3

I am trying to configure basic auth for my index file, and only my index file. I have configured it like so:

<Files index.htm>
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "Some Auth"
    AuthUserFile "C:/path/to/my/.htpasswd"
    Require valid-user
</Files>

When I visit the page, 401 Authorization Required is returned as expected, but the browser doesn't prompt for the username/password. Some further inspection has revealed that Apache is not sending the WWW-Authenticate header.

GET http://myhost/ HTTP/1.1
Host: myhost
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.100 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 401 Authorization Required
Date: Tue, 21 Jun 2011 21:36:48 GMT
Server: Apache/2.2.16 (Win32)
Content-Length: 401
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

Why is Apache doing this? How can I configure it to send that header appropriately?

It is worth noting that this exact same set of directives works fine if I set them for a whole directory. It is only when I configure them for a directory index that they do not work. This is how I know my .htpasswd and such are fine.

I am using Apache 2.2 on Windows.

On another note, I found this listed as a bug in Apache 1.3. This leads me to believe that this is actually a configuration problem on my end.

Brad

4 Answers

2

I can reproduce this on Apache 2.2 under Fedora. This seems to be a bug. A work-around is to use:

<Files ~ "(^index.htm$)|(^$)">

Here is another similar bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=46685

Mark Wagner
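
A check for the symptom described in the question, usable to confirm the workaround above took effect. This is an added example, not part of the original posts; the first sample is the response captured in the question (body shortened), the second is constructed.

```python
"""Flag 401 responses that carry no usable WWW-Authenticate challenge."""
from email.parser import Parser

# Response headers as captured in the question (body shortened).
BROKEN = """HTTP/1.1 401 Authorization Required
Date: Tue, 21 Jun 2011 21:36:48 GMT
Server: Apache/2.2.16 (Win32)
Content-Length: 401
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Authorization Required</h1></body></html>
"""

# Constructed sample: the same response with the challenge present.
FIXED = BROKEN.replace(
    "Content-Length: 401\n",
    'WWW-Authenticate: Basic realm="Some Auth"\nContent-Length: 401\n')

def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers)."""
    head = raw.lstrip().replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % status_line)
    # Header names are matched case-insensitively by the email parser.
    return int(parts[1]), Parser().parsestr(header_block, headersonly=True)

def check_challenge(raw):
    """Return a list of problems; an empty list means the response is consistent."""
    status, headers = parse_response(raw)
    challenges = headers.get_all("WWW-Authenticate") or []
    problems = []
    if status == 401 and not challenges:
        problems.append("401 without WWW-Authenticate: browser cannot prompt")
    for value in challenges:
        scheme = value.split(None, 1)[0].lower() if value.strip() else ""
        if scheme == "basic" and "realm=" not in value.lower():
            problems.append("Basic challenge has no realm parameter")
    return problems

if __name__ == "__main__":
    for name, raw in (("captured", BROKEN), ("constructed", FIXED)):
        print(name, check_challenge(raw) or "ok")
```

Run it against the saved responses for both `/` and `/index.htm`, since the question reports the header missing only on the directory-index request.
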
1

For a simple case, your config looks fine (see this post for an example), so I would start by looking at any factors that might make this a not-simple case and eliminating them until you find the one that's causing the problem.

For instance:

  • Are you accessing "index.htm" specifically, or relying on DirectoryIndex to load it automatically when you access "http://site.url/"?
  • Is "index.htm" configured in DirectoryIndex?
  • Have you tried making it the first option?
  • Since you're on Windows, are you sure the letter case in the filenames is what you think it is? Windows will mangle all-upper-case filenames into sentence case for display, for instance.
  • Have you tried setting this parameter for a file that is not in DirectoryIndex (test.html), to see if that's related?

The Apache docs have a nice page detailing how Directory, Files, and Location work, with some examples, for further reference.

Handyman5
1

You might want to start off by adjusting your Files directive (<Files ./index.htm>), otherwise it will match any index.htm files in the entire directory structure under that .htaccess.

The configuration you posted works perfectly on a Debian - Apache 2.2 install. I'd suggest trying it in a <Location> directive, and trying it on 2 different browsers.

thinice
0

I'm thinking that there is a conflict between the directive:

 allow from all

and the directive

 require valid user

I'm wondering if you drop the allow from all from the configuration record, this might do what you want to do.

BTW, I'd change the Files index.html to Location /index.html instead as well.

mdpc
  • allow from all / require valid user are unrelated. "Allow from all" allows host oriented restrictions, meaning the user won't even be -prompted- if they're not from foo network in this case. – thinice Jun 27 '11 at 21:51