1

Topic: Need to password protect Apache subdir

==== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Ubuntu Server 14.04
- Related log if you're reporting an issue:
====

How can I password protect a subdir of an existing Apache dir? I'm asking here because I set up iRedMail on a fresh server install, so the rest of my web sites use that setup. My sites run just fine, but I really want to HTTP password protect subdirs of those sites. I've been all over the place looking for an answer with no luck. I've already tried a few configs, any of which should have worked but don't.

This is one config I tried:

<VirtualHost *:80>
    ServerAdmin (email)
    ServerName (domain).com
    ServerAlias www.(domain).com
    DocumentRoot /var/www/(dir)
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/(dir)/(subdir)>
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile "/path/to/authfile"
        Require valid-user
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

This results in seeing this in my browser:

Unauthorized

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

The Apache error.log says

[Sun Jul 13 21:13:16.809158 2014] [:error] [pid 17914] No requires line available

I would appreciate any advice on why this is happening and how to fix it.

I also wouldn't mind making this work using mysql/dbd auth, if anyone can tell me what a working vhost config should look like.


2

Re: Need to password protect Apache subdir

Does it work if you add one more directive:

AuthBasicProvider file

Or

audiodef wrote:

        Require valid-user
        Order allow,deny
        Allow from all

Does it work if you remove the last 2 lines in the above snippet?

3

Re: Need to password protect Apache subdir

Thanks for your reply! Neither of those suggestions works. I've read that Ubuntu Server 14.04 broke something with HTTP auth because it uses Apache 2.4 instead of 2.2. I'm starting to wonder if I was wrong to install 14.04, but I REALLY don't want to have to rebuild my server, because I did that recently already.

4

Re: Need to password protect Apache subdir

It should work if you have the Apache module "access_compat" enabled. As far as I know, it's enabled on Ubuntu 14.04 by default.

# a2enmod access_compat

After enabling this module, your ACL should work as expected.

Another reference: http://blog.hqcodeshop.fi/archives/63-M … e-2.4.html

5

Re: Need to password protect Apache subdir

access_compat is enabled. I tried some advice from here, but continued to get the same error, or got no auth prompt at all in the case of using Require all granted or <Location>. Adding a <proxy> clause just caused Apache to throw an error on restart.

Maybe I should just downgrade to Apache 2.2?

6

Re: Need to password protect Apache subdir

They're probably going to shoot it down (they almost always do), but I reported this as a bug to Ubuntu. It seems appropriate, especially considering that my config appears correct and yet it doesn't work.

7

Re: Need to password protect Apache subdir

I just found this: https://wiki.apache.org/httpd/PasswordBasicAuth

And I still get the same error.

I've made a terrible mistake using Ubuntu. I should have gone with CentOS or Debian. I actually prefer Gentoo, but I wasn't able to install iRedMail on Gentoo - apt-get is not a Gentoo command.

8

Re: Need to password protect Apache subdir

It works for me here with the below setting in the default VirtualHost:

<Directory /var/www/html/abc/def>
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile "/etc/test-auth-file"
        Require valid-user
        Order allow,deny
        Allow from all
</Directory>

9

Re: Need to password protect Apache subdir

If I put that in 000-default.conf, nothing at all happens. If I put that in my site's vhost conf, I get the error I described.

I submitted a bug report to Ubuntu, but I can't tell if they're taking it seriously.

10

Re: Need to password protect Apache subdir

No idea yet; it works for me with the pasted code. I suggest you set up a new VM without adding a new virtual host in Apache and just test password protection. Make it simple.
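
Posts 3 to 5 turn on Apache 2.4 using `Require` for authorization while the 2.2 `Order`/`Allow` directives survive only through access_compat. As an added example (not from any poster, and not a confirmed fix for the error in this thread), this Python script reports which sections of a config mix the two styles or set up auth without a `Require` line; `audit`, `judge` and the `/abc/new` path are hypothetical names.

```python
import re

# Apache 2.2 access-control directives (provided by mod_access_compat on 2.4).
LEGACY = {"order", "allow", "deny", "satisfy"}
AUTH = {"authtype", "authname", "authuserfile", "authbasicprovider"}
SECTION = re.compile(r"<(/?)((?:Directory|Location|Files)(?:Match)?)\s*([^>]*)>", re.I)

def judge(seen):
    out = []  # findings for one section, from the directive names seen in it
    if seen & LEGACY and "require" in seen:
        out.append("mixes 2.2 Order/Allow/Deny/Satisfy with 2.4 Require")
    if seen & AUTH and "require" not in seen:
        out.append("auth directives present but no Require line")
    return out

def audit(conf_text):
    """Map each <Directory>/<Location>/<Files> section to its findings."""
    findings, stack = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m and m.group(1):                 # closing tag: judge the section
            if stack:
                name, seen = stack.pop()
                findings[name] = judge(seen)
        elif m:                              # opening tag: start collecting
            stack.append((f"{m.group(2)} {m.group(3).strip()}", set()))
        elif stack and line and not line.startswith(("<", "#")):
            stack[-1][1].add(line.split()[0].lower())
    return findings

# Constructed sample: first block follows post 8; /abc/new is hypothetical.
SAMPLE = """
<Directory /var/www/html/abc/def>
    AuthType Basic
    AuthUserFile "/etc/test-auth-file"
    Require valid-user
    Order allow,deny
    Allow from all
</Directory>
<Directory /var/www/html/abc/new>
    AuthType Basic
    AuthUserFile "/etc/test-auth-file"
    Require valid-user
</Directory>
"""

if __name__ == "__main__":
    for section, notes in audit(SAMPLE).items():
        print(section, "->", notes or "ok")
```

The script only reads directive names inside each section; it does not follow `Include` lines or `.htaccess` files, so run it over each vhost file that applies to the directory in question.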