Apache User Authentication issue.please help


F1_Fan
May 11, 2005, 12:26 PM
I'm trying to restrict access to a directory on my apache webserver. Before I go into detail I'll show what I've got so far.

I've successfully created the Password file.

Here's the code in httpd.conf

DocumentRoot "C:/Program Files/Apache Group/Apache2/htdocs"
...
...
<Directory />
Options FollowSymLinks
AllowOverride AuthConfig Indexes
</Directory>
...
...
<Directory "C:/Program Files/Apache Group/Apache2/htdocs/thewedding">
AllowOverride AuthConfig
Options FollowSymLinks
</Directory>


Here's the .htaccess file.
"
AuthType Basic
AuthName "test User Authentication"
AuthUserFile "C:/Program Files/Apache Group/Apache2/conf/passwords"
Require valid-user
"

Okay.. looks good right? Well here's the problem. When I open index.html in the root directory, I get prompted for a password. (which I don't want.) If I cancel the authentication request, the index.html is displayed.

When I click the link in the index.html that takes me to the restricted directory, I get prompted again for password, and this time I need it. If I cancel I get the authentication error. If I supply the password I can access the directory.

So my authentication works for the sub directory, but it's also prompting for the root directory although it doesn't authenticate.

Any ideas?

Thanks.

LTheobald
May 12, 2005, 04:50 AM
Your <Directory> tags look a little short to me. I'm not 100% as I haven't seen an apache conf file in a while, but should there be some Allow... / Deny... lines?

psi42
May 12, 2005, 06:24 AM
Are you sure you don't have any additional authorization stuff in your httpd.conf?

Are you sure you don't have another .htaccess file in your document root directory?

Are you sure you put the .htaccess file in the right place?

What happens if you change



AllowOverride AuthConfig Indexes


To



AllowOverride None

F1_Fan
May 12, 2005, 08:46 AM
Thanks for the suggestions. But if I change my allow override to

AllowOverride none, then .htaccess files won't work. It's required for the .htaccess. That being said, I've tried defining the authentication in the httpd.conf file and deleting the .htaccess file. I have the same problem.

As for the other reply asking about the allow deny line, that is for restricting which ip addresses/hosts can access the server, it doesn't pertain to the authentication. (according to the documentation.) Either way I've tried this too without luck.

Thanks for the suggestions. Unfortunately neither helped.

If anyone else can help I'd appreciate it.

Here's a thought, do I have to specifically indicate that the root does not require authentication? Normally inheritance goes down the levels not up, but could this be a bug in apache?

psi42
May 17, 2005, 05:20 AM
could this be a bug in apache?

No.

Could you post your entire httpd.conf?

F1_Fan
May 17, 2005, 08:01 AM
Could you post your entire httpd.conf?

Here you go.. Thanks for your help.



### Section 1: Global Environment
ServerRoot "C:/Program Files/Apache Group/Apache2"

PidFile logs/httpd.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule mpm_winnt.c>
ThreadsPerChild 250
MaxRequestsPerChild 0
</IfModule>
Listen 80

#
LoadModule access_module modules/mod_access.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_module modules/mod_auth.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule imap_module modules/mod_imap.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule userdir_module modules/mod_userdir.so

ServerAdmin [email protected]

ServerName DT07061:80

UseCanonicalName Off

DocumentRoot "C:/Program Files/Apache Group/Apache2/htdocs"

<Directory />
Options FollowSymLinks
AllowOverride None
AuthAuthoritative Off
</Directory>
<Location />
Options FollowSymLinks
AllowOverride None
AuthAuthoritative Off
</Location>

<Directory "C:/Program Files/Apache Group/Apache2/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order deny,allow
Allow from all
AuthAuthoritative Off
</Directory>


UserDir "My Documents/My Website"

<Directory "C:/Program Files/Apache Group/Apache2/htdocs/thewedding">
AuthType Basic
AuthName "test User Authentication"
AuthUserFile "C:/Program Files/Apache Group/Apache2/conf/passwords"
Require valid-user
</Directory>

DirectoryIndex index.html index.html.var

AccessFileName .htaccess

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

TypesConfig conf/mime.types
DefaultType text/plain

<IfModule mod_mime_magic.c>
MIMEMagicFile conf/magic
</IfModule>
HostnameLookups Off

ErrorLog logs/error.log

LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CustomLog logs/access.log common

ServerTokens Full
ServerSignature On

Alias /icons/ "C:/Program Files/Apache Group/Apache2/icons/"

<Directory "C:/Program Files/Apache Group/Apache2/icons">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>

AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|ru))?(/.*)?$ "C:/Program Files/Apache Group/Apache2/manual$1"

<Directory "C:/Program Files/Apache Group/Apache2/manual">
Options Indexes
AllowOverride None
Order allow,deny
Allow from all

<Files *.html>
SetHandler type-map
</Files>

SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|ru)/ prefer-language=$1
RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|ru)){2,}(/.*)?$ /manual/$1$2
</Directory>

ScriptAlias /cgi-bin/ "C:/Program Files/Apache Group/Apache2/cgi-bin/"

<Directory "C:/Program Files/Apache Group/Apache2/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>

IndexOptions FancyIndexing VersionSort

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon /icons/unknown.gif


ReadmeName README.html
HeaderName HEADER.html
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw

LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW

ForceLanguagePriority Prefer Fallback

AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5
# For russian, more than one charset is used (depends on client, mostly):
AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8

AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis

AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

AddHandler type-map var

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully

<IfModule mod_ssl.c>
Include conf/ssl.conf
</IfModule>


### Section 3: Virtual Hosts
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs-2.0/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

#
# Use name-based virtual hosting.
#
#NameVirtualHost *:80

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#<VirtualHost *:80>
# ServerAdmin [email protected]
# DocumentRoot /www/docs/dummy-host.example.com
# ServerName dummy-host.example.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>

F1_Fan
Jun 9, 2005, 12:31 PM
I'm almost embarrassed to post this, but since this may help others, I am swallowing my pride.

First thing first. I deleted all my .htaccess files and then the httpd.conf. I then recreated the httpd.conf from httpd.conf.default. I added the following lines to my <Directory> directive


AuthType Basic
AuthName "Assyst Reports"
AuthUserFile "C:/Program Files/Apache Group/Apache2/conf/passwords"
Require valid-user


Once I did this and restarted Apache, I started getting this error.

configuration error: couldn't check user. No user file?:

I recreated the htpasswd file and that went away. Now my original problem came back. I was about to throw in the towel when it dawned on me.

Typical case of: PEBKAC or S.U.S if you prefer.

My index.html in the htdocs directory contained a reference to a resource within the protected directory, (a style sheet, in this case), so I was getting authentication prompts so apache could load the style sheet. When I hit cancel, the index.html still loaded since it wasn't restricted. I didn't notice that the style sheet didn't load. When I went to the protected directory and cancelled I'd get a forbidden error because I failed to log on.

So, this whole thing was "Stupid User Syndrome"!
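
The cause found at the end of this thread (an unprotected page pulling a subresource from the password-protected directory) can be checked for mechanically. The following is an added example, not part of the original posts: it lists the references in a page that a browser fetches automatically and that fall under a protected URL prefix. The sample HTML, the file names in it and the `http://localhost/` URL are constructed for illustration; `/thewedding` is assumed to be the URL path of the protected directory from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import posixpath

# Attributes that make a browser fetch a subresource while rendering a page.
FETCH_ATTRS = {"link": "href", "script": "src", "img": "src",
               "iframe": "src", "source": "src", "embed": "src"}

class SubresourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, raw attribute value) in document order

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)  # None for tags such as <a>, which only link
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))

def protected_subresources(page_url, html, protected_prefixes):
    """Return [(tag, absolute_url)] for same-host subresources under a protected prefix."""
    collector = SubresourceCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).netloc
    hits = []
    for tag, ref in collector.refs:
        parts = urlsplit(urljoin(page_url, ref))  # resolves relative and ../ references
        if parts.netloc != page_host:
            continue  # another host is outside this server's auth configuration
        path = posixpath.normpath(parts.path)
        for prefix in protected_prefixes:
            base = prefix.rstrip("/")
            # Match on a path-segment boundary so /theweddingplans does not match /thewedding.
            if path == base or path.startswith(base + "/"):
                hits.append((tag, parts.geturl()))
                break
    return hits

# Constructed sample: unprotected index.html pulling files from the protected directory.
SAMPLE_INDEX = """<html><head>
<link rel="stylesheet" href="thewedding/style.css">
<script src="/js/site.js"></script>
</head><body>
<img src="./images/../thewedding/photo.jpg">
<a href="thewedding/">The wedding</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url in protected_subresources("http://localhost/index.html", SAMPLE_INDEX, ["/thewedding"]):
        print(f"<{tag}> on an unprotected page fetches protected resource: {url}")
```

Any hit means visitors to the unprotected page will see a Basic authentication prompt; either move the shared resource outside the protected directory or accept that the page needs credentials to render fully.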