Category Archives: .htpasswd

Force http auth off on certain path

I have a two sites. One site is symlinked into a sub folder of the first e.g.

|-symlinked-site -> /var/www/site2/

So in the browser url I get something like

Site 1 has an httaccess auth rule set up like so in the root folder;

# Do the regex check against the URI here, if match, set the "require_auth" var
SetEnvIf Request_URI ^/path/to/auth-only/dir require_auth=true

# Auth stuff
AuthUserFile /var/www/
AuthName "Password Protected"
AuthType Basic

# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth

For some reason Site 2 is getting a prompt for the password, but I cannot figure out why it would do so, and I've tried a few variations of forcing Allow from all or replicating the full auth config from site 1 to site 2.

I've checked the environment variables in PHP and require_auth does not exist in on the second site. If I modify the rule to set require_auth on the valid url of site 2 then I can get the require_auth variable to show up, so I'm not sure why any part of the htaccess rule would prompt for this password.

Is there anyway I can explicitly turn off any kind of ht password check for the site 2 file path, I do not require it at all.

.htaccess error 401 ignoring

So I inherited a site from an old webmaster and I had to do a server more

Now I have a login area which simply doesn't work, either I get a 500 server error on page load or it just redirects itself back to directing page.

I have managed to get it down I think to the .htaccess file.

#AuthUserFile /home/danniih/members_data/.htpasswd
AuthUserFile /home/jv3nvu050wnp/public_html/cgi-bin/dm5FZ7Qa9o4CYkfHXse6vrx3AcMSjUPn/password/.htpasswd
AuthName " VIP Area"
AuthType Basic

<Limit GET POST>
require valid-user

This is what I have and the above link is correct but I'm getting an error on the server as follows

[Fri May 04 08:27:39.800913 2018] [core:notice] [pid 561177:tid 139903864063744] AH00113: /home/jv3nvu050wnp/public_html/.htaccess:3 cannot use a full URL in a 401 ErrorDocument directive --- ignoring!

I'm now totally stumped

trouble with .htaccess authorizations

I have a Raspbian LAMP web server just for experimentation and I wanted to lock the main page with .htaccess. It does not work as it should. It will read the first line "AuthTyper Basic" and lock the page but nothing more after that. The "AuthName" don't show up on the login pop-up. and the username and password do not work. What am I doing wrong?

  • Apache/2.4.25 (Raspbian)


# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.

# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#   /etc/apache2/
#   |-- apache2.conf
#   |   `--  ports.conf
#   |-- mods-enabled
#   |   |-- *.load
#   |   `-- *.conf
#   |-- conf-enabled
#   |   `-- *.conf
#   `-- sites-enabled
#       `-- *.conf
# * apache2.conf is the main configuration file (this file). It puts the pieces
#   together by including all remaining configuration files when starting up the
#   web server.
# * ports.conf is always included from the main configuration file. It is
#   supposed to determine listening ports for incoming connections which can be
#   customized anytime.
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
#   directories contain particular configuration snippets which manage modules,
#   global configuration fragments, or virtual host configurations,
#   respectively.
#   They are activated by symlinking available configuration files from their
#   respective *-available/ counterparts. These should be managed by using our
#   helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
#   their respective man pages for detailed information.
# * The binary is called apache2. Due to the use of environment variables, in
#   the default configuration, apache2 needs to be started/stopped with
#   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
#   work with the default configuration.

# Global configuration

# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the Mutex documentation (available
# at <URL:>);
# you will save yourself a lot of trouble.
# Do NOT add a slash at the end of the directory path.
#ServerRoot "/etc/apache2"

# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#Mutex file:${APACHE_LOCK_DIR} default

# The directory where shm and other runtime files will be stored.

DefaultRuntimeDir ${APACHE_RUN_DIR}

# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars

# Timeout: The number of seconds before receives and sends time out.
Timeout 300

# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
KeepAlive On

# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
MaxKeepAliveRequests 100

# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
KeepAliveTimeout 5

# These need to be set in /etc/apache2/envvars

# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., (on) or (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
HostnameLookups Off

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
ErrorLog ${APACHE_LOG_DIR}/error.log

# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
LogLevel warn

# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

# Include list of ports to listen on
Include ports.conf

# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied

<Directory /usr/share>
    AllowOverride None
    Require all granted

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted

#<Directory /srv/>
#   Options Indexes FollowSymLinks
#   AllowOverride None
#   Require all granted

# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
AccessFileName .htaccess

# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<FilesMatch "^\.ht">
    Require all denied

# The following directives define some format nicknames for use with
# a CustomLog directive.
# These deviate from the Common Log Format definitions in that they use %O
# (the actual bytes sent including headers) instead of %b (the size of the
# requested file), because the latter makes it impossible to detect partial
# requests.
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf

# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Include /etc/phpmyadmin/apache.conf


AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /var/www/html/.htpasswd
Require valid-user



I have tested the directories 100times in the .htaccess and they should be correct. I would like to know why this always happens. I have had a lot of trouble with .htaccess authorizations before.

.htpasswd android bug virtual keyboard

If a website password via .htpasswd when the page first loads on your mobile android in a input(text, search) you can only enter number characters, all other characters of any layout are not responsive and do not appear in the input value.

When you open a new window of the same site everything works as it should.

Has anyone faced such a problem? How did you decide on?

See video on youtube: ===> android bug <===

htaccess: mod_rewrite with http auth in a subfolder gives a 404

I have a strange problem with a site I'm working on, it really drives me crazy, although it should just be working.

I have a site at, and a CMS at All request except images, css etc and the /cms folder, are redirected to, with a .htaccess file in the root.

In the /cms folder, there is a basic http auth, with a .htaccess and .htpasswd in that folder. is working good, except is redirected to mesam/mesam.php, making the /cms folder unreachable.

Now, two ways to get the cms reachable: 1) I remove the .htacces in the root folder, breaking the whole site (except /cms) 2) I remove /cms/.htaccess, the site itself keeps working, results in an unsecured CMS, which I of course do not want.

Here some contents:

RewriteEngine On    
RewriteCond %{REQUEST_URI}  !^/cms
RewriteCond %{REQUEST_URI}  !(\.png|\.jpg|\.gif|\.jpeg|\.bmp|\.css|\.js|favicon\.ico|\.svg|\.pdf|\.ino)$ [NC]    
RewriteRule (.*)  mesam/mesam.php [L]

AuthName "CMS"
AuthUserFile <<www_root>>/cms/.htpasswd
AuthGroupFile /dev/null
AuthType Basic
require valid-user

The strange thing is, this exactly same setup works for another site ( at the same server, the same directory structure and the same htaccess-contents. Google proved helpfull, in the way that it told me that the setup I use is correct (as proven by

I really hope there is someone who can help me out. I'm running PHP7 on Apache, on a shared hosting server with CPanel (and some Linux distro running). The PHP and server settings for and are the same.

I will like to create a website filesharing for my client

Hi everyone and thanks to take your time to answer me this question, i will like to ask you. I am a junior front end developer and I am trying to create a website for my company that will be easier to comunicate with our client, i will like a filesharing website where my client can drop anytype of file, and has only acces to certain file from their folder, i already create a login page with php and mysql, but i dont know what should i do for the rest how can i build the drop in file system and also let them access to their file only on their folder. I will like to know which language i should use , i read a lot and can not find any of them in internet i try the htacess but the problem is only to connect with one page, allowed me to do this. I use sql and php for the login contact with no sign in , i try to find a tutoriel video on youtube but i think i dont put the correct word in english, my english is not that good,

Thank you very much for the help