.htaccess help 2

Status
Not open for further replies.

danomaniac

Programmer
Jan 16, 2002
266
US
After reading through this forum, I can bet most of you are tired of this subject, but alas, it has claimed another hapless victim... me! I have exhausted all options I can think of before advertising on this forum the fact that I can't figure this out. So I humbly ask for help.

My website is being hosted on a Unix server running Apache 1.3.11 server software. I only have ftp access, I can't telnet. From what I've read on the web, it's a simple matter for someone like me to secure a directory using .htaccess but it isn't working out that way.

I’ve managed to create the .htaccess file and placed it in the directory I wish to secure

AuthUserFile /html/cgi-bin/.htpasswd
AuthGroupFile /dev/null
AuthName "Secure Vendor Login"
AuthType Basic

<Limit GET POST PUT>
require valid user
</Limit>

Is the /html directory assumed? Meaning can I just put /cgi-bin/.htpasswd ? The only reason I ask is the /html/ portion of the path does not show up in the browser address window.

Next, in the /html/cgi-bin directory, I place the .htpasswd file

testuser:sxBA1Uq2a1HFk

That’s it. Now, when I try to access a page in the ‘protected’ directory, I get prompted for a username and password, but no matter what I do, it never accepts it.

Since I can’t telnet to the server, I used one of those “Create a password” sites that creates an encrypted password for you. Personally, I don’t see how this could work, but they claim to. Is this the source of my grief?

I’ve also tried putting just a plain word in the .htpasswd file for a password, like testuser:testpassword and tried to log in. Nada.

Am I missing something? What about this httpd.conf file I’ve read so much about? Is that a server-side thing? Or can I create/modify it from my side?

I've talked with the tech guys that are hosting my site, and either they don't know the answers, or I don't know the questions (I'm pretty sure it's the latter), but I'm no better off after I hang up the phone than before.

Many questions, I know. I’m probably asking to be told in 3 words or less how to do something some people make careers out of, and for that, I apologize.

Thanks very much for any response at all.
 
Hi mate,

Have you tried putting the htpasswd file in the root directory instead and trying that?

Your server should be set up so that any .ht will never be shown to a browser so you can try that and see..

Let me know how you get on..

By the way, the httpd.conf file is the server config and probably it is your host that controls that.. Unless you have a dedicated server etc..

Hope this helps Wullie

 
Hi,

The fact that you know nothing of your httpd.conf makes me suspect that you may be operating within a virtual host on an apache system and, as such you wouldn't see the full picture. Also, the ftp access given is most likely chrooted whereby what appears to you to be the '/' root directory is in reality somewhere lower down the 'real' tree. For example, '/html' may really be '/home/ or suchlike.

From experimenting, I can only get a .htaccess file to work if the AuthUserFile points at the full physical pathname. So, if my suspicions are correct you need to find the real paths.

To do this you can try running the printenv.cgi program that comes with apache and prints out all the environment variables:

#!/usr/bin/perl
##
## printenv -- demo CGI program which just prints its environment
##

print "Content-type: text/plain\n\n";
foreach $var (sort(keys(%ENV))) {
    $val = $ENV{$var};
    $val =~ s|\n|\\n|g;
    $val =~ s|"|\\"|g;
    print "${var}=\"${val}\"\n";
}

Place that in your cgi-bin directory as 'printenv.cgi' and use the ftp 'chmod' command to make it executable. Then try :

. Hopefully, you should get a page full of apache environment variables which should tell you what the real path is to your DocumentRoot. Once you know that you may stand a chance of pointing UserAuthFile at the correct physical location.

Hope this helps
 
Thanks for the replies. Sorry I haven't gotten back before now, stuff to do. Wully, I've tried putting the .htpasswd file in the root with no luck. But after reading ifincham's two bits - it's quite possible my root isn't what it appears to be. Those sneaky devils. Thanks for the script and the advice ifincham - that all sounds reasonable. I will put it to the test tomorrow and let you know how I do.
 
AARRGGHH!!! Still unable to authenticate.

I had no problem running the script – cool utility.

Run from the directory I wish to protect I get:

DOCUMENT_ROOT="/html"
GATEWAY_INTERFACE="CGI/1.1"
HTTP_ACCEPT="*/*"
HTTP_ACCEPT_LANGUAGE="en-us"
HTTP_HOST="HTTP_PRAGMA="no-cache"
HTTP_USER_AGENT="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)"
PATH="/usr/local/bin:/usr/bin:/bin"
QUERY_STRING=""
REMOTE_ADDR="xx.xx.xx.xx"
REMOTE_HOST="xx.xx.xx.xx.myhost.net"
REMOTE_PORT="2737"
REQUEST_METHOD="GET"
REQUEST_URI="/vendors/vendor1/printenv.cgi"
SCRIPT_FILENAME="/html/vendors/vendor1/printenv.cgi"
SCRIPT_NAME="/vendors/vendor1/printenv.cgi"
SERVER_ADDR="xx.xx.xxx.xxx"
SERVER_ADMIN="webmaster@mysite.com"
SERVER_NAME="SERVER_PORT="80"
SERVER_PROTOCOL="HTTP/1.0"
SERVER_SOFTWARE="Apache/1.3.11"

When I run it from my /cgi-bin directory (where the .htpasswd file is) I get the exact same path information. The only difference is the Script_filename shows “/html/cgi-bin/printenv.cgi” .

Now, I changed my .htaccess file to read:
AuthUserFile /usr/local/bin:/usr/bin:/bin/cgi-bin/.htpasswd – Nope
AuthUserFile /usr/local/bin:/usr/bin:/bin/html/cgi-bin/.htpasswd – Nope

Then it occurred to me that certainly I’m not the only site on this server, so I explored my apparent ftp root and looked in the / I found a tree that looked something like this:
/ and then an exact duplicate of my entire site. So then I tried:
AuthUserFile /usr/local/bin:/usr/bin:/bin/ – Nope

I’m at a loss. The fact that I get prompted for a username and password tells me that the .htaccess file is being read, correct? That means that the AuthUserFile directive is pointing somewhere and when I click submit, the .htaccess file is going to wherever looking for a .htpasswd file. Is it possible that my .htpasswd file is being read (Heaven knows I’ve tried a million permutations of pathnames), but the server doesn’t recognize the encryption? I would be much more comfortable if the passwords were generated on the same machine my site is hosted on, because at this point, I have two unknowns: The path, and the validity of the password encryption. How can I troubleshoot if I have two unknowns? I’m beginning to be more confident in my path assessment, so now I’m leaning toward password trouble. Is the encryption the same from machine to machine? Meaning if I have a site like apachepasswords.com generate an encrypted password for me, will it work in my .htpasswd file? I don’t see how it can.
 
Hi mate,

Just ignore the following:

PATH="/usr/local/bin:/usr/bin:/bin"

That is not your document root, that is the path to perl on the server..

I have just read your first post again and noticed something that I missed to start with...

You have:

AuthUserFile /html/cgi-bin/.htpasswd
AuthGroupFile /dev/null
AuthName "Secure Vendor Login"
AuthType Basic

<Limit GET POST PUT>
require valid user
</Limit>


Try instead using the following:

AuthUserFile /html/cgi-bin/.htpasswd
AuthGroupFile /dev/null
AuthName "Secure Vendor Login"
AuthType Basic

<Limit GET POST>
require valid user
</Limit>

See if that works..

Hope this helps Wullie

 
WOOHOO!! SUCCESS!!

After much anguish I came up with this for a path:

AuthUserFile /AuthGroupFile /dev/null
AuthName "Secure Vendor Login"
AuthType basic
require valid-user

Notice, I took the <Limit> out completely during my experimentation. And evidently, I had to add the hyphen between valid and user in the require directive.

Thanks so much for the help ifincham and Wullie. Cheers!
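
A lint for the problems this thread ran into, as an added example that is not code from any of the posters: it flags a `require` type mod_auth does not handle, a `<Limit>` block that leaves other HTTP methods without authentication, and a password file stored under the document root, and it checks whether a `.htpasswd` field has the shape of a hash that htpasswd writes. The function names are hypothetical, the `/html` document root is the value printenv reported above, and the format check looks at shape only and does not verify a password.

```python
import re

# Constructed input: the .htaccess quoted in the first post of this thread.
HTACCESS = '''AuthUserFile /html/cgi-bin/.htpasswd
AuthGroupFile /dev/null
AuthName "Secure Vendor Login"
AuthType Basic

<Limit GET POST PUT>
require valid user
</Limit>
'''
REQUIRE_TYPES = {"valid-user", "user", "group"}  # assumption: types mod_auth handles
HASH_FORMATS = [                                  # shapes of hashes written by htpasswd
    ("crypt", re.compile(r"[./0-9A-Za-z]{13}")),
    ("apr1-md5", re.compile(r"\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}")),
    ("sha1", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}=")),
]

def lint_htaccess(text, document_root):
    """Return (line_no, message) findings for the Basic-auth directives."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        words = raw.strip().split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "<limit":
            methods = " ".join(words[1:]).rstrip(">").split()
            findings.append((no, "auth is limited to %s; other methods are not covered"
                             % ",".join(methods)))
        elif key == "require" and (len(words) < 2 or words[1].lower() not in REQUIRE_TYPES):
            findings.append((no, "unknown require type %r" % " ".join(words[1:2])))
        elif key == "authuserfile" and len(words) > 1:
            path = words[1].strip('"')
            if not path.startswith("/"):
                findings.append((no, "AuthUserFile is not an absolute path"))
            elif path.startswith(document_root.rstrip("/") + "/"):
                findings.append((no, "password file sits under the document root"))
    return findings

def classify_htpasswd_line(line):
    """Return (user, format); format is None when the field is not a known hash shape."""
    user, _, field = line.strip().partition(":")
    for name, pattern in HASH_FORMATS:
        if pattern.fullmatch(field):
            return user, name
    return user, None
```

Run against the first post's file with `lint_htaccess(HTACCESS, "/html")`, it reports lines 1, 6 and 7; the plain-word entry `testuser:testpassword` that was tried classifies as no known hash format.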
 