ISPConfig: .htaccess Basic Auth Not Working Despite Everything Being Correct

Discussion in 'General' started by Mohit Saini, Apr 3, 2025.

  1. Mohit Saini

    Mohit Saini New Member

    Hi All,

    I'm running into a strange issue with Basic Auth protection in ISPConfig 3.2 — .htaccess and .htpasswd files are in place, being read (confirmed via 500 error test), but Apache never prompts for login.

    Basic Auth login prompts only appear for the initial protected folder; later ones and their user records aren't working.

    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Debian GNU/Linux 12 (bookworm)
     
    [INFO] uptime:  13:35:11 up  8:09,  2 users,  load average: 0.00, 0.01, 0.00
     
    [INFO] memory:
                   total        used        free      shared  buff/cache   available
    Mem:            15Gi       2.7Gi       5.7Gi       118Mi       7.4Gi        12Gi
    Swap:             0B          0B          0B
     
    [INFO] systemd failed services status:
      UNIT                      LOAD   ACTIVE SUB    DESCRIPTION
    ● roundcube-cleandb.service loaded failed failed Purge Roundcube database: remove old records that were marked as deleted
    
    LOAD   = Reflects whether the unit definition was properly loaded.
    ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
    SUB    = The low-level unit activation state, values depend on unit type.
    1 loaded units listed.
    
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.2.12p1
    
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 8.2.28
    [INFO] php-cgi (used for cgi php in default vhost!) is version 8.2.28
    
    ##### PORT CHECK #####
    
    
    ##### MAIL SERVER CHECK #####
    
    [WARN] I found no "smtps" entry in your postfix master.cf
    [INFO] this is not critical, but if you want to offer SSL for smtp (not TLS) connections you have to enable this.
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
        Apache 2 (PID 159931)
    [INFO] I found the following mail server(s):
        Postfix (PID 1509)
    [INFO] I found the following pop3 server(s):
        Dovecot (PID 495)
    [INFO] I found the following imap server(s):
        Dovecot (PID 495)
    [INFO] I found the following ftp server(s):
        PureFTP (PID 1224)
    
    ##### LISTENING PORTS #####
    (only        ()
    Local        (Address)
    ***.***.***.***:53        (501/named)
    ***.***.***.***:53        (501/named)
    ***.***.***.***:53        (501/named)
    ***.***.***.***:53        (501/named)
    [localhost]:6379        (519/redis-server)
    [anywhere]:4190        (495/dovecot)
    [localhost]:10023        (518/postgrey)
    [anywhere]:3306        (790/mariadbd)
    [localhost]:953        (501/named)
    [localhost]:953        (501/named)
    [localhost]:953        (501/named)
    [localhost]:953        (501/named)
    [localhost]:53        (501/named)
    [localhost]:53        (501/named)
    [localhost]:53        (501/named)
    [localhost]:53        (501/named)
    [localhost]:11334        (570/rspamd:)
    [localhost]:11333        (570/rspamd:)
    [localhost]:11332        (570/rspamd:)
    [localhost]:11211        (500/memcached)
    [anywhere]:995        (495/dovecot)
    [anywhere]:993        (495/dovecot)
    [anywhere]:587        (1509/master)
    [anywhere]:465        (1509/master)
    [anywhere]:25        (1509/master)
    [anywhere]:22        (555/sshd:)
    [anywhere]:21        (1224/pure-ftpd)
    [anywhere]:110        (495/dovecot)
    [anywhere]:143        (495/dovecot)
    *:*:*:*::*:8080        (159931/apache2)
    *:*:*:*::*:8081        (159931/apache2)
    *:*:*:*::*:6379        (519/redis-server)
    *:*:*:*::*:4190        (495/dovecot)
    *:*:*:*::*:10023        (518/postgrey)
    *:*:*:*::*:3306        (790/mariadbd)
    *:*:*:*::*:53        (501/named)
    *:*:*:*::*:53        (501/named)
    *:*:*:*::*:53        (501/named)
    *:*:*:*::*:53        (501/named)
    *:*:*:*::*:953        (501/named)
    *:*:*:*::*:953        (501/named)
    *:*:*:*::*:953        (501/named)
    *:*:*:*::*:953        (501/named)
    *:*:*:*::*:11334        (570/rspamd:)
    *:*:*:*::*:11332        (570/rspamd:)
    *:*:*:*::*:11333        (570/rspamd:)
    *:*:*:*::*46:a0ff:fe07:3:53        (501/named)
    *:*:*:*::*46:a0ff:fe07:3:53        (501/named)
    *:*:*:*::*46:a0ff:fe07:3:53        (501/named)
    *:*:*:*::*46:a0ff:fe07:3:53        (501/named)
    *:*:*:*::*:995        (495/dovecot)
    *:*:*:*::*:993        (495/dovecot)
    *:*:*:*::*:587        (1509/master)
    *:*:*:*::*:443        (159931/apache2)
    *:*:*:*::*:465        (1509/master)
    *:*:*:*::*:25        (1509/master)
    *:*:*:*::*:22        (555/sshd:)
    *:*:*:*::*:21        (1224/pure-ftpd)
    *:*:*:*::*:80        (159931/apache2)
    [localhost]10        (495/dovecot)
    [localhost]43        (495/dovecot)
    
    
    
    
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination        
    f2b-pure-ftpd  6    --  [anywhere]/0            [anywhere]/0            multiport dports 21
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination        
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination        
    
    Chain f2b-pure-ftpd (1 references)
    target     prot opt source               destination        
    RETURN     0    --  [anywhere]/0            [anywhere]/0          
    
    
    
    
    ##### LET'S ENCRYPT #####
    acme.sh is installed in /root/.acme.sh/acme.sh
    
    
    
    What I've already verified:
    1. .htaccess is read (triggering 500 error with garbage line)
    2. .htaccess content is valid:
      • Code:
        AuthType Basic
        AuthName "Members Only"
        AuthUserFile /var/www/web5/web/.htpasswd
        require valid-user
    3. .htpasswd exists and is in the correct place
    4. Permissions:
      • .htaccess and .htpasswd = 640, owned by webX:clientX
      • Apache user is www-data
    5. Apache modules are enabled:
      • Code:
        a2enmod auth_basic
        a2enmod authn_file
        a2enmod authz_core
    6. AllowOverride All is present in the vHost block
    7. No useful logs from error.log
    8. Verified Apache can read the .htpasswd path using:
      • Code:
        sudo -u www-data cat /var/www/web5/web/.htpasswd
    9. What’s still happening:
      • No login prompt in the browser
      • No log entries about auth failures or attempts
      • Apache silently serves the directory content
    Can anyone please suggest what else I should check or investigate?
    The websites, databases, and services are all working fine — but I’d really like to get this issue sorted as soon as possible. Any guidance or help would be greatly appreciated!

    Thanks in advance
     
    Last edited: Apr 3, 2025
  2. pyte

    pyte Well-Known Member HowtoForge Supporter

    What do you expect anyone to do? You should at least explain what you did, what you've tried to resolve the issue, any errors you might have found and what the expected behavior is.
     
  3. Mohit Saini

    Mohit Saini New Member

    Apologies — I accidentally pressed Ctrl + Enter and submitted the post before adding all the details. I've now edited the post and included all the necessary information. Please let me know if anything else is needed.
     
  4. pyte

    pyte Well-Known Member HowtoForge Supporter

    ISPConfig provides built-in functionality to make this possible. Why don't you use that instead of configuring htaccess manually?

    The feature is called "Protected Folders"; IIRC you should find it in the sidebar under "Web".
     
  5. Mohit Saini

    Mohit Saini New Member

    I’ve used the Protected Folder Users and Protected Folders features in ISPConfig to enable Basic Auth for three websites (including the default domain). ISPConfig successfully generated the .htaccess and .htpasswd files for all of them.

    However, the Basic Auth login prompt only appears for the first website (the default domain). The other two websites are not triggering the prompt at all.

    I’ve manually reviewed the .htaccess, .htpasswd, Apache configuration, and vHost files — and included all relevant details in this post. So far, I haven’t found anything unusual or misconfigured.
     
  6. Turgut Kalfaoglu

    Turgut Kalfaoglu Member HowtoForge Supporter

    Could it be your browser auto-filling that information? Try it with wget or something.
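
The browser-independent test suggested above, as an added example that is not part of the original thread: an anonymous request with curl (no cached credentials, redirects followed) whose final response headers are classified as protected or not. The function names and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from raw response headers whether Basic Auth was demanded.

# classify_headers reads HTTP response headers on stdin (one or more blocks,
# as curl prints them when following redirects) and prints a verdict for the
# LAST response in the chain.
classify_headers() {
    awk '
        { sub(/\r$/, "") }                       # curl keeps the CRLF line endings
        /^HTTP\// { status = $2; basic = 0 }     # new response: reset state
        tolower($0) ~ /^www-authenticate:[ \t]*basic/ { basic = 1 }
        END {
            if (status == "401" && basic)   print "protected"
            else if (status == "401")       print "401-without-basic-challenge"
            else if (status ~ /^2/)         print "unprotected"
            else if (status ~ /^3/)         print "redirect-not-followed"
            else                            print "other:" status
        }'
}

# check_site URL: anonymous GET with no stored credentials or cookies,
# following redirects (e.g. http -> https) and keeping only the headers.
check_site() {
    curl -sS -L --max-redirs 5 -o /dev/null -D - "$1" | classify_headers
}

# Constructed sample: redirect to HTTPS, then a Basic Auth challenge.
sample_protected() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://site1.example/\r\n\r\n'
    printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Members Only"\r\n\r\n'
}

# Constructed sample: content served with no challenge (the symptom reported).
sample_open() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}

# Usage: sh check_auth.sh https://site1.example/ https://site2.example/
for url in "$@"; do
    printf '%s %s\n' "$(check_site "$url")" "$url"
done
```

A verdict of `unprotected` from this anonymous request means the server itself is not issuing the challenge, so browser auto-fill is not the cause.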
     
