19

I want to password protect my website, but as soon as I add in the .htpasswd and .htaccess files I get a server error:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Here is the code I'm using:

.htaccess

AuthType Basic  
AuthName "Top Secret for SongKick eyes only."  
AuthUserFile /webroot/.htpasswd  
require valid-user

.htpasswd

songkick:isS1rCTQE/p8E

I've also tried AuthUserFile /.htpasswd (ie. without "webroot", which is the name of the folder it appears to be in File Manager) but this doesn't work either.

I'm using GoDaddy hosting by the way, if that makes a difference.

Ronan Boiteau
  • 9,608
  • 6
  • 34
  • 56
Leanne Beesley
  • 191
  • 1
  • 1
  • 3
  • 1
    It should show detailed error report in apache log file, check it first. – artahian Mar 18 '13 at 11:59
  • I don't have enough points to comment so just sharing [my answer](https://stackoverflow.com/a/56653615/11551511) from [another forum](https://stackoverflow.com/questions/19060586/htaccess-htpasswd-500-internal-server-error). – Lab Nap Jun 18 '19 at 16:44

5 Answers5

38

According to AuthUserFile, you must supply the complete path to your password file, not the relative path from DocumentRoot, if it is absolute (i.e. starting with a slash).

The AuthUserFile directive sets the name of a textual file containing the list of users and passwords for user authentication. File-path is the path to the user file. If it is not absolute, it is treated as relative to the ServerRoot.

Note that ServerRoot is not DocumentRoot.

If DocumentRoot is /var/www and the password file is /var/www/webroot/.htpasswd, you must say 

AuthUserFile /var/www/webroot/.htpasswd

in your .htaccess file.

You can find out about the absolute path with a small PHP script, e.g.

<?php
echo "Absolute path: ", getcwd();

Put this in the directory, where you want to locate the .htpasswd file, and call it with http://www.example.com/path/to/test.php

Don't forget to remove the script, when you're done.

Said that, you shouldn't put your password file anywhere accessible in your DocumentRoot. Better put it in some place not accessible from the web, i.e. /etc/apache2/htpasswd or wherever it suits you.

Olaf Dietsche
  • 72,253
  • 8
  • 102
  • 198
  • 3
    To add to that: the complete path is not the same as your FTP path. Your FTP could show `12.34.567.89/` while the actual path could be `/var/www/domain.com`. This can be found in your control panel (if present) or through the error logs (if accessible). – Sjeiti Jun 17 '14 at 09:05
4

Two things come to mind.

  1. Is .htpasswd readable by the web server user?

  2. Do you know if Apache is set with AllowOverride all to allow .htaccess to operate as intended?

Giacomo1968
  • 25,759
  • 11
  • 71
  • 103
  • 2
    Hey Jake, agh I don't actually know what either of those things mean. What steps would I take to find those out? – Leanne Beesley Mar 18 '13 at 12:22
  • I was getting a 500 until I changed the permissions on `.htpasswd` to `-rw-r--r--`. – RustyDev Aug 19 '14 at 17:59
  • @horizens Happy this helped! As I pointed out, `.htpasswd` needs to be readable by the web server user. And permissions of `-rw-r--r--` should work fine. – Giacomo1968 Aug 20 '14 at 01:42
1

All of the standard answers (full path, correct format, etc) weren't working for me. After a lot of tracking down I found that the permissions on the parent folder were insufficient, so even though the path in .htaccess was correct and the permissions on the file were rw-r-r, still no go because the parent was rwx-rw--. That can be tough to track down on a host that limits access to up stream folders.

Craig Jacobs
  • 940
  • 2
  • 16
  • 28
1

Major reason of this error is the "AuthUserFile" path. I was having this same issue and i solved it by going in cpanel. By protecting your folder in cPanel, it automatically detects the htpasswd file.

Go to cPanel->Password Protect Directories->Define directory and then create a user. Hope this help you.

Maha Dev
  • 3,915
  • 2
  • 31
  • 50
0

The APache has a bug it is reported here: https://bz.apache.org/bugzilla/show_bug.cgi?id=54735

You have to set password like this:

htpasswd -nb username newpassw > <path-to>/htpasswd

Simillar problem here: Apache 2.4 "..authentication failure..:Password Mismatch"

ButcherFromHell
  • 78
  • 7