[techtalk] .htaccess problem

[Almut Behrens]

On Sat, May 26, 2001 at 01:07:47AM -0700, terry wrote:
> Almut Behrens wrote:
> > ... not meant to be a RTFM (M = message, here ;), but what's the
> > error_log saying?
> 
> It says:
>  /usr/local/httpd/htdocs/.htaccess: AuthName not allowed here

hmm, this is strange -- I thought you had "AllowOverride AuthConfig"
specified for that directory.
Well, let me know if you want to use the .htaccess file mode. Then we
can take another look at that issue. Else, I think we should leave it
as it is for the time being...

> > (1) are you sure you really want an .htaccess file here -- putting the
> > respective auth-directives in <Directory> would work too. Does
> > the access/authentication need to be run-time configurable?
> > (This is a performance aspect only -- things do work with .htaccess
> > equally)
> 
> I'm not sure I understand - do you mean:
> --------------------
> <Directory "/usr/local/httpd/htdocs">
> 
> AuthName "Page page"
> 
> AuthType Basic
> AuthUserFile /home/ev/public_html/.htpassword
> order allow,deny
> Allow from all
> 
> require valid-user
> satisfy any

Exactly. The problem is the "satisfy ANY" -- if you have "Allow from all"
you need "satisfy all", otherwise access will be granted via host based
access control, which is always true when it's "from all"...

> > (2) -- cut 'n pasted from the manual:
> > "Security: make sure that the AuthUserFile is stored outside the
> > document tree of the web-server; do not put it in the directory that it
> > protects. Otherwise, clients will be able to download the AuthUserFile."
> > (reason is the same that shadow passwords were invented for *nix)
> 
> Config file says the following, but yes, I meant to move it
> once I got it working - I wanted to be sure it was finding the file.
> Got a little frustrated and started trying random stuff, I guess.

no need to justify yourself :) -- not a big issue anyway.
I didn't intend to make you look stupid. And sorry, if it sounded
a bit snooty.

- Almut