Newb: Desperately need help to password protect a directory

Discussion in 'Installation/Configuration' started by smartin, Feb 1, 2010.

  1. smartin

    smartin New Member

    yoplait,

    *Please* tell me what you did.

    Are you using Digest authentication?

    S
     
  2. yoplait

    yoplait Member

    Of course I will tell you ;) .
    My problem was for munin. Without virtual host, I had to find where it was configured.
    I tried this directive in the /var/www/munin/.htaccess file :
    Code:
    <Limit GET>
    Order Deny,Allow
    Deny from all
    </Limit>
    
    But it wasn't working.
    I found that the configuration file for this was /etc/apache2/sites-enabled/000-ispconfig.conf, so in this one, I had :
    Code:
    <Directory /var/www/munin>
            AllowOverride All
            Order allow,deny
            Allow from all
    </Directory>
    
    then restart apache : invoke-rc.d apache2 restart
    I had this file : /var/www/munin/.htaccess :
    Code:
    AuthType Basic
    AuthName "Members Only"
    AuthUserFile /var/www/munin/.htpasswd
    <limit GET PUT POST>
    require valid-user
    </limit>
    
    Creation of the password :
    Code:
    htpasswd -c /var/www/munin/.htpasswd admin
    
    And everything was working :) .
     
  3. smartin

    smartin New Member

    :eek:

    *How* did you establish that this was the conf file?

    You are using basic authentication as well but surely I have done basically the same thing except that I used htdigest to create the password file, not htpasswd.

    No?

    S
     
  4. yoplait

    yoplait Member

    I saw that there was nothing in the /etc/apache2/apache2.conf file about directories. So I checked the virtualhost files.
    I know that munin is not on the other virtualhost but on the root folder (/var/www), so I tried to watch each file about *not* the virtual domains... and so, I found this one where squirrelmail and webalizer were configured.
     
  5. smartin

    smartin New Member

    Hi,

    This really is driving me crazy...

    Looking here:
    http://httpd.apache.org/docs/2.0/mod/mod_auth_digest.html

    It says that my .htaccess file should look similar to this:
    Code:
    <Location /private/>
    AuthType Digest
    AuthName "private area"
    AuthDigestDomain /private/ http://mirror.my.dom/private2/
    AuthDigestFile /web/auth/.digest_pw
    Require valid-user
    </Location> 
    
    Which it does:
    Code:
    <Location /var/www/lockthisfolder>
            AuthType Digest
            AuthName "Private"
            AuthDigestDomain /var/www/lockthisfolder
            AuthDigestFile /etc/apache2/lockbydigest/digest
            Require valid-user
    </Location>
    
    If I do
    Code:
    locate lockbydigest
    
    I get
    Code:
    /etc/apache2/lockbydigest
    /etc/apache2/lockbydigest/digest
    
    So the digest file I created using htdigest is in the correct place.

    *What* is wrong with the setup?

    s
     
  6. yoplait

    yoplait Member

    Did you try the normal mode before doing the digest one ?
     
  7. smartin

    smartin New Member

    yoplait,

    No. I will and I'll report back :)

    S
     
  8. smartin

    smartin New Member

    Hi,

    No luck. Basic authentication doesn't seem to work either...

    This is what I did:

    Code:
    me@mybox:/etc/apache2/lockbybasic$ sudo htpasswd -c basic myname
    New password: 
    Re-type new password: 
    Adding password for user myname
    me@mybox:/etc/apache2/lockbybasic$ locate lockthisfolder
    /var/www/lockthisfolder
    /var/www/lockthisfolder/.htaccess
    me@mybox:/etc/apache2/lockbybasic$ cd /var/www/lockthisfolder
    me@mybox:/var/www/lockthisfolder$ sudo nano .htaccess
    me@mybox:/var/www/lockthisfolder$ sudo /etc/init.d/apache2 restart
     * Restarting web server apache2
       ...done.
    me@mybox:/var/www/lockthisfolder$ 
    
    This is the relevant htaccess file:
    Code:
    <Directory /var/www/lockthisfolder>
            AuthType Basic
            AuthName "Private"
            AuthUserFile /etc/apache2/lockbybasic/basic
            <limit GET PUT POST>
                    require valid-user
            </limit>
    </Directory>
    
    I still get the same 500 Server error...

    There must be some stupid newb mistake I'm making...

    Any ideas?

    S
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Remove the <Directory .... directives from the .htaccess file. They are not necessary and as the real directory is /var/www/clients/....., they prevent the .htaccess file from working as expected.
     
  10. smartin

    smartin New Member

    till,

    Bless you for coming to the rescue!

    Ok, basic authentication works with the <Directory> directives removed!

    Why won't Digest Authentication work though, if my htaccess file looks like this
    Code:
    AuthType Digest
    AuthName "Private"
    AuthDigestDomain /var/www/lockthisfolder
    AuthDigestFile /etc/apache2/lockbydigest/digest
    Require valid-user
    
    Please note that the /var/www/lockthisfolder is *outside* the ISPc3 structure. I'm guessing it's *not* actually /var/www/clients/..... etc...? It's directly in /var/www.

    Can you help me get Digest Auth working?

    S
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

  12. smartin

    smartin New Member

    Till,

    If I'm understanding correctly...

    I saw the example in the Apache manual but imagined the second reference was there to protect a mirror of the original site, which I don't have...

    I did:
    Code:
    me@mybox:/var/www/lockthisfolder$ sudo a2enmod
    [sudo] password for me: 
    Which module would you like to enable?
    Your choices are: actions alias asis auth_basic auth_digest authn_alias authn_anon authn_dbd authn_dbm authn_default authn_file authnz_ldap authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cern_meta cgid cgi charset_lite dav_fs dav dav_lock dbd deflate dir disk_cache dump_io env expires ext_filter fcgid file_cache filter headers ident imagemap include info ldap log_forensic mem_cache mime mime_magic negotiation php5 proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http proxy rewrite setenvif speling ssl status substitute suexec suphp unique_id userdir usertrack version vhost_alias
    Module name? auth_digest
    This module is already enabled!
    me@mybox:/var/www/lockthisfolder$ sudo nano .htaccess
    me@mybox:/var/www/lockthisfolder$ sudo /etc/init.d/apache2 restart
    
    and my htaccess file now looks like:
    Code:
    AuthType Digest
    AuthName "Private"
    AuthDigestDomain /var/www/lockthisfolder http://www.server.myothersite.co.uk/lockthisfolder
    AuthDigestFile /etc/apache2/lockbydigest/digest
    Require valid-user
    
    But I still get the 500 server error.

    Am I misunderstanding you?

    S
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Then take a look into the error log of the website and post the exact error message.
     
  14. smartin

    smartin New Member

    Till,

    I'm getting
    Code:
    Invalid command 'AuthDigestFile', perhaps misspelled or defined by a module not included in the server configuration
    
    But it says to use AuthDigestFile in the Apache docs...

    S
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to replace AuthDigestFile with AuthUserFile.
     
  16. smartin

    smartin New Member

    Till,

    Nearly there! That gave me the Username/Password challenge.

    The problem is that it won't accept the details I gave it! :eek:

    I have reset the password just in case:
    Code:
    me@mybox:/etc/apache2/lockbydigest$ sudo htdigest -c digest private myname
    Adding password for myname in realm private.
    New password: 
    Re-type new password: 
    me@mybox:/etc/apache2/lockbydigest$ sudo /etc/init.d/apache2 restart
     * Restarting web server apache2
       ...done.
    
    I just can't get past the login! Too secure! :D

    What did I do wrong?

    S
     
  17. yoplait

    yoplait Member

    Try maybe with a very simple login/password to be sure ? (like "abc")
     
  18. smartin

    smartin New Member

    yoplait,

    Nope. I used my own name with qwerty as a password and I still just get re-presented with the login box.

    Is my box cursed...?

    S
     
  19. yoplait

    yoplait Member

    Maybe cursed .. did you try with an exorcist ? :p

    More seriously, have you got something in the log when you click on "ok" ?
     
  20. smartin

    smartin New Member

    If I knew an exorcist I'd definitely get on the phone. I think I may need one the way things are going... ;)

    There is something in the logs...
    Code:
    Digest: user `myname' in realm `Private' not found: /lockthisfolder/pma/ 
    
    But when I reset the PW yet again I get the correct confirmation:
    Code:
    me@mybox:/etc/apache2/lockbydigest$ sudo htdigest -c digest private myname
    Adding password for myname in realm private.
    New password: 
    Re-type new password: 
    me@mybox:/etc/apache2/lockbydigest$ sudo /etc/init.d/apache2 restart
     * Restarting web server apache2
       ...done.
    
    Correct, yes?

    I still get re-presented with the login panel.

    Know an exorcist in the UK...?

    S
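
The log line in the last post asks for realm `Private` (the AuthName value), while the htdigest command shown wrote the entry under realm `private`; the lookup compares the realm string exactly. The script below is an added example, not part of any post in the thread: it checks a digest file for the user/realm pair Apache will look up. The function names, temporary file names and sample entry are constructed, and `md5sum` from coreutils is assumed to be available.

```sh
#!/bin/sh
# Added example (not from the thread). An htdigest line has the form
#   user:realm:MD5(user:realm:password)
# and the realm Apache searches for is the AuthName string, compared exactly.

# ha1 USER REALM PASSWORD -> the hash htdigest stores in field 3
ha1() {
    printf '%s:%s:%s' "$1" "$2" "$3" | md5sum | cut -d' ' -f1
}

# digest_lookup FILE USER REALM -> match | realm-case-mismatch:<realm in file>
#                                  | realm-mismatch:<realm in file> | no-user
digest_lookup() {
    awk -F: -v u="$2" -v r="$3" '
        $1 != u { next }
        $2 == r { found = 1; exit }
        tolower($2) == tolower(r) { near = $2; next }
        { other = $2 }
        END {
            if (found)            print "match"
            else if (near != "")  print "realm-case-mismatch:" near
            else if (other != "") print "realm-mismatch:" other
            else                  print "no-user"
        }' "$1"
}

# authname_of HTACCESS -> realm from the AuthName line, quotes stripped
authname_of() {
    sed -n 's/^[[:space:]]*AuthName[[:space:]]\{1,\}"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Constructed sample reproducing the thread: the digest file was created with
# realm "private", the .htaccess says AuthName "Private".
demo_dir=$(mktemp -d)
printf 'myname:private:%s\n' "$(ha1 myname private qwerty)" > "$demo_dir/digest"
printf 'AuthType Digest\nAuthName "Private"\n' > "$demo_dir/htaccess"

realm=$(authname_of "$demo_dir/htaccess")
echo "AuthName realm: $realm"
echo "lookup result:  $(digest_lookup "$demo_dir/digest" myname "$realm")"
```

A `realm-case-mismatch` result means the entry has to be regenerated with the AuthName string as the realm argument to htdigest, or AuthName changed to match the file; the stored hash also covers the realm, so editing field 2 by hand is not enough.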
     
