[C.J. Moof]

I'm trying to set up simple .htaccess authentication to a webpage on my Xserve. I've created a .htaccess file and configured it, and made the password hashes via the htpasswd command, yet I never get asked for a user/pass pair when I hit this directory- it always loads right up. I've done the exact same steps on my linux server, and it does exactly what I expect it to- display a user/pass dialog.

It seems as if somewhere Apache is configured to disregard a directory's .htaccess file. Is this possible, and if so, where do I tell it to stop doing that?

[Rainy Day]

There is indeed an Apache configuration directive to enable/disable .htaccess files. Not sure what it is offhand, however. It may very well default to off, which would make sense as .htaccess adds considerable overhead to Apache and slows it down.

I don't think there's anything which can be done in an .htaccess file which can't be done in a configuration file. So unless you have "users" on your system who need .htaccess control and whom you don't trust to have access to configuration files (configuration files allow greater control over the server than what .htaccess permits), you're better off leaving .htaccess disabled and using your local configuration file instead.

Under MacOS X, leave the main Apache configuration file /etc/httpd/httpd.conf alone. Apple provides you with your own configuration file in /etc/httpd/users/. Anything in these local configuration files load after the main file, and can therefore override it. And changes you make won't go away if a MacOS X update comes along which replaces the main configuration file. This is not uncommon, btw!

Important safety tip: Please note that any file in this directory is parsed by Apache on startup, so don't put any files in it you don't want parsed (e.g. backup copies of a configuration file you're playing with).

The drawback to using the configuration file approach is that you need to restart Apache after making changes; not the case with .htaccess. That's also the reason why this approach creates less overhead for Apache.

[C.J. Moof]

So you're saying I should whip up my own config file at /etc/httpd/users/httpd.conf , with it's own instructions regarding the acceptable user/pass pairs for the directory I want to protect?

There are no user web accounts on this box, it's a file server and development web server. I keep a phpbb forum that I use as a data depository at www.webpage.com/forum, and while it requires user/pass pairs to participate in it, I don't even want strangers just stumbling upon it to see the categories- hence the desire for .htaccess user/pass requirement.

[Rainy Day]

Originally posted by C.J. Moof:
So you're saying I should whip up my own config file at /etc/httpd/users/httpd.conf , with it's own instructions regarding the acceptable user/pass pairs for the directory I want to protect?

Well, i'd give the file a different name, just so it's not confused with the main httpd.conf file, but yes. You'll probably already have a username.conf file in the directory. Since it doesn't matter what the files are named (i.e. since they are all included by the main configuration file), nor how many you have, i'd name them by their function. For example, a file which controls access i might name access.conf, whereas a file setting up virtual hosts i might name virtual_hosts.conf.

Apache has very good on-line documentation (a copy of which is on your computer already) and each configuration directive is well documented (including where it may be used). You'll need to wrap your access control commands (from your non-functioning .htaccess file) inside a <directory> block. Other than that, it's pretty much the same stuff.

[C.J. Moof]

Garrrgh. This is frustrating- doubly so b/c I did this in 5 minutes on RedHat. Okay- so first I make my /etc/httpd/users/access.conf file:

Code:
<Directory /Library/WebServer/Documents/test>
AllowOverride All
AuthUserFile /Library/WebServer/Documents/test/.htpasswd
AuthGroupFile /dev/null
AuthName "The Secret Page"
AuthType Basic

<Limit GET POST>
require valid-user
</Limit>
</Directory>

and within /Library/WebServer/Documents/test/.htpasswd there's the username I entered and it's hash.

Do apachectl stop and start to bring it up. Hit the webpage, it loads up my little placeholder index.html file, and I never get asked for authentication. I don't get it.

[Rainy Day]

Hmmm, three possible issues here:[list=1][*]First, my comments above are true for MacOS X client; not sure if things are exactly the same if you're using MacOS X Server. Some directories may be different (e.g. /etc/httpd/users/).

If you're using server, you might want to verify your newly created access.conf file is indeed being read. One way to do that is put in a bogus directive; that should cause Apache to choke on startup.

If you're using regular ol' MacOS X (client), then ignore this item.
[*]The path /Library/WebServer/Documents/test looks wrong to me, at least for MacOS X client, so unless you're running MacOS X Server, or unless you've rearranged things elsewhere in the configuration file, this could be the problem.

In MacOS X client, usually web pages are served out of ~/Sites/
[*]Be sure to move your browser to a different page and clear out its cache before testing![/list=1]

[Rainy Day]

Actually, regarding item #1 above, if you do a tail /etc/httpd/httpd.conf you should see a line like this (typically the very last line):

Code:
Include /private/etc/httpd/users

That's what includes all the files in the /etc/httpd/users directory. That'll tell you if the directory is correct or not.

[C.J. Moof]

Originally posted by Rainy Day:
Hmmm, three possible issues here:[list=1][*]First, my comments above are true for MacOS X client; not sure if things are exactly the same if you're using MacOS X Server. Some directories may be different (e.g. /etc/httpd/users/).

If you're using server, you might want to verify your newly created access.conf file is indeed being read. One way to do that is put in a bogus directive; that should cause Apache to choke on startup.

If you're using regular ol' MacOS X (client), then ignore this item.
[*]The path /Library/WebServer/Documents/test looks wrong to me, at least for MacOS X client, so unless you're running MacOS X Server, or unless you've rearranged things elsewhere in the configuration file, this could be the problem.

In MacOS X client, usually web pages are served out of ~/Sites/
[*]Be sure to move your browser to a different page and clear out its cache before testing![/list=1]

1) It is OS X server. I tried putting a garbage entry in my access.conf, and it didn't complain about it... makes me think it never saw it. The /etc/httpd/users/ directory was there before I made access.conf, it was just empty.

2) /Library/WebServer/Documents is OS X server's default home for webpages.

3) Caches cleared, multiple browsers on multiple computers hitting it... never throws out the user/pass request.

My tail on httpd.conf doesn't show the include.

<time passes>

FOUND IT!

On OS X server, it seems the intelligent way to get this done is to use Realms. You use the Server Settings app, go to Internet, and configure Web. Open the host you want to edit, use the Access tab, then drag in users from the Workgroup Manager. They can log in with their server account credentials.

Thanks for your time poking around this with me, Rain. (I can call ya rain for short, right? )

[Rainy Day]

Originally posted by C.J. Moof:
My tail on httpd.conf doesn't show the include.

In retrospect, i should have suggested grep -i ^include /etc/httpd/httpd.conf, just in case it's elsewhere in the file.

But that's moot now. Glad you figured it out!

Thanks for your time poking around this with me, Rain.

You're welcome!

(I can call ya rain for short, right? )

Well, i suppose we know each other well enough now.