httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ian Zimmerman <>
Subject Re: [users@httpd] htaccess hell
Date Wed, 15 Jun 2011 19:56:54 GMT
On Wed, 15 Jun 2011 21:22:28 +0200
Jeroen Geilman <> wrote:

Ian> >          UserDir public_html
Ian> >          UserDir disabled root
Ian> >
Ian> >          <Directory /home/*/public_html>
Ian> >                  AllowOverride FileInfo AuthConfig Limit Indexes
Ian> >                  Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Ian> >                  <Limit GET POST OPTIONS>
Ian> >                          Order allow,deny
Ian> >                          Allow from all
Ian> >                  </Limit>
Ian> >                  <LimitExcept GET POST OPTIONS>
Ian> >                          Order deny,allow
Ian> >                          Deny from all
Ian> >                  </LimitExcept>
Ian> >          </Directory>
Ian> > </IfModule>
Ian> >

Jeroen> urgh

Well, as I wrote, this is the unchanged configuration from Debian.  If I
have to change it I might as well configure all the authentication there
and not bother with .htaccess files.  (I know that works, BTW.)  The
idea was to avoid editing the original configuration as much as

Ian> > Document root is configured as follows:
Ian> >
Ian> >          <Location />

Jeroen> No. Nonononononononono.  A Documentroot MUST point to a physical
Jeroen> filesystem <Directory>.

I misspoke.  There is a normal DocumentRoot definition elsewhere in the
file which does point to a physical directory, namely /var/www.  I just
meant to say this is how I configured the authentication for /.  See
below why I thought this was preferable.

Ian> >                  Options Indexes FollowSymLinks MultiViews
Ian> >                  AuthType Basic
Ian> >                  AuthName "Root Realm"
Ian> >                  AuthBasicProvider file
Ian> >                  AuthUserFile /etc/apache2/passwd
Ian> >                  Require valid-user
Ian> >                  Order allow,deny
Ian> >                  allow from all
Ian> >          </Location>
Ian> >
Ian> > Now, I try to override the auth settings in a subtree of my
Ian> > ~/public_html by putting a .htaccess file there, which reads as follows:

Jeroen> Authentication SHOULD always be done on physical files if possible.
Jeroen> This prevents people bypassing it by using an alternate URL.

I get this point to a degree.  Still, before diving in I'd like to
understand _why_ it fails as it is.  Is it that all the Location info is
applied after all the physical (and htaccess) info and overrides the

And if I do as you say, it looks like I'd need 2 htaccess files, an
extra one for the top of my public_html, since it won't be covered by
whatever is set for /var/www.  Correct?  And I'll also need to
separately define authentication for all aliases like /usr/share/doc if
I want them covered.  Right?  This is what I was trying to avoid by putting
the Auth stuff in the <Location /> block.

Ian Zimmerman
gpg public key: 1024D/C6FF61AD 
fingerprint: 66DC D68F 5C1B 4D71 2EE5  BD03 8A00 786C C6FF 61AD
Rule 420: All persons more than eight miles high to leave the court.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message