Windows – HTTP Authentication being ignored, both in .htaccess AND in httpd.conf

Tags: .htaccess, apache-2.4, http-authentication, windows

I have recently discovered that some of the development websites on my local computer (Windows 10/Apache 2.4) are visible from the web when they should not be. The problem is similar to this question, but as no solutions were provided there (all of the questions asked in that post have been checked against, and verified to be correct), I'm asking my own question. Here are the relevant excerpts from the relevant files:

httpd.conf:

# directory and file names obfuscated intentionally
<Directory "P:/HTTP/{hidden}"> 
  AllowOverride All
  AuthType Basic
  AuthName "Private Content - Authorized Use Only"
  AuthUserFile P:/.htpasswd
  Require valid-user
</Directory>

.htaccess (in P:/http/{hidden})

  AuthType Basic
  AuthName "You must log in to view this site."
  AuthUserFile P:/.htpasswd
  Require valid-user

(note: The AuthName entries are set differently in each in order to assist with debugging)

I know that the .htaccess file is being processed because if I add a line that would cause an error, said error occurs, but when no error occurs, I still don't get presented with an HTTP authentication login. The site just appears. This happens from every computer that I attempt to access the site from, not just my local machine. There are no error entries in my log files (except for the intentional HTTP 500 errors that were generated from a garbage line in .htaccess), AllowOverride is set to ALL, as can be seen in my excerpt, above, and there have been no recent changes to Apache since the last time I did a security test, about 2 months ago. The only change in the system has been through updates to Windows, but that should have no bearing regarding this issue.

The interesting thing is, on this same computer I have several VMs, all with different OS/Apache versions, and all of which point to the same document root (a SAMBA share on the local box), and all have similar (or identical) entries in their respective Apache config files, and they all work. It's just the Win10 host machine that has this problem.

Any suggestions or clues would be gratefully received.

Best Answer

This is what my .htaccess file looks like (Apache 2.2):

AuthName "FBI only"
AuthUserFile /etc/apache2/htpasswd-mysite
AuthType basic
Require valid-user
Order Deny,Allow
Deny from all
Allow from Ip.addr.here
Satisfy Any

When my site is accessed from Ip.addr.here, a password is not required.

In the Apache configuration file I have:

<Directory "/var/www/vhosts/site/www">
     Options            Indexes FollowSymLinks
     AllowOverride      All
     Order              allow,deny
     Allow              from all
</Directory>

So, try adding these lines to the .htaccess file:

Order Deny,Allow
Deny from all

Edit

Please see http://www.the-art-of-web.com/system/apache-authorization/

From that link:

If you are upgrading a server using the legacy authorization directives you can make them work quickly by enabling (it should be activated by default) mod_access_compat in Apache: sudo a2enmod access_compat

In your case see if you have that module enabled.

Here is helpful info: https://www.digitalocean.com/community/tutorials/migrating-your-apache-configuration-from-2-2-to-2-4-syntax

Edit 2

Please see this relevant question, and check out the Apache log file!
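
An added example, not part of the question or the answer: a small per-scope lint that flags 2.2-style Order/Allow/Deny/Satisfy directives, their mixing with 2.4 Require, and the Satisfy Any plus Allow from all combination under which no password is requested. The finding names and the CONSTRUCTED_OPEN sample are assumptions made for illustration; the lint checks one scope at a time and does not model how Apache merges <Directory> and .htaccess settings.

```python
LEGACY = {"order", "allow", "deny", "satisfy"}  # 2.2-style; need mod_access_compat on 2.4

def directives(text):
    """Map lower-cased directive name -> list of normalized, lower-cased arguments."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":  # skip comments and <Section> tags
            continue
        parts = line.split(None, 1)
        args = parts[1] if len(parts) > 1 else ""
        found.setdefault(parts[0].lower(), []).append(" ".join(args.lower().split()))
    return found

def audit(text):
    """Return sorted finding codes for one scope (.htaccess or one <Directory> body)."""
    d = directives(text)
    findings = set()
    if LEGACY & d.keys():
        findings.add("legacy-directives")
        if "require" in d:
            findings.add("mixed-legacy-and-require")
    if "any" in d.get("satisfy", []) and "from all" in d.get("allow", []):
        findings.add("satisfy-any-with-allow-all")  # host rule alone grants access
    if "authtype" in d and "require" not in d:
        findings.add("authtype-without-require")    # auth configured, never enforced
    return sorted(findings)

# The question's .htaccess, as posted on the page.
QUESTION_HTACCESS = '''
  AuthType Basic
  AuthName "You must log in to view this site."
  AuthUserFile P:/.htpasswd
  Require valid-user
'''

# Constructed sample (hypothetical path): every client satisfies the host rule.
CONSTRUCTED_OPEN = '''
AuthType Basic
AuthUserFile /path/to/htpasswd
Require valid-user
Order allow,deny
Allow from all
Satisfy Any
'''

if __name__ == "__main__":
    for name, text in [("question", QUESTION_HTACCESS), ("constructed", CONSTRUCTED_OPEN)]:
        print(name, audit(text))
```

The question's .htaccess comes back clean, which points the search at what else applies to that directory on the Windows host rather than at the four lines themselves.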