user2986042 user2986042 - 19 days ago 6
Apache Configuration Question

Why is .htaccess not blocking a folder in Apache?

I am trying to block direct access to a particular folder in Apache.

My folder structure:
/var/www/html
- page.html
- Private folder
- css
- jss

I am trying to protect the private folder with a password.

I did the following steps:

1. Create a .htaccess file in the private folder.

.htaccess file:

AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user


2. Create a .htpasswd file in /etc/apache2 with htpasswd.

3. Now I change some rules in /etc/apache2/apache2.conf.

But when I access 10.0.0.1/private, I am able to browse this directory without a password.

<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>

<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride AuthConfig
AllowOverride All
Require all granted
</Directory>


<Directory /var/www/>
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AddHandler cgi-script .cgi
</Directory>

<Directory /var/www/>
Options All
</Directory>


AccessFileName .htaccess


Any other problem? I set write permission on both .htaccess and .htpasswd:


sudo chmod 777 /var/www/html/private/.htaccess


and

sudo chmod 777 /etc/apache2/.htaccess


Any suggestions?

Answer

First, you should never use .htaccess if you can edit .conf files.

For your issue, when the AllowOverride directive is set to None, .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem. You can try adding this to your /etc/apache2/apache2.conf:

<Directory "/var/www/html/private">
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
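
To see which AllowOverride value actually applies to the private folder, the following added example (not part of the original answer) models how Apache merges `<Directory>` sections: shortest path first, sections for the same path in file order, last setting wins. It assumes plain-path `<Directory>` blocks only (no wildcards, regex sections, Include or VirtualHost handling); the function names are hypothetical and the sample is reduced from the question's apache2.conf.

```python
import re

# Constructed sample: only the AllowOverride-relevant lines of the question's apache2.conf.
SAMPLE_CONF = """\
<Directory />
    AllowOverride None
</Directory>
<Directory /var/www/>
    AllowOverride AuthConfig
    AllowOverride All
</Directory>
<Directory /var/www/>
    Options ExecCGI
    AllowOverride None
</Directory>
"""

def directory_sections(conf):
    """Yield (path, directive_lines) for each plain <Directory> block, in file order."""
    path, body = None, []
    for raw in conf.splitlines():
        line = raw.strip()
        m = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if m:
            path, body = m.group(1), []
        elif line.lower() == "</directory>" and path is not None:
            yield path, body
            path = None
        elif path is not None and line and not line.startswith("#"):
            body.append(line)

def effective_allowoverride(conf, target):
    """Return (value, section_path) of the AllowOverride setting that wins for target."""
    want = [p for p in target.split("/") if p]
    hits = []
    for order, (path, body) in enumerate(directory_sections(conf)):
        parts = [p for p in path.split("/") if p]
        if want[:len(parts)] == parts:  # section path is a prefix of the target
            hits.append((len(parts), order, path, body))
    result = ("None", "built-in default")  # Apache 2.4 default when nothing is set
    # Merge order: shortest path first, then file order; a later setting replaces an earlier one.
    for _, _, path, body in sorted(hits, key=lambda h: h[:2]):
        for line in body:
            if line.lower().startswith("allowoverride "):
                result = (line.split(None, 1)[1], path)
    return result

if __name__ == "__main__":
    print(effective_allowoverride(SAMPLE_CONF, "/var/www/html/private"))
```

On the question's configuration the second `<Directory /var/www/>` block wins, so the effective value is None and the .htaccess file in the private folder is never read.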