0

I added .htaccess and .htpasswd to a dir in order to password protect it. That part works.

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/.htpasswd
Require valid-user

But now, php scripts inside this dir fail to execute.

error.log shows:

failed to open stream: HTTP request failed! HTTP/1.1 401 Authorization Required

The lines of the script it is complaining about look like this:

$data = file("http://site/script1.php");
$data2 = file("http://site/script2.php");
$data3 = file("http://site/script3.php");

Do I need to add something to the .htaccess file in order to allow php execution in this dir?

EDIT:

ha...well I worked around the problem. I simply password protected the php script in question rather than the whole directory:

 <Files "script.php">
  require valid-user
 </Files>
Corepuncher
  • 181
  • 1
  • 3
  • 9
  • Also, using HTTP requests to fetch files from the same server is stupid and unefficient; use PHP's file IO functions instead. –  Feb 24 '15 at 19:49
  • Well, I am a stupid and "unefficient" programmer since I am a beginner. It would be helpful if you could provide a specific example of how I would change it. – Corepuncher Feb 24 '15 at 19:52
  • 1
    Don't take it personally, but yeah that approach is definitely stupid and unefficient for 99% of cases, the only exceptions may be servers running in separate containers where you can't use permissions nor symlinks to give the PHP code direct file-level access to that file. –  Feb 24 '15 at 19:56
  • Take a look at this similar answer of mine on SO : http://stackoverflow.com/questions/28127365/sharing-a-file-between-multiple-virtualhosts/28392441#28392441 –  Feb 24 '15 at 19:56
  • Given that you're calling PHP scripts instead of pure files changes things a bit, but still, you're better off `include`'ing these scripts directly rather than calling them via HTTP and causing unnecessary load on the HTTP server. –  Feb 24 '15 at 19:58
  • Just out of curiosity, what is it about adding a simple .htaccess that short circuits those scripts? If I remove .htaccess, then everything runs normally. – Corepuncher Feb 24 '15 at 20:00
  • 1
    I've thought about that too (adding `require local`) but 1) that would allow anyone on the server, no matter what their account or privileges are to access and execute these files, and 2) the performance disaster is still there as you're causing unnecessary load by doing an extra HTTP request (not to mention the constant noise in Apache's log). –  Feb 24 '15 at 20:02

1 Answers1

0

If your PHP scripts try to fetch some pages from your site via HTTP requests, then this happens.

You should change the scripts so that they add the HTTP authentication information to the requests, or so that they don't perform these HTTP requests.

Tero Kilkanen
  • 34,499
  • 3
  • 38
  • 58
  • Thank you, that indeed looks to be the case. I have no idea how to add "authentication information", but I'll try to look it up. – Corepuncher Feb 24 '15 at 19:54