30

I am trying to password protect a directory, and have two files in the directory which should password protect it:

  • .htaccess
  • .htpasswd

HTACCESS:

```apache
###Contents of .htaccess:
AuthUserFile /var/www/html/path/to/my/directory/.htpasswd
AuthName "Protected Files"
AuthType Basic
Require user admin
```

HTPASSWD:

```
###Contents of .htpasswd
admin:oxRHPuqwKiANY
```

The password is also admin, but no matter what password I try, it is always wrong. It immediately asks for the password again!

What is wrong with this configuration?

HelpNeeder
testing
  • Are .htpasswd/.htaccess blocked by the config? All dot files are blocked by default on apache. – Captain Giraffe Apr 04 '12 at 16:14
  • @CaptainGiraffe: How do I find it out? The dialog with the login data is popping up. So I think .htaccess should work. Don't know if it is valid for .htpasswd. – testing Apr 04 '12 at 16:16
  • 1
    check your `httpd.conf` file. – hjpotter92 Apr 04 '12 at 16:16
  • The easiest way to check is to check if you can see it if you remove authentication. – Captain Giraffe Apr 04 '12 at 16:17
  • The default blocking rule looks like: `Order allow,deny` `Deny from all` `Satisfy all` – Captain Giraffe Apr 04 '12 at 16:18
  • @TheJumpingFrog: I think only my provider can answer that. – testing Apr 04 '12 at 16:20
  • @CaptainGiraffe: What do you mean with removing authentication? Deleting .htpasswd and .htaccess? – testing Apr 04 '12 at 16:21
  • btw, as @CaptainGiraffe pointed out, htpasswd and htaccess are by default denied access. even if you password protect them, you'll need to specify it in httpd.conf – hjpotter92 Apr 04 '12 at 16:24
  • No, you want to add password protection to .htaccess and .htpasswd right? Don't remove the files, but remove the authentication for those files. I suspect you will find that they are hidden by default. – Captain Giraffe Apr 04 '12 at 16:25
  • @CaptainGiraffe: In fact, I want the password protection for the whole directory including those files. I still struggle with the removing of the authentication. How should I do that? Commenting out `AuthUserFile` and `AuthType`? I have another `.htaccess` on this webspace containing `ErrorDocument 404 /error_404.html` which works as expected. – testing Apr 04 '12 at 16:34
  • How is this a programming question? – Jimmy D Apr 04 '12 at 16:37
  • Ok, I completely misunderstood your question; I thought you wanted to password protect your .ht* files. If that is the actual contents of your password file, the password looks suspiciously short. – Captain Giraffe Apr 04 '12 at 17:00
  • Did you create that .htpasswd file using the `htpasswd` command? – Jon Lin Apr 04 '12 at 17:16
  • It's a valid encrypted password, using the crypt() method. `$ openssl passwd -crypt -salt ox admin` gives `oxRHPuqwKiANY` – Mike Apr 05 '12 at 07:17

10 Answers

31

This problem is almost always because apache cannot read the .htpasswd file. There are four causes that come to mind:

  1. it isn't parsing the path correctly... how did you create the .htaccess file? Does it have unix line endings (versus, say, using Notepad in Windows)?

  2. is the path correct? What does the following command (with the path updated) show? `ls -l /var/www/html/path/to/my/directory/.htpasswd`

  3. does the web server have access to the file? `chmod 644` and see if that solves the problem.

  4. it can't parse the .htpasswd file: in this case, you are using the crypt() encryption so it does seem you created the file on Linux and it is probably fine. Some types of encryption only work on certain platforms; if in doubt, try switching to MD5.

You may find helpful messages in the Apache error log.

My money is on #3.

Mike
  • 1. I created the file with Notepad++. So I don't think it has unix line endings. 2. Cannot execute this linux command because I have no shell access. But I checked the path with `dirname(__FILE__)` and adding `.htaccess` at the end. 3. Files already have 644. 4. I think the encryption should be fine, but I also tested using an MD5 encryption. That didn't work, but I think there should also be some server changes, which I haven't done because only my provider could do this. In the end, I think `.htpasswd` is blocked by my provider and I can only ask him if he unlocks it. – testing Apr 05 '12 at 07:36
  • 1. You *want* unix line endings; instructions here: [link](http://wiki.secondlife.com/wiki/How_to_avoid_DOS_line_endings_in_Windows_tools#Notepad.2B.2B). 2. Fair. 3. So much for my bet. :( 4. I agree. Re: the provider, blocking apache from accessing .htpasswd would be a very strange configuration; since you are seeing the login prompt, it's permitting the directive from the .htaccess file. Perhaps they force you to keep .htpasswd outside of your web space? – Mike Apr 05 '12 at 08:00
  • 1
    My solution was in #3 above. I had the .htpasswd in a /home/user/ folder that the web server could not read. Check those apache error logs, they can help you a lot! – garec Feb 10 '14 at 11:37
26

I had a similar issue using MAMP and it was because I was creating .htpasswd by hand. The solution was to use the htpasswd command in the terminal:

```
htpasswd -bc .htpasswd someuser somepass
```

This created the .htpasswd file, which worked fine with my .htaccess file, which looked like so:

```apache
AuthType Basic
AuthName "This site is in alpha and requires a password."
AuthUserFile "/Applications/MAMP/htdocs/mywebsite/.htpasswd"
require valid-user
```
YakovL
sidarcy
  • 2
    Whoever copies-and-pastes this: make sure to include `ErrorDocument 401 "Authorisation Required"` to prevent it from going into an endless loop if you don't get the password right. See my [rejected edit](http://stackoverflow.com/review/suggested-edits/12540997) for an example – ᴍᴇʜᴏᴠ Dec 18 '16 at 17:15
6

There's a small chance you're seeing password protection from a parent folder, not the folder you expect.

If your /etc/apache2/sites-enabled folder has only one file in it, check to see if it has a section for your sites folder, something like:

```apache
<Directory /var/www/mysite.com>
   AllowOverride All
</Directory>
```

otherwise, if it has a file for your site name, like:

```
/etc/apache/sites-enabled/YOUR_SITE_NAME_HERE.conf
```

edit that file instead, and make sure that there's an

```apache
AllowOverride All
```

in there. That's the important part! If you want to only allow the minimum, specify:

```apache
AllowOverride AuthConfig
```

instead.

Brad Parks
4

I had the same problem. Turned out the issue was this line:

```apache
Require user admin
```

If you specify admin you can only access the directory with admin even if you have other users in the .htpasswd file.

If you want to specify the users in the .htpasswd file, you can change the line to:

```apache
Require valid-user
```

Betty
  • You're a life saver. I was banging my head against this (honestly very stupid) bug for half an hour... I tried file encoding, extra lines at the end of the file, different hashing algorithms... all to no avail, until I realized the user I had defined in the .htpasswd file was different from the one in my .htaccess file... sigh... Thanks! – Michael Tontchev Apr 30 '16 at 17:54
3

My problem was that I did not give an absolute path for the AuthFile line.

Dakusan
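
The checks suggested in the answers above (DOS line endings, a non-absolute or unreadable `AuthUserFile`, an entry Apache cannot parse, and a `Require user` name missing from the password file) can be run in one pass. This is an added example, not code from any of the posters: the function names and the sample files written by `demo()` are constructed, and readability is tested as the user running the script, so run it as the web server's account.

```python
import os
import re
import tempfile
from pathlib import Path

# Entry shapes Apache accepts in an htpasswd file, by prefix or length.
HASH_KINDS = [(r"^\$apr1\$", "apr1-md5"), (r"^\$2[aby]\$", "bcrypt"),
              (r"^\{SHA\}", "sha1"), (r"^[./0-9A-Za-z]{13}$", "des-crypt")]

def classify_hash(value):
    return next((k for rx, k in HASH_KINDS if re.search(rx, value)), "unrecognised")

def lint_basic_auth(htaccess_path):
    """Return findings for one .htaccess and the AuthUserFile it points at."""
    findings, directives = [], {}
    raw = Path(htaccess_path).read_bytes()
    if b"\r" in raw:
        findings.append("htaccess: DOS line endings")
    for line in raw.decode("utf-8", "replace").splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1].strip().strip('"')
    pw_path = directives.get("authuserfile", "")
    if not os.path.isabs(pw_path):  # relative paths resolve against ServerRoot
        return findings + ["AuthUserFile: missing or not an absolute path"]
    if not os.access(pw_path, os.R_OK):  # tested as the current user (assumption)
        return findings + ["AuthUserFile: not readable"]
    pw_raw = Path(pw_path).read_bytes()
    if b"\r" in pw_raw or pw_raw.startswith(b"\xef\xbb\xbf"):
        findings.append("htpasswd: DOS line endings or UTF-8 BOM")
    users = {}
    for line in pw_raw.decode("utf-8", "replace").splitlines():
        user, sep, hashed = line.partition(":")
        if sep:
            users[user] = classify_hash(hashed.strip())
    findings += [f"htpasswd: {u} has an unrecognised hash"
                 for u, k in users.items() if k == "unrecognised"]
    require = directives.get("require", "").split()
    if require[:1] == ["user"]:
        findings += [f"Require user {n}: no such htpasswd entry"
                     for n in require[1:] if n not in users]
    return findings

def demo():
    """Constructed sample: CRLF .htaccess requiring a user the htpasswd file lacks."""
    d = Path(tempfile.mkdtemp())
    (d / ".htpasswd").write_bytes(b"someuser:oxRHPuqwKiANY\n")
    (d / ".htaccess").write_bytes(
        f'AuthUserFile "{d}/.htpasswd"\r\nAuthType Basic\r\nRequire user admin\r\n'.encode())
    return lint_basic_auth(d / ".htaccess")
```

An empty list means none of these causes apply, which points towards server-side configuration such as `AllowOverride` or a front-end proxy instead.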
1

I had the same issue.

  • The password should have specified encryption:

CRYPT_STD_DES - Standard DES-based hash with a two character salt from the alphabet "./0-9A-Za-z".

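```php
<?php
// Build a two-character salt for CRYPT_STD_DES.
function standard_salt() {
    $a = array_merge(range(0, 9), range('a', 'z'), range('A', 'Z'));
    return (string) $a[rand(0, count($a) - 1)] . $a[rand(0, count($a) - 1)];
}

// Print the hash that goes after "admin:" in .htpasswd.
echo crypt("admin", standard_salt());
```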

example:

```
admin:dsbU.we73eauE
```

An online JavaScript encrypter is also available.

If it still does not work, take care of these:

  • use unix linebreaks
  • use the correct AuthUserFile path; you can get it using: `echo $_SERVER['DOCUMENT_ROOT'];`
  • set the file readable: `chmod(".htpasswd",0644);`
biberman
0

Also, make sure your password file is ANSI-encoded.

tkotisis
0

I spent about 2 hours resolving the same issue. But the problem was in nginx. I have nginx as the front web server and there was a line for proxy configuration:

```nginx
proxy_set_header Authorization "";
```

It overrides the Authorization field and Apache doesn't receive the login and password typed in.

I just commented out this line and it worked.

Oleg
0

Use

```
htpasswd -b .htpasswd admin admin
```

to use the password from the command line.

Kagan Kongar
0

Also, if you are scatterbrained like me, make sure you have some content to display, like some index.html file in the directory. Otherwise, it will look like authentication failed, while it's just that the server is not allowed to display the directory listing.

Denis