How to configure basic authentication in Apache httpd virtual hosts?

Question

I'm trying to configure mercurial access using Apache http. It requires authentication. My /etc/apache2/sites-enabled/mercurial looks like this:

NameVirtualHost *:8080

<VirtualHost *:8080>
    UseCanonicalName Off
    ServerAdmin  webmaster@localhost
    AddHandler cgi-script .cgi
    ScriptAliasMatch ^(.*) /usr/lib/cgi-bin/hgwebdir.cgi/$1
</VirtualHost>

Every tutorial I read on the internet tells me to insert these lines:

AuthType Basic
AuthUserFile /usr/local/etc/httpd/users

But when I do it I get the following error:

# /etc/init.d/apache2 reload
Syntax error on line 8 of /etc/apache2/sites-enabled/mercurial:
AuthType not allowed here

My distro is a customized Ubuntu called Turnkey Linux Redmine

score 83 · Accepted Answer · edited Jan 24 '18 at 12:44

83

You should place this inside a Location directive:

<VirtualHost *:8080>

<Location /> #the / has to be there, otherwise Apache startup fails
            Deny from all
            #Allow from (You may set IP here / to access without password)
            AuthUserFile /usr/local/etc/httpd/users
            AuthName authorization
            AuthType Basic
            Satisfy Any # (or all, if IPs specified and require IP + pass)
                        # any means neither ip nor pass
            require valid-user
</Location>
...
</VirtualHost>

edited Jan 24 '18 at 12:44

Markus

103
4

answered Mar 30 '10 at 15:33

Lanselot

1,208
9
5

1

this does not work for me. ` AuthType Kerberos AuthName KerberosLogin KrbServiceName HTTP/intranet.spectrumasa.com KrbMethodNegotiate On KrbMethodK5Passwd On KrbAuthRealms DOMAIN.COM Krb5KeyTab /etc/httpd/conf/intranet.keytab require valid-user Options Indexes MultiViews FollowSymLinks AllowOverride All Order allow,deny Allow from all SetOutputFilter DEFLATE ` – shorif2000 May 20 '13 at 14:26
1

The apache doc page explains all this, but annoyingly never gives you a complete example. I copied part of their example, but missed the `require valid-user` portion. A complete example can be a wonderful thing. Thanks. – Buttle Butkus Jul 16 '13 at 08:19
1

@sharif should be , meaning access to the root url of yourhost.com/ should require that auth configuration – agbb Mar 09 '16 at 15:31
1

I needed `` in any case to not get a syntax error when loading the config file. – Perseids Sep 28 '16 at 09:06
3

Why was `` edited to `` with an internal log message of "fixed ... to avoid a lot of trouble", but telling nothing about the real reason in the answer itself? There is no such thing as a `` directive (i.e. one *without* a location) in Apache. *That* definitely causes trouble now. ;) (See e.g. above.) – Sz. Feb 19 '17 at 23:26
This answer contains an annoying mix of old and new directives. Remove the `Deny from all` and `Satisfy Any` and disable the module `mod_access_compat` for a cleaner solution. – Colin 't Hart Feb 28 '22 at 12:09

score 11 · Answer 2 · edited Dec 22 '11 at 23:52

11

I am running Apache2 on ubuntu 10.04 — same problem and thanks for the solution. I found that I had to put the configuration in /etc/apache2/apache2.conf

You can generate the username and password using htpasswd. New file:

$ htpasswd -c /srv/auth/.htpasswd squire

To append to existing file:

$ htpasswd -b /srv/auth/.htpasswd squire2 tickleme2

edited Dec 22 '11 at 23:52

Martin Geisler

1,271
9
23

answered May 24 '11 at 17:31

SLL

111
1
2

score 8 · Answer 3 · answered Mar 30 '10 at 15:35

You can protect a Location or a Directory. For a Directory add something like:

<Directory /some/dir/cgi-bin/>
    Options +ExecCGI
    AddHandler cgi-script .cgi
    AuthType Basic
    AuthName 'Private scripts'
    AuthUserFile '/some/other/dir/.htpasswd'
    Require valid-user
</Directory>

You can also add Deny and Allow directives for a finer control.

Warner · Answer 4 · 2010-03-30T17:08:33.953

4

It sounds like you're specifying the authentication settings within the VirtualHost. Typically, these settings are specified under the Directory directive.

You could also use .htaccesss files, but specifying in the Apache conf is a good default, as it has less exposure.

Apache Documentation

edited Mar 30 '10 at 17:08

answered Mar 30 '10 at 15:27

Warner

23,440
2
57
69

score 3 · Answer 5 · answered Feb 15 '11 at 02:19

I'm running Apache2 on ubuntu 10.10. I've been having problems with all the solutions above, but this worked well (from apache docs):

<Directory /var/www/>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride All
  Order allow,deny
  allow from all
  AuthType Basic
  AuthName "Restricted"
  AuthBasicProvider file
  AuthUserFile /etc/users
  Require user visitor
</Directory>

The biggest difference from the answers above seems to be the AuthBasicProvider directive set to "file" and the Require directive including the "user" bit before the actual username.

Hope this helps someone.

score 3 · Answer 6 · edited Oct 04 '15 at 14:51

3

We are running a memory optimised version of apache, and encountered this problem.

This was due to the following line not being present in the apache configuration:

LoadModule authz_user_module modules/mod_authz_user.so

edited Oct 04 '15 at 14:51

Dennis Nolte

2,848
4
26
36

answered Jan 06 '12 at 12:31

DaveSB

41
1

How to configure basic authentication in Apache httpd virtual hosts?

6 Answers6