
I have recently discovered that some of the development websites on my local computer (Windows 10/Apache 2.4) are visible from the web when they should not be. The problem is similar to this question, but as no solutions were provided there (all of the questions asked in that post have been checked against, and verified to be correct), I'm asking my own question. Here are the relevant excerpts from the relevant files:

httpd.conf:

# directory and file names obfuscated intentionally
<Directory "P:/HTTP/{hidden}"> 
  AllowOverride All
  AuthType Basic
  AuthName "Private Content - Authorized Use Only"
  AuthUserFile P:/.htpasswd
  Require valid-user
</Directory>

.htaccess (in P:/http/{hidden})

  AuthType Basic
  AuthName "You must log in to view this site."
  AuthUserFile P:/.htpasswd
  Require valid-user

(note: The AuthName entries are set differently in each in order to assist with debugging)

I know that the .htaccess file is being processed because if I add a line that would cause an error, said error occurs, but when no error occurs, I still don't get presented with an HTTP authentication login. The site just appears. This happens from every computer that I attempt to access the site from, not just my local machine. There are no error entries in my log files (except for the intentional HTTP 500 errors that were generated from a garbage line in .htaccess), AllowOverride is set to All, as can be seen in my excerpt above, and there have been no recent changes to Apache since the last time I did a security test, about 2 months ago. The only change in the system has been through updates to Windows, but that should have no bearing regarding this issue.

The interesting thing is, on this same computer I have several VMs, all with different OS/Apache versions, and all of which point to the same document root (a SAMBA share on the local box), and all have similar (or identical) entries in their respective Apache config files, and they all work. It's just the Win10 host machine that has this problem.

Any suggestions or clues would be gratefully received.

Dave Morton

2 Answers


This is how my .htaccess file looks (Apache 2.2):

AuthName "FBI only"
AuthUserFile /etc/apache2/htpasswd-mysite
AuthType basic
Require valid-user
Order Deny,Allow
Deny from all
Allow from Ip.addr.here
Satisfy Any

When my site is accessed from Ip.addr.here, a password is not required.

In the Apache configuration file I have:

<Directory "/var/www/vhosts/site/www">
     Options            Indexes FollowSymLinks
     AllowOverride      All
     Order              allow,deny
     Allow              from all
</Directory>

So, try adding these lines to the .htaccess file:

Order Deny,Allow
Deny from all

Edit

Please see http://www.the-art-of-web.com/system/apache-authorization/

From that link:

If you are upgrading a server using the legacy authorization directives you can make them work quickly by enabling (it should be activated by default) mod_access_compat in Apache: sudo a2enmod access_compat

In your case see if you have that module enabled.

Here is helpful info: https://www.digitalocean.com/community/tutorials/migrating-your-apache-configuration-from-2-2-to-2-4-syntax

Edit 2

Please see this relevant question, and check the Apache log file!

Guntis
  • And here I thought that `Allow/Deny` was deprecated in Apache 2.4, so I left that out. But why is it needed now, and not when I installed that .htaccess file over a year ago? As I mentioned before, it worked then. - I'll bet it's the `Satisfy any` part. :) – Dave Morton Dec 18 '16 at 20:50
  • I take it back. It worked exactly once, and in only one browser. Trying to connect from Chrome got me to the login popup. From then on, no matter which browser, I get a direct connection. Even attempts from my laptop go right in without authentication. This is getting strange. – Dave Morton Dec 18 '16 at 20:58
  • Can you try setting the configuration in the `httpd.conf` file (or in the corresponding virtualhost file), not in `.htaccess`? – Guntis Dec 19 '16 at 05:35
  • I can and I have, with exactly the same results. It makes no difference whether I use httpd.conf within a `` tag, or within .htaccess in the target folder. Said folder is visible without having to go through authentication. – Dave Morton Dec 20 '16 at 13:56
  • Please see my edited answer – Guntis Dec 20 '16 at 14:12
  • Yes, the access_compat module is being loaded. The relevant line is this: `LoadModule access_compat_module modules/mod_access_compat.so` - In fact, it's the first module loaded. – Dave Morton Dec 20 '16 at 23:39
  • @DaveMorton see my last edit in answer. – Guntis Dec 21 '16 at 18:29
  • Thanks for the new link. It didn't help, but the thought was appreciated. After looking through the Apache logs, and looking through a number of other possible causes, I finally found the issue. It seems that an "upstream" .htaccess file (residing in the DocRoot, of all places) was overriding the settings that I was trying to use. I _thought_ I had checked it at the start, but I was obviously mistaken. Quite embarrassing, really, but at least I found the cause. – Dave Morton Dec 24 '16 at 18:21

After following all of the suggestions given (thank you all for those suggestions), answering questions posted here and elsewhere, and generally pulling out more hair in frustration than I can afford to lose, I finally found the cause of the problem, and thus, the solution. It turns out that there was another .htaccess file in an ancestor folder that was allowing access to all child folders, and this "upstream" .htaccess file was overriding the settings in the file I was trying to make the changes in. This seems odd to me, but commenting out the settings in the ancestor .htaccess caused the other file to start working as intended.

The bottom line here is that if your .htaccess file isn't working as planned, look in the parent folders to see if another file has different settings.

Dave Morton
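As an added example (not code from the question or either answer), the following Python script performs the check that both answers converge on: walk every .htaccess between DocumentRoot and the protected folder, merge the access-control directives the way Apache inherits them, and report whether an anonymous client gets through. The contents of the ancestor .htaccess are an assumption, since the question never shows that file; it is modelled as `Satisfy Any` plus `Allow from all`, the legacy combination that the first answer's own .htaccess uses and that mod_access_compat still honours. The merge rules are a simplified model, labelled as such in the code, and any verdict it gives should be confirmed against a real httpd.

```python
"""Walk the .htaccess chain from an Apache DocumentRoot down to a target
directory and decide whether an anonymous client gets in.

Added example for this thread, not code from the question or the answers.
It is a simplified model of Apache's per-directory merging (assumptions,
not a substitute for testing against a real httpd): Satisfy and a set of
Require directives are inherited by subdirectories; a child that sets any
of Order/Allow/Deny replaces the parent's whole Allow/Deny block; a child
that sets its own Require directives replaces the parent's (AuthMerging
Off, the default). Only "from all" patterns are evaluated, so host-specific
Allow/Deny entries are ignored for the anonymous verdict.
"""
import tempfile
from pathlib import Path

ACCESS = ("order", "allow", "deny")


def parse_htaccess(text):
    """Pull the access-control directives out of one .htaccess file."""
    cfg = {"satisfy": None, "access": [], "require": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if name == "satisfy":
            cfg["satisfy"] = value
        elif name in ACCESS:
            cfg["access"].append((name, value))
        elif name == "require":
            cfg["require"].append(value)
    return cfg


def merge_chain(chain):
    """Fold (path, cfg) pairs, DocumentRoot first, into an effective config.
    A key set in a deeper directory wins; otherwise the parent's value stays."""
    eff = {"satisfy": "all", "access": [], "require": [], "src": {}}
    for path, cfg in chain:
        for key in ("satisfy", "access", "require"):
            if cfg[key]:
                eff[key] = cfg[key]
                eff["src"][key] = path
    return eff


def host_stage_allows_anonymous(access):
    """Evaluate Order/Allow/Deny for a client matched only by 'from all'."""
    order = "deny,allow"                              # Apache's default Order
    allow_all = deny_all = False
    for name, value in access:
        if name == "order":
            order = value.replace(" ", "")
        elif name == "allow" and value == "from all":
            allow_all = True
        elif name == "deny" and value == "from all":
            deny_all = True
    if order == "allow,deny":                         # Deny wins, default deny
        return allow_all and not deny_all
    return allow_all or not deny_all                  # Allow wins, default allow


def anonymous_allowed(eff):
    """Satisfy Any: host check OR authorization; Satisfy All: both."""
    host_ok = host_stage_allows_anonymous(eff["access"])
    req_ok = not eff["require"] or "all granted" in eff["require"]
    if eff["satisfy"] == "any":
        return host_ok or req_ok
    return host_ok and req_ok


def audit(docroot, target):
    """Collect every .htaccess between docroot and target and report which
    settings for target are decided by an upstream file."""
    docroot, target = Path(docroot).resolve(), Path(target).resolve()
    dirs, cur = [docroot], docroot
    for part in target.relative_to(docroot).parts:    # ValueError if outside
        cur = cur / part
        dirs.append(cur)
    chain = []
    for d in dirs:
        f = d / ".htaccess"
        if f.is_file():
            chain.append((str(f), parse_htaccess(f.read_text())))
    eff = merge_chain(chain)
    findings = [f"{key!r} for {target} is decided upstream in {path}"
                for key, path in eff["src"].items()
                if Path(path).parent != target]
    return {"anonymous_allowed": anonymous_allowed(eff),
            "effective": eff, "findings": findings}


# Constructed tree modelling the thread (assumed contents: the question
# never shows the ancestor file; the child is the question's own excerpt).
ANCESTOR = "Satisfy Any\nOrder Deny,Allow\nAllow from all\n"
CHILD = ('AuthType Basic\nAuthName "You must log in to view this site."\n'
         "AuthUserFile P:/.htpasswd\nRequire valid-user\n")
CHILD_FIXED = CHILD + "Order Deny,Allow\nDeny from all\n"   # first answer's fix


def demo():
    """Return (anonymous_before_fix, anonymous_after_fix) for the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "http"
        hidden = root / "hidden"
        hidden.mkdir(parents=True)
        (root / ".htaccess").write_text(ANCESTOR)
        (hidden / ".htaccess").write_text(CHILD)
        before = audit(root, hidden)
        (hidden / ".htaccess").write_text(CHILD_FIXED)
        after = audit(root, hidden)
    return before["anonymous_allowed"], after["anonymous_allowed"]


if __name__ == "__main__":
    print(demo())
```

Running it prints `(True, False)`: with the ancestor's `Satisfy Any` and `Allow from all` inherited, the host check alone is satisfied and the child's `Require valid-user` never gets a say, which is the symptom the question describes. Adding `Order Deny,Allow` / `Deny from all` to the child (the first answer's suggestion) replaces the inherited Allow block and the password prompt comes back; removing `Satisfy Any` from the ancestor is the other fix. The `findings` list is the useful part for an audit: it names every setting for the target folder that is decided by a file above it, which is exactly where the second answer says to look.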