Lighttpd: htpasswd protection

.htaccesshtpasswdlighttpd

i would use an htpasswd protection for an folder of my website. I use lighttpd an i have write the following code into the lighttpd.conf

# Limit access to ispgen
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/etc/lighttpd/htpasswd/.htpasswd"
auth.require = ( "/var/www/florian-wirths.de/ispgen" =>
    (
    "method"  => "basic",
    "realm"   => "ISPGen",
    "require" => "valid-user"
    ),
)

But it works not for me. What i do wrong?

Best Answer

Provided you've created the .htpasswd file correctly, the only problem I see with your config segment is the auth.require path - this should be the relative url path you are trying to protect, not the absolute file system path. Try this:

auth.require = ( "/ispgen" =>

You may need to stick this inside of an appropriate $HTTP["host"] in your lighttpd.conf.

Good luck!

Related Solutions

Security – WebServer Permission problem, Ubuntu & Lighttpd

If you are using the Ubuntu package and didn't change things too much, the running process name should be lighttpd and the default user and group names are both www-data. Check the server.username and server.groupname entries in your config file (/etc/lighttpd/lighttpd.conf) to be certain.

Running ps -fC lighttpd should tell you if it is running and the user id that is is running as. On my system the output looks like

rik@mary:/home/rik$ ps -fC lighttpd
UID PID PPID C STIME TTY TIME CMD
www-data 667 1 0 03:50 ? 00:00:00 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

Everything you want displayed under your document-root should be readable by the www-data user and the directories need to be executable by www-data as well. To test this you may want to try using find as the user www-data. The sudo command can help with this. sudo -u www-data find /var/www/sites/mysite.com/http/media/css/ should succeed. If not try again one step up with sudo -u www-data find /var/www/sites/mysite.com/http/media/ and so on until find can return file and directory names. Once there the run the chown and chmod commands against that directory without the -R (recursive) flag. Then test again.

If you are comfortable with all of the files and directories under /var/www/sites/mysite.com/http/media being readable by anyone, you may want to chmod all the files as 644 and the dirs as 755. If you have files that need to have the execute bit set this can be a bit more of a problem unless the all have distinctive extensions. This is done using the -type, -exec, and -name flags like:

chown -R id:www-data /var/www/sites/mysite.com/http/media
find /var/www/sites/mysite.com/http/media -type d -exec chmod 755 {} \;
find /var/www/sites/mysite.com/http/media -type f -exec chmod 644 {} \;
find /var/www/sites/mysite.com/http/media -type f -name '*.php' -exec chmod 755 {} \;

If you don't want lighty to access other files an/or dirs in the tree, you will need to handle things differently. It is always easier if you keep files you want readable in a different directory from those you want kept out of the public eye.

.htaccess password protection not working in localhost

This will most likely be because you have an AllowOverride statement that is disallowing access to .htaccess files. You will need to configure as a minimum

AllowOverride AuthConfig

within a <Directory> block for /home/Server/Dev

<Directory /home/Server/Dev >
    AllowOverride AuthConfig
    ...
</Directory>

Best Answer

Related Solutions

Security – WebServer Permission problem, Ubuntu & Lighttpd

.htaccess password protection not working in localhost

Related Topic