httpd-users mailing list archives

From "Boyle Owen" <>
Subject RE: [users@httpd] Apache-Basic Authentication How To
Date Tue, 11 Mar 2003 08:33:37 GMT
Having read the thread I couldn't resist chipping in...

There are a lot of contradictory directives in your config. This implies
some misunderstanding of what the directives do so it is no wonder that
you get in a pickle. Please take time to read the notes below and refer
to the docs for the directives. When you are sure you understand
everything here, have another look at your config and it should all
become clear. Take heart, setting up basic authentication is really easy
and you have already done most of it. You just have a couple of
misunderstandings which are getting in the way.

Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

>-----Original Message-----
>From: Manu Kits []
>Sent: Monday, 10 March 2003 16:53
>Subject: [users@httpd] Apache-Basic Authentication How To
>I am using Apache 1.3.26 on IBM AIX
>I want to implement Basic Authentication on Apache (Ref: htpasswd)
>I have 2 users with their respective directories:
>USER NAME HOME DIR     public_html
>BILL /home/bill    /home/bill/public_html
>GATES /home/gates   /home/gates/public_html

Fine. Now, how do you want apache to access those directories? You could
use the "UserDir" mechanism but then you'd have to type
http://server/~bill/ to see bill's pages. I think you'd prefer
http://server/bill/ - if so, you need:

	Alias /bill /home/bill/public_html
	Alias /gates /home/gates/public_html

as has already been pointed out by Joshua and others.

>I want to IMPLEMENT Basic Authentication for User BILL and NO 
>for user GATES.
>How can I do that - is it possible to have Basic 
>Authentication for User 
>BILL and NO Authentication for User GATES?
>This is what I have done....
><Directory />

This is the root of your filesystem. Do you really want to start so
high? Usually, you'd limit this to the highest point that encompasses
your content directories, e.g.

	<Directory /home>

>   Options +FollowSymLinks

Hmm. Why do you want to allow symlinks? This makes life complicated and
you are already having basic problems... Anyway, leave it in if you
think you need it.

>   AllowOverride All

Do you know what this does? It allows directives in .htaccess files to
override those in httpd.conf. Now you want to set up the authentication
scheme in httpd.conf so it doesn't make much sense to allow local
.htaccess files to override them. It is quite possible that if you have
a .htaccess file in /home/bill/public_html and it contains certain
directives, you could switch off the authentication you have so
carefully crafted below. I would rather set this to:

	AllowOverride None

Thus disabling all .htaccess files. Then you can be sure that only those
directives in httpd.conf are effective.

>   Order allow,deny
>   Allow from all

This is very sporting - you are allowing access from anywhere to any
file on your system. But don't worry about it for now, it's not causing
the problem you're seeing...

><Directory /home/bill/public_html>
>   Options +FollowSymLinks +SymLinksIfOwnerMatch +Indexes
>   Order allow,deny
>   Allow from all

Note that subdirectories inherit directives from a parent directory. So
you don't really need to repeat these. You only need:

	Options +SymLinksIfOwnerMatch +Indexes

since these are the only additional attributes.

>   AllowOverride All

Ditto. And see note above.

>   AllowOverride AuthConfig

This is redundant since "AllowOverride All" includes "AuthConfig". In
fact, as I mentioned above, it is precisely this attribute that you
*don't* want to allow .htaccess to override. 

>   AuthType Basic
>   AuthName "By Invitation Only"
>   AuthUserFile /usr/local/apache2003/passwd/apache_password
>   Require valid-user

This is perfect and must work. Unless you have a problem somewhere else...

><Directory /home/gates/public_html>
>   Options +FollowSymLinks +SymLinksIfOwnerMatch +Indexes
>   Order allow,deny
>   Allow from all

Redundant since inherited from <Directory />.


Look out for .htaccess files in the content directories and for "Satisfy
any" - which would switch off authentication.

Putting it all together, you might try:

Alias /bill  /home/bill/public_html
Alias /gates /home/gates/public_html

<Directory /home>
   Options +FollowSymLinks
   AllowOverride None
   Order allow,deny
   Allow from all
</Directory>

<Directory /home/bill/public_html>
   Options +SymLinksIfOwnerMatch +Indexes
   AuthType Basic
   AuthName "By Invitation Only"
   AuthUserFile /usr/local/apache2003/passwd/apache_password
   Require valid-user
</Directory>

<Directory /home/gates/public_html>
   Options +SymLinksIfOwnerMatch +Indexes
</Directory>

On your error messages:

>[Mon Mar 10 13:31:17 2003] [error] client denied by server

This implies a "Deny" directive somewhere. Since I don't see one in the
config you sent us, it must be somewhere else or in a .htaccess. Maybe
it'll go away if you "AllowOverride None" as recommended above.

>[Mon Mar 10 13:31:31 2003] [error] File does not exist: 

This implies two things:

- Your DocumentRoot is set to /usr/local/apache/htdocs (default)
- You do not have an Alias directive set up as recommended by Joshua.

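The two pitfalls the reply names (an inherited "AllowOverride" that lets .htaccess change authentication, and "Satisfy any") can be checked mechanically. The following is an added example, not part of the original message or of Apache itself: a small Python audit over `<Directory>` blocks, with hypothetical function names and a constructed sample condensed from the quoted configuration. It assumes plain (non-wildcard) `<Directory>` paths in a single file, and that an unset AllowOverride defaults to "All", as it does in Apache versions before 2.3.9.

```python
import re

# Constructed input: a condensed form of the configuration quoted in the message.
ORIGINAL = """
<Directory />
   AllowOverride All
</Directory>
<Directory /home/bill/public_html>
   AllowOverride AuthConfig
   AuthType Basic
   AuthUserFile /usr/local/apache2003/passwd/apache_password
   Require valid-user
</Directory>
"""

def parse_directories(conf):
    """Map each <Directory> path to its directives (lower-cased name -> last value)."""
    blocks, current = {}, None
    for line in (l.strip() for l in conf.splitlines()):
        opened = re.match(r"<Directory\s+\"?([^\">]+?)\"?\s*>$", line, re.I)
        if opened:
            current = blocks.setdefault(opened.group(1), {})
        elif re.match(r"</Directory>$", line, re.I):
            current = None
        elif current is not None and line and not line.startswith("#"):
            name, *rest = line.split(None, 1)
            current[name.lower()] = rest[0] if rest else ""
    return blocks

def effective(blocks, path, directive, default):
    """Value inherited from the longest enclosing <Directory> that sets the directive."""
    parents = [p for p in blocks if path == p or path.startswith(p.rstrip("/") + "/")]
    for p in sorted(parents, key=len, reverse=True):
        if directive in blocks[p]:
            return blocks[p][directive]
    return default

def audit(conf, default_override="All"):
    """Return (path, finding) pairs for directories whose Require can be bypassed."""
    blocks, findings = parse_directories(conf), []
    for path, directives in blocks.items():
        if "require" not in directives:
            continue
        override = effective(blocks, path, "allowoverride", default_override).lower().split()
        if "all" in override or "authconfig" in override:
            findings.append((path, "htaccess-can-override-auth"))
        if effective(blocks, path, "satisfy", "all").lower() == "any":
            findings.append((path, "satisfy-any"))
    return findings
```

Running `audit(ORIGINAL)` flags /home/bill/public_html; a finding means any .htaccess files under that directory still need to be inspected on disk.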