# apache authentication problem [solved]

## ggaaron

This is my /etc/apache2/httpd.conf file. What I want to do is to have all files accessible, but not the "pliki" folder. I can request authentication of the whole server, but I can't do this to one folder =( I'm really starting with web servers.

```
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    # if I delete these four lines, server will never ask me for password, I can access pliki folder without giving my user name and password.
    AuthType Basic
    AuthName "Standard user and password: guest, guest"
    AuthUserFile /usr/local/apache/passwd/passwords
    Require valid-user
</Directory>

<Directory /pliki/>
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    AuthType Basic
    AuthName "Standard user and password: guest, guest"
    AuthUserFile /usr/local/apache/passwd/passwords
    Require valid-user
</Directory>
```

Last edited by ggaaron on Tue Jun 19, 2007 8:18 pm; edited 1 time in total

----------

## amasidlover

The usual way of doing this is with .htaccess files - once you allowOverride all for the directory(ies) you need then you can put a .htaccess file in the ones you want to control the access of.

See here for a howto.

Doing it this way means that you don't need to reload httpd.conf for every change or allow everyone on your server access to httpd.conf.

----------

## ggaaron

.htaccess files are highly discouraged, because they slow servers down, especially old ones =/ This is why I would like to do it in httpd.conf.

----------

## amasidlover

OK, not come across that advice anywhere else. Thanks for the tip - unfortunately it means I can't help with your problem, since we use .htaccess files...

----------

## ggaaron

It's explained in the Apache manual:

```
In general, you should never use .htaccess files unless you don't have access to the main server configuration file. There is, for example, a prevailing misconception that user authentication should always be done in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things.

.htaccess files should be used in a case where the content providers need to make configuration changes to the server on a per-directory basis, but do not have root access on the server system. In the event that the server administrator is not willing to make frequent configuration changes, it might be desirable to permit individual users to make these changes in .htaccess files for themselves. This is particularly true, for example, in cases where ISPs are hosting multiple user sites on a single machine, and want their users to be able to alter their configuration.

However, in general, use of .htaccess files should be avoided when possible. Any configuration that you would consider putting in a .htaccess file, can just as effectively be made in a <Directory> section in your main server configuration file.

There are two main reasons to avoid the use of .htaccess files.

The first of these is performance. When AllowOverride is set to allow the use of .htaccess files, Apache will look in every directory for .htaccess files. Thus, permitting .htaccess files causes a performance hit, whether or not you actually even use them! Also, the .htaccess file is loaded every time a document is requested.

Further note that Apache must look for .htaccess files in all higher-level directories, in order to have a full complement of directives that it must apply. (See section on how directives are applied.) Thus, if a file is requested out of a directory /www/htdocs/example, Apache must look for the following files:

    /.htaccess
    /www/.htaccess
    /www/htdocs/.htaccess
    /www/htdocs/example/.htaccess

And so, for each file access out of that directory, there are 4 additional file-system accesses, even if none of those files are present. (Note that this would only be the case if .htaccess files were enabled for /, which is not usually the case.)

The second consideration is one of security. You are permitting users to modify server configuration, which may result in changes over which you have no control. Carefully consider whether you want to give your users this privilege.

Note that it is completely equivalent to put a .htaccess file in a directory /www/htdocs/example containing a directive, and to put that same directive in a Directory section <Directory /www/htdocs/example> in your main server configuration:

.htaccess file in /www/htdocs/example:

    AddType text/example .exm

httpd.conf

    <Directory /www/htdocs/example>
    AddType text/example .exm
    </Directory>

However, putting this configuration in your server configuration file will result in less of a performance hit, as the configuration is loaded once when Apache starts, rather than every time a file is requested.

The use of .htaccess files can be disabled completely by setting the AllowOverride directive to "none"

    AllowOverride None
```

----------

## amasidlover

OK, makes sense... I'll stop perpetuating the 'prevailing misconception'! :)

I notice that in your httpd.conf extract you have /pliki/ after Directory. In my conf files I have all the sub-directories with options fully qualified, with inverted commas around them and no trailing /. So I have:

```
<Directory "/var/www/localhost/htdocs/myfolder"> 
```

Is /pliki actually /pliki in your fs or is it a subdirectory of your /var/localhost/www/htdocs (assuming Gentoo-style file layout)?

Alex

----------

## ggaaron

Setting /var/localhost/www/htdocs prefix, deleting trailing / and wrapping "" around didn't help... and this pliki folder really is /var/localhost/www/htdocs/pliki/

----------

## amasidlover

I've double checked and based on a number of our servers you will definitely need the full path in the Directory directive. I'll post an example that works (at least it correctly sets the AllowOverride):

```
<Directory "/var/www/localhost/htdocs/test">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthUserFile /etc/test/htpasswd
    AuthGroupFile /etc/test/htgroup
    AuthName "Restricted Area"
    require group compliance
    SSLRequireSSL
</Directory>
```

I had to do /etc/init.d/apache reload (obviously) but after that it worked straight away. If your config matches that then check what is coming out in the error_log and the access_log to see if there is something else happening.

Alex

----------
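
A check for the failure mode seen in this thread, where the auth directives inside `<Directory /pliki/>` were never applied because `<Directory>` takes a filesystem path and no such path exists on disk. This is an added example, not code from the posters or from Apache; the function names, the `fs_root` parameter and the sample config are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed sample: trimmed from the configs posted in the thread.
SAMPLE_CONF = '''
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /pliki/>
    AuthType Basic
    AuthName "Standard user and password: guest, guest"
    AuthUserFile /usr/local/apache/passwd/passwords
    Require valid-user
</Directory>
<Directory "/var/www/localhost/htdocs/pliki/">
    Options Indexes FollowSymLinks
    AuthType Basic
    Require valid-user
</Directory>
'''

# Plain <Directory path> blocks only; <DirectoryMatch> and "~" regex forms are not matched.
BLOCK_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.I | re.S)
# Auth directives that are active, i.e. not behind a leading '#'.
AUTH_RE = re.compile(r'^\s*(AuthType|Require)\b', re.I | re.M)

def unprotected_auth_blocks(conf_text, fs_root="/"):
    """Return <Directory> paths that carry auth directives but do not exist on disk.

    fs_root (hypothetical parameter) lets the check run against a chroot or test tree.
    """
    findings = []
    for path, body in BLOCK_RE.findall(conf_text):
        if not AUTH_RE.search(body):
            continue  # no auth here, so nothing is silently lost
        if any(c in path for c in "*?["):
            continue  # wildcard paths are out of scope for this check
        if not os.path.isdir(os.path.join(fs_root, path.lstrip("/"))):
            findings.append(path)
    return findings

def demo():
    """Build a throwaway docroot with the thread's layout and lint SAMPLE_CONF."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "var/www/localhost/htdocs/pliki"))
        return unprotected_auth_blocks(SAMPLE_CONF, fs_root=root)

if __name__ == "__main__":
    print(demo())
```

A path reported here means the password prompt configured in that block will never be shown, so the content it was meant to protect is served under whatever the enclosing blocks allow.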

## ggaaron

Ha, works, at least partially, I did some changes after looking at your conf.

Apache asks me for password, but I get "You don't have permission to access /pliki/ on this server." message afterwards=( If I give wrong username/password it asks me again, so user works.

One more thing is that in standard "Index of /" there is no more pliki folder, I must do hostname/pliki/ manually.

```
<Directory "/var/www/localhost/htdocs/">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
#    AuthType Basic
#    AuthName "Standard user and password: guest, guest"
#    AuthUserFile /usr/local/apache/passwd/passwords
#    Require valid-user
</Directory>

<Directory "/var/www/localhost/htdocs/pliki/">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "Standard user and password: guest, guest"
    AuthUserFile /usr/local/apache/passwd/passwords
    Require valid-user
</Directory>
```

----------

## amasidlover

Once you've got that far it should get much easier - Apache gives fairly good debug info on why the authentication failed in the error_log or ssl_error_log. Not sure about the directory listing issue - we never use directory listing with Apache.

Alex

----------

## ggaaron

I've turned authentication off, and still I can't access that directory, I can access it with <Directory "/pliki/"> but authentication doesn't work then, with <Directory "/var/www/localhost/htdocs/pliki/"> authentication works, but I can't get to the directory, I get 403 error=/ I'll try some combinations and check the logs.

----------

## ggaaron

Option Indexes solves the 403 problem =) Thank you =) Still I can't see the directory, but maybe it's just another option that isn't enabled. One more time, thank you.

----------

## amasidlover

No problem, glad to help.

----------

