Newb: Desperately need help to password protect a directory

Discussion in 'Installation/Configuration' started by smartin, Feb 1, 2010.

  1. smartin

    smartin New Member

    Newb: Desperately need help to password protect a directory SOLVED

    EDIT:

    (Please read the whole thread but I hope this is the solution...)

    This is simplicity itself. Only took me just over two weeks ;)

    I am running Ubuntu server 8.04 LTS, set up with ISPc3.

    I need to protect a folder /var/www/lockthisfolder . I want to use Digest authentication.

    I created a directory "lockbydigest" in / to contain the htdigest file.

    NOTE: Only use the -c flag the first time you create the htdigest file. Otherwise a new one will be created for you and you will lose the details of the existing users you have set up.

    Code:
    root@mybox:/lockbydigest# htdigest -c digest private myname
    Adding password for myname in realm private.
    New password: 
    Re-type new password: 
    root@mybox:/lockbydigest# ls
    digest
    root@mybox:/lockbydigest# locate lockthisfolder
    /var/www/lockthisfolder
    root@mybox:/var/www/lockthisfolder# touch .htaccess
    root@mybox:/var/www/lockthisfolder# ls
    pma
    root@mybox:/var/www/lockthisfolder# ls -a
    .  ..  .htaccess  pma
    root@mybox:/var/www/lockthisfolder# sudo nano .htaccess
    root@mybox:/var/www/lockthisfolder# /etc/init.d/apache2 restart
     * Restarting web server apache2
       ...done.
    root@mybox:/var/www/lockthisfolder# exit
    The /var/www/lockthisfolder/.htaccess file contains:
    Code:
    AuthType Digest
    AuthName "private"
    AuthDigestDomain /var/www/lockthisfolder http://www.my.servername.com/lockthisfolder
    AuthUserFile /etc/apache2/lockbydigest/digest
    Require valid-user
    Restart apache
    Code:
    sudo /etc/init.d/apache2 restart
    
    Be sure to do
    Code:
    sudo chown root:www-data digest
    sudo chmod 640 .htaccess
    
    on the digest file and the .htaccess file.

    I think that was all I did! Look through the rest of the thread if something isn't working.

    S


    Hi,

    (Starting this here as it's probably to do with the ISPc3 htaccess file...?)

    I urgently need to password protect a directory and seem to be getting things wrong, as usual...

    I'm running Ubuntu 8.04 LTS server with ISPc3 running fine.

    I need to protect a folder /var/www/lockthisfolder . I want to use Digest authentication.

    I created a directory "lockbydigest" in / to contain the htdigest file.

    Then I did:
    Code:
    root@mybox:/lockbydigest# htdigest -c digest private myname
    Adding password for myname in realm private.
    New password: 
    Re-type new password: 
    root@mybox:/lockbydigest# ls
    digest
    root@mybox:/lockbydigest# locate lockthisfolder
    /var/www/lockthisfolder
    root@mybox:/var/www/lockthisfolder# touch .htaccess
    root@mybox:/var/www/lockthisfolder# ls
    pma
    root@mybox:/var/www/lockthisfolder# ls -a
    .  ..  .htaccess  pma
    root@mybox:/var/www/lockthisfolder# sudo nano .htaccess
    root@mybox:/var/www/lockthisfolder# /etc/init.d/apache2 restart
     * Restarting web server apache2
       ...done.
    root@mybox:/var/www/lockthisfolder# exit
    The /var/www/lockthisfolder/.htaccess file contains:
    Code:
    <Directory /var/www/lockthisfolder>
            AuthType Digest
            AuthName "Private"
            AuthDigestFile /etc/apache2/lockbydigest/digest
            Require user myname
    </Directory>
    Why don't I get a username/password challenge when I go to /var/www/lockthisfolder ?

    Thanks as always :)

    S
     
    Last edited: Feb 17, 2010
  2. prisfeo

    prisfeo New Member

    did you check that .htaccess directive are read by Apache webserver ?
    i am referring to the "AllowOverride" setting directive inside apache httpd.conf

    look here:
    http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride

    When this directive is set to "None",
    then .htaccess files are completely ignored.
     
    Last edited: Feb 1, 2010
  3. smartin

    smartin New Member

    prisfeo,

    Thanks for chipping in...

    ISPc3 relies on Apache directives so I'm sure they must be activated. No?

    S
     
  4. prisfeo

    prisfeo New Member

    yes,
    but pay attention that after regular ispconfig3 installation,
    if you look inside /etc/httpd/conf/httpd.conf
    you'll see this setting:
    "AllowOverride None"

    and only in /etc/httpd/conf/sites-available/www.yoursite.com.vhost apache config files there is:
    "AllowOverride All"

    that "enables" .htaccess "looking" by apache.
    so that, check if your "/var/www/lockthisfolder"
    is configured inside a httpd virtual host with that AllowOverride setting.

    i mean the following:

    <Directory /var/www/lockthisfolder>
    AllowOverride All
    .....
    .....
    </Directory>
     
  5. smartin

    smartin New Member

    prisfeo,

    I'm not quite following...

    Do you mean that the .htacess file inside /var/www/lockthisfolder should look like this?:

    Code:
    <Directory /var/www/lockthisfolder>
            AllowOverride All
            AuthType Digest
            AuthName "Private"
            AuthDigestFile /etc/apache2/lockbydigest/digest
            Require user myname
    </Directory>
    S
     
  6. prisfeo

    prisfeo New Member

    no.
    ...
    as told before, i mean you have to check the apache configuration,
    that is related to the "/var/www/lockthisfolder" folder.
    is that folder configured inside a virtual host config file ?
    if yes, check that configuration..
    it's that configuration that must have inside the "Directory" directive
    the "AllowOverride All" statement.
    i hope to have explained better..(unfortunately i am not english)
     
  7. smartin

    smartin New Member

    How do I know which file that is? I'm guessing it must be tha main /etc/apache2/httpd.conf file...?
    I'm guessing not... It's outside the ISPc3 structure, in the root of the /www directory.

    My /etc/apache2/httpd.conf file is completely empty. Is that the relevant file? How should it look?

    Code:
    <Directory /var/www/lockthisfolder>
            AllowOverride All
    </Directory>
    ?

    No problem! I'm grateful for your help.

    S
     
  8. prisfeo

    prisfeo New Member

    uhmm..if you tellin that above..i think your apache httpd.conf is not located
    like mine (i use Centos) cause it cannot be empty..in Ubuntu maybe
    located in /usr/local/apache2 ?
    you can do the following find command inside terminal:

    find / -iname 'httpd.conf'

    mine is located at:
    /etc/httpd/conf/httpd.conf

    and it's not empty..but it has the "AllowOverride" directive
    set to "None" since are the virtual host apache config files that
    tune the per-site configurations.(as said before)
    ..
    if you are telling that your folder is "out of the ispc3 struct"
    so when you have find the "non-empty" httpd.conf
    edit it, and find lines with "AllowOverride" directive
    and try to set them to "All"

    and after editing do an "apachectl restart"
    a try to see if it works as expected
     
  9. smartin

    smartin New Member

    I only seem to have one httpd.conf file, /etc/apache2/httpd.conf, and it's definitely empty.

    Is this an Ubuntu quirk?

    Is there another file which could do the same job?

    Does it have another name in Ubuntu perhaps?

    S
     
  10. yoplait

    yoplait Member

    maybe /etc/apache2/apache2.conf ? (for debian ...)
     
  11. smartin

    smartin New Member

    Yoplait,

    This is my apache2.conf file:

    Code:
    #
    # Based upon the NCSA server configuration files originally by Rob McCool.
    #
    # This is the main Apache server configuration file.  It contains the
    # configuration directives that give the server its instructions.
    # See http://httpd.apache.org/docs/2.2/ for detailed information about
    # the directives.
    #
    # Do NOT simply read the instructions in here without understanding
    # what they do.  They're here only as hints or reminders.  If you are unsure
    # consult the online docs. You have been warned.  
    #
    # The configuration directives are grouped into three basic sections:
    #  1. Directives that control the operation of the Apache server process as a
    #     whole (the 'global environment').
    #  2. Directives that define the parameters of the 'main' or 'default' server,
    #     which responds to requests that aren't handled by a virtual host.
    #     These directives also provide default values for the settings
    #     of all virtual hosts.
    #  3. Settings for virtual hosts, which allow Web requests to be sent to
    #     different IP addresses or hostnames and have them handled by the
    #     same Apache server process.
    #
    # Configuration and logfile names: If the filenames you specify for many
    # of the server's control files begin with "/" (or "drive:/" for Win32), the
    # server will use that explicit path.  If the filenames do *not* begin
    # with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log"
    # with ServerRoot set to "" will be interpreted by the
    # server as "//var/log/apache2/foo.log".
    #
    
    ### Section 1: Global Environment
    #
    # The directives in this section affect the overall operation of Apache,
    # such as the number of concurrent requests it can handle or where it
    # can find its configuration files.
    #
    
    #
    # ServerRoot: The top of the directory tree under which the server's
    # configuration, error, and log files are kept.
    #
    # NOTE!  If you intend to place this on an NFS (or otherwise network)
    # mounted filesystem then please read the LockFile documentation (available
    # at <URL:http://httpd.apache.org/docs-2.1/mod/mpm_common.html#lockfile>);
    # you will save yourself a lot of trouble.
    #
    # Do NOT add a slash at the end of the directory path.
    #
    ServerRoot "/etc/apache2"
    
    #
    # The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
    #
    #<IfModule !mpm_winnt.c>
    #<IfModule !mpm_netware.c>
    LockFile /var/lock/apache2/accept.lock
    #</IfModule>
    #</IfModule>
    
    #
    # PidFile: The file in which the server should record its process
    # identification number when it starts.
    # This needs to be set in /etc/apache2/envvars
    #
    PidFile ${APACHE_PID_FILE}
    
    #
    # Timeout: The number of seconds before receives and sends time out.
    #
    Timeout 300
    
    #
    # KeepAlive: Whether or not to allow persistent connections (more than
    # one request per connection). Set to "Off" to deactivate.
    #
    KeepAlive On
    
    #
    # MaxKeepAliveRequests: The maximum number of requests to allow
    # during a persistent connection. Set to 0 to allow an unlimited amount.
    # We recommend you leave this number high, for maximum performance.
    #
    MaxKeepAliveRequests 100
    
    #
    # KeepAliveTimeout: Number of seconds to wait for the next request from the
    # same client on the same connection.
    #
    KeepAliveTimeout 15
    
    ##
    ## Server-Pool Size Regulation (MPM specific)
    ## 
    
    # prefork MPM
    # StartServers: number of server processes to start
    # MinSpareServers: minimum number of server processes which are kept spare
    # MaxSpareServers: maximum number of server processes which are kept spare
    # MaxClients: maximum number of server processes allowed to start
    # MaxRequestsPerChild: maximum number of requests a server process serves
    <IfModule mpm_prefork_module>
        StartServers          5
        MinSpareServers       5
        MaxSpareServers      10
        MaxClients          150
        MaxRequestsPerChild   0
    </IfModule>
    
    # worker MPM
    # StartServers: initial number of server processes to start
    # MaxClients: maximum number of simultaneous client connections
    # MinSpareThreads: minimum number of worker threads which are kept spare
    # MaxSpareThreads: maximum number of worker threads which are kept spare
    # ThreadsPerChild: constant number of worker threads in each server process
    # MaxRequestsPerChild: maximum number of requests a server process serves
    <IfModule mpm_worker_module>
        StartServers          2
        MaxClients          150
        MinSpareThreads      25
        MaxSpareThreads      75 
        ThreadsPerChild      25
        MaxRequestsPerChild   0
    </IfModule>
    
    # These need to be set in /etc/apache2/envvars
    User ${APACHE_RUN_USER}
    Group ${APACHE_RUN_GROUP}
    
    #
    # AccessFileName: The name of the file to look for in each directory
    # for additional configuration directives.  See also the AllowOverride
    # directive.
    #
    
    AccessFileName .htaccess
    
    #
    # The following lines prevent .htaccess and .htpasswd files from being 
    # viewed by Web clients. 
    #
    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
    </Files>
    
    #
    # DefaultType is the default MIME type the server will use for a document
    # if it cannot otherwise determine one, such as from filename extensions.
    # If your server contains mostly text or HTML documents, "text/plain" is
    # a good value.  If most of your content is binary, such as applications
    # or images, you may want to use "application/octet-stream" instead to
    # keep browsers from trying to display binary files as though they are
    # text.
    #
    DefaultType text/plain
    
    
    #
    # HostnameLookups: Log the names of clients or just their IP addresses
    # e.g., www.apache.org (on) or 204.62.129.132 (off).
    # The default is off because it'd be overall better for the net if people
    # had to knowingly turn this feature on, since enabling it means that
    # each client request will result in AT LEAST one lookup request to the
    # nameserver.
    #
    HostnameLookups Off
    
    # ErrorLog: The location of the error log file.
    # If you do not specify an ErrorLog directive within a <VirtualHost>
    # container, error messages relating to that virtual host will be
    # logged here.  If you *do* define an error logfile for a <VirtualHost>
    # container, that host's errors will be logged there and not here.
    #
    ErrorLog /var/log/apache2/error.log
    
    #
    # LogLevel: Control the number of messages logged to the error_log.
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    #
    LogLevel warn
    
    # Include module configuration:
    Include /etc/apache2/mods-enabled/*.load
    Include /etc/apache2/mods-enabled/*.conf
    
    # Include all the user configurations:
    Include /etc/apache2/httpd.conf
    
    # Include ports listing
    Include /etc/apache2/ports.conf
    
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    # If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent
    
    #
    # ServerTokens
    # This directive configures what you return as the Server HTTP response
    # Header. The default is 'Full' which sends information about the OS-Type
    # and compiled in modules.
    # Set to one of:  Full | OS | Minor | Minimal | Major | Prod
    # where Full conveys the most information, and Prod the least.
    #
    ServerTokens Full
    
    #
    # Optionally add a line containing the server version and virtual host
    # name to server-generated pages (internal error documents, FTP directory 
    # listings, mod_status and mod_info output etc., but not CGI generated 
    # documents or custom error documents).
    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
    # Set to one of:  On | Off | EMail
    #
    ServerSignature On
    
    
    
    #
    # Customizable error responses come in three flavors:
    # 1) plain text 2) local redirects 3) external redirects
    #
    # Some examples:
    #ErrorDocument 500 "The server made a boo boo."
    #ErrorDocument 404 /missing.html
    #ErrorDocument 404 "/cgi-bin/missing_handler.pl"
    #ErrorDocument 402 http://www.example.com/subscription_info.html
    #
    
    #
    # Putting this all together, we can internationalize error responses.
    #
    # We use Alias to redirect any /error/HTTP_<error>.html.var response to
    # our collection of by-error message multi-language collections.  We use 
    # includes to substitute the appropriate text.
    #
    # You can modify the messages' appearance without changing any of the
    # default HTTP_<error>.html.var files by adding the line:
    #
    #   Alias /error/include/ "/your/include/path/"
    #
    # which allows you to create your own set of files by starting with the
    # /usr/share/apache2/error/include/ files and copying them to /your/include/path/, 
    # even on a per-VirtualHost basis.  The default include files will display
    # your Apache version number and your ServerAdmin email address regardless
    # of the setting of ServerSignature.
    #
    # The internationalized error documents require mod_alias, mod_include
    # and mod_negotiation.  To activate them, uncomment the following 30 lines.
    
    #    Alias /error/ "/usr/share/apache2/error/"
    #
    #    <Directory "/usr/share/apache2/error">
    #        AllowOverride None
    #        Options IncludesNoExec
    #        AddOutputFilter Includes html
    #        AddHandler type-map var
    #        Order allow,deny
    #        Allow from all
    #        LanguagePriority en cs de es fr it nl sv pt-br ro
    #        ForceLanguagePriority Prefer Fallback
    #    </Directory>
    #
    #    ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
    #    ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
    #    ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
    #    ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
    #    ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
    #    ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
    #    ErrorDocument 410 /error/HTTP_GONE.html.var
    #    ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
    #    ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
    #    ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
    #    ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
    #    ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
    #    ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
    #    ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
    #    ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
    #    ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
    #    ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
    
    
    
    # Include of directories ignores editors' and dpkg's backup files,
    # see README.Debian for details.
    
    # Include generic snippets of statements
    Include /etc/apache2/conf.d/
    
    # Include the virtual host configurations:
    Include /etc/apache2/sites-enabled/
    
    Do I just add
    Code:
    <Directory /var/www/lockthisfolder>
            AllowOverride All
    </Directory>
    
    to the end of that file?

    Edit: No, I get a 500 internal server error...

    S
     
    Last edited: Feb 1, 2010
  12. prisfeo

    prisfeo New Member

    hi S..

    strange it lacks the "DocumentRoot" and std "AllowOverride" settings..but i think are here (in those folders are extra config. settings as told above):

    ..
    however, related to your try:

    try with quotes:

    <Directory "/var/www/lockthisfolder">
    AllowOverride All
    </Directory>

    (always restart apache after)
     
  13. smartin

    smartin New Member

    prisfeo
    The DocumentRoot entry is near the beginning, under Global Environment...


    I still get the same 500 Internal Server error.

    Does the

    AllowOverride All

    directive need to go in a particular place in the document perhaps?

    S
     
  14. Hans

    Hans Moderator

    To protect a directory the only thing you have to do is:

    Within the directory /web, you can create a .htaccess file with the following content:

    Code:
    AuthType Basic
    AuthName "Members Only"
    AuthUserFile /var/www/www.example.com/directoryname/.htpasswd
    <limit GET PUT POST>
    require valid-user
    </limit>

    After that you must create a password file (in this example for the user admin):

    Code:
    htpasswd -c /var/www/www.example.com/directoryname/.htpasswd admin
    That's it, but make sure that .htaccess files are allowed on your system.
     
  15. smartin

    smartin New Member

    Hans,

    Thanks for your time...

    Isn't that basically what I did though? Except that I want to use Digest authentication for some extra security...?

    S
     
  16. prisfeo

    prisfeo New Member

    sorry S, but in the apache2.conf code you posted i cannot see any
    "DocumentRoot" entry..
    however it's strange that 500 error..apache have to manage that directive..
    here a portion of my http.conf with those directives:

    Code:
    #
    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    #
    DocumentRoot "/var/www/html"
    
    #
    # Each directory to which Apache has access can be configured with respect
    # to which services and features are allowed and/or disabled in that
    # directory (and its subdirectories).
    #
    # First, we configure the "default" to be a very restrictive set of
    # features.
    #
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    
    #
    # Note that from this point forward you must specifically allow
    # particular features to be enabled - so if something's not working as
    # you might expect, make sure that you have specifically enabled it
    # below.
    #
    
    #
    # This should be changed to whatever you set DocumentRoot to.
    #
    <Directory "/var/www/html">
    
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.2/mod/core.html#options
    # for more information.
    #
        Options Indexes FollowSymLinks
    
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
        AllowOverride None
    
    #
    # Controls who can get stuff from this server.
    #
        Order allow,deny
        Allow from all
    
    </Directory>
    ------------------------
    hu i think i know why "500" error!!
    put again the

    <Directory "/var/www/lockthisfolder">
    AllowOverride All
    </Directory>

    in your apache conf file..
    but the error is not generated from it,
    but from the .htaccess syntax or commands..that now are read !
    ..
    try temporarily to put only this code inside .htaccess file:

    <Limit GET>
    Order Deny,Allow
    Deny from all
    </Limit>

    and after try to browse with your browser to that folder,
    you should get a "forbidden access"
    and it means .htaccess is correctly read by apache :)
    so you have to find correct syntax/commands to protect the folder
     
    Last edited: Feb 2, 2010
  17. smartin

    smartin New Member

    Sorry... I was looking at 'ServerRoot", not "DocumentRoot". I can't see DocumentRoot either.

    I'm thinking the fact that I have installed ISPc3 is confusing the situation...?

    Ok, I *do* get a 'forbidden' error now! :)

    Any guesses as to what I should put in there?:eek:

    S
     
  18. prisfeo

    prisfeo New Member

    OK :) ! so now it's normal behaviour since apache manage your .htaccess files;

    about that..try to follow Hans tips..
    or read here:

    http://httpd.apache.org/docs/2.0/howto/auth.html
    you should make it work..
     
  19. yoplait

    yoplait Member

    I had the same problem, and I had resolved it with your tips.

    Thanks for your help, it works great for me ;) .
     
  20. smartin

    smartin New Member

    prisfeo,

    I can't relate Hans' suggestion as it's using Basic authentication. I want to use Digest Authentication.

    I have tried to follow the page behind the link you made but nothing seems to work.

    It's *definitely* just the content of the .htaccess file which is the problem, yes?

    S
     

Share This Page