htaccess problem


I am having trouble getting my htaccess to work. I have done this before and I know how to do it but it just will not work.

 

Is there something that I could have changed in httpd.conf to make this not work?

 

No matter how I configure the htaccess I can just waltz right on in to the admin site with no protection.

 

Thanks in advance, Kirk

-------------------------

Thanks, I knew it was there but I just did not want to use it, I was not sure if it would be secure enough.

It also would make me feel like I was not really fixing the problem at hand... just rigging it.

 

However, I may have to break down and use it if I do not get this thing fixed soon.

 

If I chmod the wrong file to 777 or 600 would it cause a problem?

 

That is what I have been doing to secure and unsecure it.

-------------------------

the secure admin mod really isn't that secure... you can waltz into the admin/backups directory and grab the backup of the database (which then will give you the login/password for admin, and info on all customers registered)....

 

.htaccess is much better...

 

kirk, like I said earlier Cpanel made mine for me... let me check out the httpd.conf and .htaccess and .htpassword files on my site and see how Cpanel does it.

The only thing necessary for evil to flourish is for good men to do nothing

- Edmund Burke

-------------------------

thanks, the only thing left that I can think of is that my httpd.conf might have a bad entry somewhere, or as I said, if chmoding the wrong file can mess something up.

-------------------------

I know what you mean. Luckily I waited till Ian finished his OSC Loaded v4 before I started my store. So I didn't have to install the mod. But my provider does provide me with a protected directory, so I have my admin behind both.

The .htaccess file won't work unless the httpd.conf file in Apache is set up to allow it to. There is a post that tells you what needs to be changed, but it does you no good on paid server space. Then you have to contact your provider.

Steve

-------------------------


ok this is how mine looks...

 

.htaccess in /home/newage/public_html/admin looks like:

AuthType Basic
AuthName "Administration Area"
AuthUserFile /home/newage/.htpasswds/admin/passwd
require valid-user

.htaccess is chmoded 644

 

then in /home/newage/.htpasswds/admin/ the file passwd is chmoded 644 and looks like:

username:encrypted_password

 

I think that's all that Cpanel did... you can use this page to make your password encrypted for htaccess if you don't have anything else to do it:

http://www.e2.u-net.com/htaccess/make.htm

-------------------------

Ok I have my own server, and I think the post you are talking about tool crazy might be the same thing that I found on apache.org's FAQ, it says the following:

 

My .htaccess files are being ignored.

This is almost always due to your AllowOverride directive being set incorrectly for the directory in question. If it is set to None then .htaccess files will not even be looked for. If you do have one that is set, then be certain it covers the directory you are trying to use the .htaccess file in. This is normally accomplished by ensuring it is inside the proper Directory container.

 

I added a directory listing for the admin folder and placed an AllowOverride all.

 

but that did not help

 

I will try dreamscapes script and see what happens.

 

I am starting to get the feeling that it is something real stupid that I am missing, I don't know, I will keep trying.

Thanks for the help

-------------------------

Ok after an hour and a half trying to figure out how to restart apache from a telnet I used the script as dreamscape placed it and restarted httpd and still I can waltz right on in to the admin folder, htaccess is completely ignored.

-------------------------

Ok this is driving me crazy

 

I made .htaccess and placed it in admin.

the script is as follows

AuthName "Web Site Authentication"
AuthType Basic
AuthUserFile /root/htpasswd
require valid-user

then I created htpasswd and placed it in root

script is as follows

tctadmin:encrypted password

I have also tried adding things to httpd.conf

I am going to paste it here, so sorry for the extreme size of the paste. Could someone please take a look at it and tell me if they see anything wrong?

## httpd.conf - configuration for the Apache web server

#

# Generated automatically... if you edit manually, the changes will be lost

# the next time you run "apacheconfig".

#

# What we listen to

#

ServerType StandAlone

ServerRoot /etc/httpd/

 

 

 

# We don't handle this yet...

 

 

#

# Dynamic Shared Object (DSO) Support

#

# To be able to use the functionality of a module which was built as a DSO you

# have to place corresponding `LoadModule' lines at this location so the

# directives contained in it are actually available _before_ they are used.

# Please read the file README.DSO in the Apache 1.3 distribution for more

# details about the DSO mechanism and run `httpd -l' for the list of already

# built-in (statically linked and thus always available) modules in your httpd

# binary.

#

# Note: The order is which modules are loaded is important. Don't change

# the order below without expert advice.

#

# Example:

# LoadModule foo_module modules/mod_foo.so

 

#LoadModule mmap_static_module modules/mod_mmap_static.so

LoadModule vhost_alias_module modules/mod_vhost_alias.so

LoadModule env_module modules/mod_env.so

LoadModule config_log_module modules/mod_log_config.so

LoadModule agent_log_module modules/mod_log_agent.so

LoadModule referer_log_module modules/mod_log_referer.so

#LoadModule mime_magic_module modules/mod_mime_magic.so

LoadModule mime_module modules/mod_mime.so

LoadModule negotiation_module modules/mod_negotiation.so

LoadModule status_module modules/mod_status.so

LoadModule info_module modules/mod_info.so

LoadModule includes_module modules/mod_include.so

LoadModule autoindex_module modules/mod_autoindex.so

LoadModule dir_module modules/mod_dir.so

LoadModule cgi_module modules/mod_cgi.so

LoadModule asis_module modules/mod_asis.so

LoadModule imap_module modules/mod_imap.so

LoadModule action_module modules/mod_actions.so

#LoadModule speling_module modules/mod_speling.so

LoadModule userdir_module modules/mod_userdir.so

LoadModule alias_module modules/mod_alias.so

LoadModule rewrite_module modules/mod_rewrite.so

LoadModule access_module modules/mod_access.so

LoadModule auth_module modules/mod_auth.so

LoadModule anon_auth_module modules/mod_auth_anon.so

LoadModule db_auth_module modules/mod_auth_db.so

#LoadModule digest_module modules/mod_digest.so

#LoadModule proxy_module modules/libproxy.so

#LoadModule cern_meta_module modules/mod_cern_meta.so

LoadModule expires_module modules/mod_expires.so

LoadModule headers_module modules/mod_headers.so

#LoadModule usertrack_module modules/mod_usertrack.so

#LoadModule example_module modules/mod_example.so

#LoadModule unique_id_module modules/mod_unique_id.so

LoadModule setenvif_module modules/mod_setenvif.so

#LoadModule bandwidth_module modules/mod_bandwidth.so

#LoadModule put_module modules/mod_put.so

<IfDefine HAVE_PERL>

LoadModule perl_module modules/libperl.so

</IfDefine>

<IfDefine HAVE_PHP>

LoadModule php_module modules/mod_php.so

</IfDefine>

<IfDefine HAVE_PHP3>

LoadModule php3_module modules/libphp3.so

</IfDefine>

<IfDefine HAVE_PHP4>

LoadModule php4_module modules/libphp4.so

</IfDefine>

<IfDefine HAVE_DAV>

LoadModule dav_module modules/libdav.so

</IfDefine>

<IfDefine HAVE_ROAMING>

LoadModule roaming_module modules/mod_roaming.so

</IfDefine>

<IfDefine HAVE_SSL>

LoadModule ssl_module modules/libssl.so

</IfDefine>

 

# Reconstruction of the complete module list from all available modules

# (static and shared ones) to achieve correct module execution order.

# [WHENEVER YOU CHANGE THE LOADMODULE SECTION ABOVE UPDATE THIS, TOO]

ClearModuleList

#AddModule mod_mmap_static.c

AddModule mod_vhost_alias.c

AddModule mod_env.c

AddModule mod_log_config.c

AddModule mod_log_agent.c

AddModule mod_log_referer.c

#AddModule mod_mime_magic.c

AddModule mod_mime.c

AddModule mod_negotiation.c

AddModule mod_status.c

AddModule mod_info.c

AddModule mod_include.c

AddModule mod_autoindex.c

AddModule mod_dir.c

AddModule mod_cgi.c

AddModule mod_asis.c

AddModule mod_imap.c

AddModule mod_actions.c

#AddModule mod_speling.c

AddModule mod_userdir.c

AddModule mod_alias.c

AddModule mod_rewrite.c

AddModule mod_access.c

AddModule mod_auth.c

AddModule mod_auth_anon.c

AddModule mod_auth_db.c

#AddModule mod_digest.c

#AddModule mod_proxy.c

#AddModule mod_cern_meta.c

AddModule mod_expires.c

AddModule mod_headers.c

#AddModule mod_usertrack.c

#AddModule mod_example.c

#AddModule mod_unique_id.c

AddModule mod_so.c

AddModule mod_setenvif.c

#AddModule mod_bandwidth.c

#AddModule mod_put.c

<IfDefine HAVE_PERL>

AddModule mod_perl.c

</IfDefine>

<IfDefine HAVE_PHP>

AddModule mod_php.c

</IfDefine>

<IfDefine HAVE_PHP3>

AddModule mod_php3.c

</IfDefine>

<IfDefine HAVE_PHP4>

AddModule mod_php4.c

</IfDefine>

<IfDefine HAVE_DAV>

AddModule mod_dav.c

</IfDefine>

<IfDefine HAVE_ROAMING>

AddModule mod_roaming.c

</IfDefine>

<IfDefine HAVE_SSL>

AddModule mod_ssl.c

</IfDefine>

 

 

 

 

 

ServerName www.mysite.com

 

ServerAdmin admin-x@i-tct.com

 

Listen *:8000

 

Port 80

 

ScoreBoardFile /var/run/httpd.scoreboard

 

 

# Where do we put the lock and pif files?

LockFile /var/lock/httpd.lock

PidFile /var/run/httpd.pid

CoreDumpDirectory "/etc/httpd"

 

# Documents

DocumentRoot /myfolder/catalog

UserDir public_html

IndexOptions FancyIndexing

 

 

# Who runs the server?

User apache

Group apache

 

# Performance parameters

MaxClients 150

TimeOut 300

KeepAlive false

MaxKeepAliveRequests 100

MaxRequestsPerChild 100

KeepAliveTimeout 15

MinSpareServers 5

MaxSpareServers 20

StartServers 8

 

# Error documents

 

 

 

# Misc

 

 

AccessFileName .htaccess

UseCanonicalName on

TypesConfig /etc/mime.types

DefaultType "text/plain"

 

 

# Defaults for virtual hosts

ServerSignature on

# Logs

 

 

ErrorLog /var/log/httpd/error_log

 

LogLevel warn

 

HostNameLookups Off

 

 

 

 

# Need to fix this

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

LogFormat "%h %l %u %t \"%r\" %>s %b" common

LogFormat "%{Referer}i -> %U" referer

LogFormat "%{User-agent}i" agent

CustomLog /var/log/httpd/access_log common

 

Alias /icons/ "/var/www/icons/"

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

#

# ScriptAlias: This controls which directories contain server scripts.

# ScriptAliases are essentially the same as Aliases, except that

# documents in the realname directory are treated as applications and

# run by the server when requested rather than as documents sent to the client.

# The same rules about trailing "/" apply to ScriptAlias directives as to

# Alias.

#

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

 

#

# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased

# CGI directory exists, if you have that configured.

#

<Directory "/var/www/cgi-bin">

AllowOverride None

Options ExecCGI

Order allow,deny

Allow from all

</Directory>

 

#

# Redirect allows you to tell clients about documents which used to exist in

# your server's namespace, but do not anymore. This allows you to tell the

# clients where to look for the relocated document.

# Format: Redirect old-URI new-URL

#

 

#

# Directives controlling the display of server-generated directory listings.

#

 

#

# FancyIndexing: whether you want fancy directory indexing or standard

#

IndexOptions FancyIndexing

 

#

# AddIcon* directives tell the server which icon to show for different

# files or filename extensions. These are only displayed for

# FancyIndexed directories.

#

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

 

AddIconByType (TXT,/icons/text.gif) text/*

AddIconByType (IMG,/icons/image2.gif) image/*

AddIconByType (SND,/icons/sound2.gif) audio/*

AddIconByType (VID,/icons/movie.gif) video/*

 

AddIcon /icons/binary.gif .bin .exe

AddIcon /icons/binhex.gif .hqx

AddIcon /icons/tar.gif .tar

AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv

AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip

AddIcon /icons/a.gif .ps .ai .eps

AddIcon /icons/layout.gif .html .shtml .htm .pdf

AddIcon /icons/text.gif .txt

AddIcon /icons/c.gif .c

AddIcon /icons/p.gif .pl .py

AddIcon /icons/f.gif .for

AddIcon /icons/dvi.gif .dvi

AddIcon /icons/uuencoded.gif .uu

AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl

AddIcon /icons/tex.gif .tex

AddIcon /icons/bomb.gif core

 

AddIcon /icons/back.gif ..

AddIcon /icons/hand.right.gif README

AddIcon /icons/folder.gif ^^DIRECTORY^^

AddIcon /icons/blank.gif ^^BLANKICON^^

 

#

# DefaultIcon: which icon to show for files which do not have an icon

# explicitly set.

#

DefaultIcon /icons/unknown.gif

 

#

# AddDescription: allows you to place a short description after a file in

# server-generated indexes. These are only displayed for FancyIndexed

# directories.

# Format: AddDescription "description" filename

#

#AddDescription "GZIP compressed document" .gz

#AddDescription "tar archive" .tar

#AddDescription "GZIP compressed tar archive" .tgz

 

#

# ReadmeName: the name of the README file the server will look for by

# default, and append to directory listings.

#

# HeaderName: the name of a file which should be prepended to

# directory indexes.

#

# The server will first look for name.html and include it if found.

# If name.html doesn't exist, the server will then look for name.txt

# and include it as plaintext if found.

#

ReadmeName README

HeaderName HEADER

 

#

# IndexIgnore: a set of filenames which directory indexing should ignore

# and not include in the listing. Shell-style wildcarding is permitted.

#

IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

 

#

# AddEncoding: allows you to have certain browsers (Mosaic/X 2.1+) uncompress

# information on the fly. Note: Not all browsers support this.

# Despite the name similarity, the following Add* directives have nothing

# to do with the FancyIndexing customization directives above.

#

AddEncoding x-compress Z

AddEncoding x-gzip gz tgz

 

#

# AddLanguage: allows you to specify the language of a document. You can

# then use content negotiation to give a browser a file in a language

# it can understand. Note that the suffix does not have to be the same

# as the language keyword --- those with documents in Polish (whose

# net-standard language code is pl) may wish to use "AddLanguage pl .po"

# to avoid the ambiguity with the common suffix for perl scripts.

#

AddLanguage en .en

AddLanguage fr .fr

AddLanguage de .de

AddLanguage da .da

AddLanguage el .el

AddLanguage it .it

 

#

# LanguagePriority: allows you to give precedence to some languages

# in case of a tie during content negotiation.

# Just list the languages in decreasing order of preference.

#

LanguagePriority en fr de

 

#

# AddType: allows you to tweak mime.types without actually editing it, or to

# make certain files to be certain types.

#

# The following is for PHP4 (conficts with PHP/FI, below):

<IfModule mod_php4.c>

AddType application/x-httpd-php .php4 .php3 .phtml .php

AddType application/x-httpd-php-source .phps

</IfModule>

 

# The following is for PHP3:

<IfModule mod_php3.c>

AddType application/x-httpd-php3 .php3

AddType application/x-httpd-php3-source .phps

</IfModule>

 

# The following is for PHP/FI (PHP2):

<IfModule mod_php.c>

AddType application/x-httpd-php .phtml

</IfModule>

 

AddType application/x-tar .tgz

 

#

# AddHandler: allows you to map certain file extensions to "handlers",

# actions unrelated to filetype. These can be either built into the server

# or added with the Action command (see below)

#

# If you want to use server side includes, or CGI outside

# ScriptAliased directories, uncomment the following lines.

#

# To use CGI scripts:

#

#AddHandler cgi-script .cgi

 

#

# To use server-parsed HTML files

#

AddType text/html .shtml

AddHandler server-parsed .shtml

 

#

# Uncomment the following line to enable Apache's send-asis HTTP file

# feature

#

#AddHandler send-as-is asis

 

#

# If you wish to use server-parsed imagemap files, use

#

AddHandler imap-file map

 

#

# The following directives modify normal HTTP response behavior.

# The first directive disables keepalive for Netscape 2.x and browsers that

# spoof it. There are known problems with these browser implementations.

# The second directive is for Microsoft Internet Explorer 4.0b2

# which has a broken HTTP/1.1 implementation and does not properly

# support keepalive when it is used on 301 or 302 (redirect) responses.

#

BrowserMatch "Mozilla/2" nokeepalive

BrowserMatch "MSIE 4.0b2;" nokeepalive downgrade-1.0 force-response-1.0

 

#

# The following directive disables HTTP/1.1 responses to browsers which

# are in violation of the HTTP/1.0 spec by not being able to grok a

# basic 1.1 response.

#

BrowserMatch "RealPlayer 4.0" force-response-1.0

BrowserMatch "Java/1.0" force-response-1.0

BrowserMatch "JDK/1.0" force-response-1.0

 

 

# If the perl module is installed, this will be enabled.

<IfModule mod_perl.c>

Alias /perl/ /var/www/perl/

<Location /perl>

SetHandler perl-script

PerlHandler Apache::Registry

Options +ExecCGI

</Location>

</IfModule>

 

#

# Allow http put (such as Netscape Gold's publish feature)

# Use htpasswd to generate /etc/httpd/conf/passwd.

# You must unremark these two lines at the top of this file as well:

#LoadModule put_module modules/mod_put.so

#AddModule mod_put.c

#

#Alias /upload /tmp

#<Location /upload>

# EnablePut On

# AuthType Basic

# AuthName Temporary

# AuthUserFile /etc/httpd/conf/passwd

# EnableDelete Off

# umask 007

# <Limit PUT>

# require valid-user

# </Limit>

#</Location>

 

#

# Allow server status reports, with the URL of http://servername/server-status

# Change the ".your_domain.com" to match your domain to enable.

#

#<Location /server-status>

# SetHandler server-status

# Order deny,allow

# Deny from all

# Allow from .your_domain.com

#</Location>

 

#

# Allow remote server configuration reports, with the URL of

# http://servername/server-info (requires that mod_info.c be loaded).

# Change the ".your_domain.com" to match your domain to enable.

#

#<Location /server-info>

# SetHandler server-info

# Order deny,allow

# Deny from all

# Allow from .your_domain.com

#</Location>

 

# Allow access to local system documentation from localhost

Alias /doc/ /usr/share/doc/

<Location /doc>

order deny,allow

deny from all

allow from localhost

Options Indexes FollowSymLinks

</Location>

 

#

<IfDefine HAVE_SSL>

##

## SSL Virtual Host Context

##

 

# Apache will only listen on port 80 by default. Defining the virtual server

# (below) won't make it automatically listen on the virtual server's port.

Listen 443

 

<VirtualHost _default_:443>

 

# General setup for the virtual host

DocumentRoot "/myfolder/catalog"

 

# SSL Engine Switch:

# Enable/Disable SSL for this virtual host.

SSLEngine on

 

# SSL Cipher Suite:

# List the ciphers that the client is permitted to negotiate.

# See the mod_ssl documentation for a complete list.

#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

 

# Server Certificate:

# Point SSLCertificateFile at a PEM encoded certificate. If

# the certificate is encrypted, then you will be prompted for a

# pass phrase. Note that a kill -HUP will prompt again. A test

# certificate can be generated with `make certificate' under

# built time. Keep in mind that if you've both a RSA and a DSA

# certificate you can configure both in parallel (to also allow

# the use of DSA ciphers, etc.)

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

#SSLCertificateFile /etc/httpd/conf/ssl.crt/server-dsa.crt

 

# Server Private Key:

# If the key is not combined with the certificate, use this

# directive to point at the key file. Keep in mind that if

# you've both a RSA and a DSA private key you can configure

# both in parallel (to also allow the use of DSA ciphers, etc.)

SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server-dsa.key

 

# Server Certificate Chain:

# Point SSLCertificateChainFile at a file containing the

# concatenation of PEM encoded CA certificates which form the

# certificate chain for the server certificate. Alternatively

# the referenced file can be the same as SSLCertificateFile

# when the CA certificates are directly appended to the server

# certificate for convinience.

#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt

 

# Certificate Authority (CA):

# Set the CA certificate verification path where to find CA

# certificates for client authentication or alternatively one

# huge file containing all of them (file must be PEM encoded)

# Note: Inside SSLCACertificatePath you need hash symlinks

# to point to the certificate files. Use the provided

# Makefile to update the hash symlinks after changes.

#SSLCACertificatePath /etc/httpd/conf/ssl.crt

#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt

 

# Certificate Revocation Lists (CRL):

# Set the CA revocation path where to find CA CRLs for client

# authentication or alternatively one huge file containing all

# of them (file must be PEM encoded)

# Note: Inside SSLCARevocationPath you need hash symlinks

# to point to the certificate files. Use the provided

# Makefile to update the hash symlinks after changes.

#SSLCARevocationPath /etc/httpd/conf/ssl.crl

#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl

# Client Authentication (Type):

# Client certificate verification type and depth. Types are

# none, optional, require and optional_no_ca. Depth is a

# number which specifies how deeply to verify the certificate

# issuer chain before deciding the certificate is not valid.

#SSLVerifyClient require

#SSLVerifyDepth 10

 

# Access Control:

# With SSLRequire you can do per-directory access control based

# on arbitrary complex boolean expressions containing server

# variable checks and other lookup directives. The syntax is a

# mixture between C and Perl. See the mod_ssl documentation

# for more details.

#<Location />

#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/

# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd."

# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}

# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5

# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 )

# or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/

#</Location>

# SSL Engine Options:

# Set various options for the SSL engine.

# o FakeBasicAuth:

# Translate the client X.509 into a Basic Authorisation. This means that

# the standard Auth/DBMAuth methods can be used for access control. The

# user name is the `one line' version of the client's X.509 certificate.

# Note that no password is obtained from the user. Every entry in the user

# file needs this password: `xxj31ZMTZzkVA'.

# o ExportCertData:

# This exports two additional environment variables: SSL_CLIENT_CERT and

# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the

# server (always existing) and the client (only existing when client

# authentication is used). This can be used to import the certificates

# into CGI scripts.

# o StdEnvVars:

# This exports the standard SSL/TLS related `SSL_*' environment variables.

# Per default this exportation is switched off for performance reasons,

# because the extraction step is an expensive operation and is usually

# useless for serving static content. So one usually enables the

# exportation for CGI and SSI requests only.

# o CompatEnvVars:

# This exports obsolete environment variables for backward compatibility

# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this

# to provide compatibility to existing CGI scripts.

# o StrictRequire:

# This denies access when "SSLRequireSSL" or "SSLRequire" applied even

# under a "Satisfy any" situation, i.e. when it applies access is denied

# and no other module can change it.

# o OptRenegotiate:

# This enables optimized SSL connection renegotiation handling when SSL

# directives are used in per-directory context.

#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

<Files ~ "\.(cgi|shtml)$">

SSLOptions +StdEnvVars

</Files>

<Directory "/var/www/cgi-bin">

SSLOptions +StdEnvVars

</Directory>

 

# Notice: Most problems of broken clients are also related to the HTTP

# keep-alive facility, so you usually additionally want to disable

# keep-alive for those clients, too. Use variable "nokeepalive" for this.

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

 

# Per-Server Logging:

# The home of a custom SSL log file. Use this when you want a

# compact non-error SSL logfile on a virtual host basis.

CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

 

</VirtualHost>

 

</IfDefine>

# Virtual hosts

 

 

# Virtual host www.mysite.com

<VirtualHost >

DocumentRoot /myfolder/catalog

 

ServerAdmin webmaster@i-tct.com

ServerName _default_

 

 

 

DirectoryIndex default.php index.php index.html index.htm index.shtml

 

<Directory "/myfolder/catalog/">

AllowOverride none

 

 

 

</Directory>

LogLevel debug

HostNameLookups off

 

 

 

 

</VirtualHost>

 

 

 

 

# Directories...

 

<Directory "/">

Options FollowSymLinks

 

AllowOverride None

 

 

 

</Directory>

 

<Directory "/myfolder/catalog">

Options Indexes Includes FollowSymLinks

 

AllowOverride None

Allow from from all

 

 

Order Deny,Allow

</Directory>

 

<Directory "/var/www/icons">

Options Indexes MultiViews

 

AllowOverride None

Allow from from all

 

 

Order allow,deny

</Directory>

 

<Directory "/var/www/cgi-bin">

Options ExecCGI

 

AllowOverride None

Allow from from all

 

 

Order allow,deny

</Directory>

 

<Directory /myfolder/catalog/admin>

AuthType Basic

AuthName "Secure Area"

AuthUserFile /root/passwd

</Directory>

-------------------------

Ok this is driving me crazy

 

I made .htaccess and placed it in admin.

the script is as follows

AuthName "Web Site Authentication"
AuthType Basic
AuthUserFile /root/htpasswd
require valid-user

 

It should be .htpasswd not htpasswd

-------------------------

I tried that too, but I will try again

 

Here are my files as they read:

 

ssl.conf (assuming will work the same in httpd.conf)

 

DocumentRoot /var/www/secure
ServerName shopwithme.ca
ServerAlias www.shopwithme.ca
ServerAdmin admin@internet-helpers.net
Options ExecCGI
ErrorLog logs/error_log
TransferLog logs/access_log
<Directory "/var/www/secure/admin">
deny from all
AllowOverride AuthConfig
Order deny,allow
</Directory>

 

and my .htaccess reads as the following:

 

cat .htaccess
AuthType Basic
AuthUserFile /etc/httpd/conf/.htpasswd
AuthName Shopwithme_Admin
require valid-user
satisfy any

 

And this has password protected my admin directories so it needs authentication to get into the system.

-------------------------

Oh my God... I tried your settings and they did not work, but I took out the cat .htaccess and just added the satisfy any and voila

It is working.

I do not understand why there are so many ways to write these little scripts when they all do basically the same thing. I have tried it as seen about 5 different ways and yours finally worked.

The weird thing is last time I did not have to do this, I just used the basics and it worked.

Sorry for all of the trouble guys and thanks for the answer RobG

-------------------------

I know that some later installations of Apache have 2 .conf files. I know the ones that I've been dealing with in Debian and Mandrake are set up that way. I can't for the life of me remember what the name of the other file is. The last time I edited it was a year ago when I set up my server. And it has been set up since, or at least until the power supply went bad. If you want I'll research it when I get home tonight.

Steve

-------------------------


Oh my God... I tried your settings and they did not work, but I took out the cat .htaccess and just added the satisfy any and voila

It is working.

I do not understand why there are so many ways to write these little scripts when they all do basically the same thing. I have tried it as seen about 5 different ways and yours finally worked.

The weird thing is last time I did not have to do this, I just used the basics and it worked.

Sorry for all of the trouble guys and thanks for the answer RobG

 

No Problem :) .. the cat .htaccess is actually just a copy from my command line.. guess I grabbed a little too much there :)

-------------------------

Archived

This topic is now archived and is closed to further replies.
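
Added example (not code from the thread or from the Apache project): a small Python model of how Apache 1.3/2.2-era AllowOverride, require and Satisfy combine for the admin directory, run against the configuration trimmed from the posts above. It handles only literal <Directory> paths and "from all" host rules; the function names and the FIXED_CONF variant are constructed for illustration.

```python
import re

# Override class Apache 1.3/2.2 demands before accepting a directive in .htaccess.
OVERRIDE_CLASS = dict.fromkeys(
    ("authtype", "authname", "authuserfile", "require", "satisfy"), "authconfig")
HOST_GROUP = ("order", "allow", "deny")
OVERRIDE_CLASS.update(dict.fromkeys(HOST_GROUP, "limit"))

def parse_directives(text):
    """Return [(name, args)] lower-cased, skipping comments and <Section> tags."""
    rows = (line.strip().lower().split(None, 1) for line in text.splitlines())
    return [(r[0], r[1] if len(r) > 1 else "")
            for r in rows if r and r[0][0] not in "#<"]

def directory_sections(conf):
    """Map each literal <Directory> path to the directives inside it."""
    live = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    tag = r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>'
    sections = {}
    for path, body in re.findall(tag, live, re.S | re.I):
        sections.setdefault(path.rstrip("/") or "/", []).extend(parse_directives(body))
    return sections

def apply(state, directives):
    """Layer directives onto state; Order/Allow/Deny are replaced as one group."""
    if any(name in HOST_GROUP for name, _ in directives):
        for name in HOST_GROUP:
            state.pop(name, None)
    for name, args in directives:
        if name in ("allow", "deny"):  # only "from all" is modelled
            state[name] = state.get(name, False) or "all" in args.split()
        else:
            state[name] = args

def evaluate(conf, target, htaccess):
    """Return (effective AllowOverride, outcome for a client sending no password)."""
    state = {}
    sections = directory_sections(conf)
    for path in sorted(sections, key=len):  # shortest path first, as Apache merges
        if path == "/" or target == path or target.startswith(path + "/"):
            apply(state, sections[path])
    override = state.get("allowoverride", "all").split()  # 1.3/2.2 default is All
    shown = " ".join(override)
    if "none" not in override:  # with None the .htaccess file is never read
        extra = parse_directives(htaccess)
        if "all" not in override and any(
                OVERRIDE_CLASS.get(name) not in override for name, _ in extra):
            return shown, "500 server error"  # directive "not allowed here"
        apply(state, extra)
    needs_login = "require" in state
    if needs_login and not all(k in state for k in ("authtype", "authuserfile")):
        return shown, "500 server error"  # require without a usable auth setup
    allow, deny = state.get("allow", False), state.get("deny", False)
    if state.get("order", "deny,allow").replace(" ", "") == "allow,deny":
        host_ok = allow and not deny  # default deny, Deny wins
    else:
        host_ok = allow or not deny  # default allow, Allow wins
    satisfy_any = state.get("satisfy") == "any"
    if host_ok and (satisfy_any or not needs_login):
        return shown, "open"
    if needs_login and (host_ok or satisfy_any):
        return shown, "password required"
    return shown, "forbidden"

# Trimmed from the httpd.conf and .htaccess posted in the thread.
KIRK_CONF = """\
<Directory "/myfolder/catalog">
AllowOverride None
Allow from from all
Order Deny,Allow
</Directory>
<Directory /myfolder/catalog/admin>
AuthType Basic
AuthUserFile /root/passwd
</Directory>
"""
KIRK_HTACCESS = """\
AuthName "Web Site Authentication"
AuthType Basic
AuthUserFile /root/htpasswd
require valid-user
"""
# Constructed variant: let the admin directory honour auth directives.
FIXED_CONF = KIRK_CONF.replace("AuthType Basic", "AllowOverride AuthConfig\nAuthType Basic")

if __name__ == "__main__":
    for conf, ht in ((KIRK_CONF, KIRK_HTACCESS), (FIXED_CONF, KIRK_HTACCESS),
                     (FIXED_CONF, KIRK_HTACCESS + "satisfy any\n")):
        print(evaluate(conf, "/myfolder/catalog/admin", ht))
```

In this model the posted httpd.conf leaves the admin directory open because AllowOverride None stops the .htaccess from being read and the <Directory> block itself has no require line. Satisfy any only forces a login when the host rules deny the client, as the "deny from all" in the ssl.conf post does.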
