, RC4, etc. See: SSL/TLS Encryption

Ciphertext

The result after -> Plaintext is passed through a -> Cipher. See: SSL/TLS Encryption

Configuration Directive

See: -> Directive

Configuration File

A text file containing -> Directives that control the configuration of Apache. See: Configuration Files

Context

An area in the -> configuration files where certain types of -> directives are allowed. See: Terms Used to Describe Apache Directives

Directive

A configuration command that controls one or more aspects of Apache's behavior. Directives are placed in the -> Configuration File See: Directive Index

Dynamic Shared Object (DSO)

-> Modules compiled separately from the Apache httpd binary that can be loaded on-demand. See: Dynamic Shared Object Support

Hash

A mathematical one-way, irreversable algorithm generating a string with fixed-length from another string of any length. Different input strings will usually produce different hashes (depending on the hash function).

.htaccess

A -> configuration file that is placed inside the web tree and applies configuration -> directives to the directory where it is placed and all sub-directories. Despite its name, this file can hold almost any type of directive, not just access-control directives. See: Configuration Files

httpd.conf

The main Apache -> configuration file. The default location is /usr/local/apache2/conf/httpd.conf, but it may be moved using run-time or compile-time configuration. See: Configuration Files

Method

In the context of -> HTTP, an action to perform on a resource, specified on the request line by the client. Some of the methods available in HTTP are GET, POST, and PUT.

Message Digest

A hash of a message, which can be used to verify that the contents of the message have not been altered in transit. See: SSL/TLS Encryption

Module

An independent part of a program. Much of Apache's functionality is contained in modules that you can choose to include or exclude. Modules that are compiled into the Apache httpd binary are called static modules, while modules that are stored separately and can be optionally loaded at run-time are called dynamic modules or -> DSOs. Modules that are included by default are called base modules. Many modules are available for Apache that are not distributed as part of the Apache HTTP Server -> tarball. These are referred to as third-party modules. See: Module Index

Pass Phrase

The word or phrase that protects private key files. It prevents unauthorized users from encrypting them. Usually it's just the secret encryption/decryption key used for -> Ciphers. See: SSL/TLS Encryption

Plaintext

The unencrypted text.

Proxy

An intermediate server that sits between the client and the origin server. It accepts requests from clients, transmits those requests on to the origin server, and then returns the response from the origin server to the client. If several clients request the same content, the proxy can deliver that content from its cache, rather than requesting it from the origin server each time, thereby reducing response time. See: mod_proxy

Secure Sockets Layer (SSL)

A protocol created by Netscape Communications Corporation for general communication authentication and encryption over TCP/IP networks. The most popular usage is HTTPS, i.e. the HyperText Transfer Protocol (HTTP) over SSL. See: SSL/TLS Encryption

Symmetric Cryptography

The study and application of Ciphers that use a single secret key for both encryption and decryption operations. See: SSL/TLS Encryption

Transport Layer Security (TLS)

The successor protocol to SSL, created by the Internet Engineering Task Force (IETF) for general communication authentication and encryption over TCP/IP networks. TLS version 1 and is nearly identical with SSL version 3. See: SSL/TLS Encryption

Uniform Resource Locator (URL)

The name/address of a resource on the Internet. This is the common informal term for what is formally called a -> Uniform Resource Identifier. URLs are usually made up of a scheme, like http or https, a hostname, and a path. A URL for this page is /aa/docs/2.0/glossary.html.

Uniform Resource Identifier (URI)

A compact string of characters for identifying an abstract or physical resource. It is formally defined by RFC 2396. URIs used on the world-wide web are commonly referred to as -> URLs.

client

A program that establishes connections for the purpose of sending requests.

user agent

The client which initiates a request. These are often browsers, editors, spiders (web-traversing robots), or other end user tools.

server

An application program that accepts connections in order to service requests by sending back responses. Any given program may be capable of being both a client and a server; our use of these terms refers only to the role being performed by the program for a particular connection, rather than to the program's capabilities in general. Likewise, any server may act as an origin server, proxy, gateway, or tunnel, switching behavior based on the nature of each request.