Directory Restricted Access and .htaccess file

Discussion in 'Install/Configuration' started by SAngeli, May 27, 2012.

  1. SAngeli

    SAngeli New Member

    Hi,
    I am hosted on Linux OS (Apache and LiteSpeed web services).
    DirectAdmin is the management interface for setting up my websites.
    I asked to password protect access to a specific directory for web access and indeed it works. I also asked to be able to customize website error code output and was told to edit .htaccess file.
    End result, I was told by tech support the following:

    "It seems the password protection rules and customizing 401 error codes don't work together.
    ...see how to get both the functions working together... customizing the .htaccess rules..."


    This is what is used (retrieved from DirectAdmin system info):
    Apache 2.2.17
    DirectAdmin 1.37.0
    Php 5.2.17

    and from the website, when I simulate an error: "Powered By LiteSpeed Web Server"

    Can someone please help me?

    Thank you,
    Spiro
  2. webizen

    webizen New Member

    you can post the snippet of .htaccess here. we will take a look.
  3. SAngeli

    SAngeli New Member

    Hello and thank you for your reply.

    Originally, when I assigned, via DA File Manager, Directory restriction the content of ".htaccess" file was:

    Code:
    AuthGroupFile /dev/null
    AuthType Basic
    AuthUserFile /home/sangeli/domains/surf.com/.htpasswd/public_html/test/.htpasswd
    AuthName "Test Directory"
    require valid-user

    Restriction was working properly, but at logon, if I was hitting Escape or not properly validating, I was getting error code "401" but did not like the fact that it was not customized. So I asked how to point to proper custom error code for 401.shtml 403.shtml 404.shtml 500.shtml files.
    So, I was advised to add on the first line of ".htaccess" file the following:

    Code:
    ErrorDocument 401 http://surf.com/401.shtml

    This way, the directory password restricted area did not work any longer and I was getting immediately this error 401 webpage.

    What I wish to do is being able to password protect a directory and custom make those error code webpages "xxx.shtml".

    I wish to know how to do so, where to place those error shtml files and if there is anything else recommended in order to properly customize this ".htaccess" file.

    Lastly, if possible, can you please refer me to a correct documentation on the web, I do not know if it has to be LiteSpeed specific, so I can additionally read and learn?

    Thank you so much for your help,
    Spiro
  4. webizen

    webizen New Member

    http://httpd.apache.org/docs/2.0/mod/core.html#errordocument

  5. SAngeli

    SAngeli New Member

    Hi and thank you for your link.

    I did some testing and was able to get it to work.
    I noticed that whenever I use http://www.... it automatically redirects to a URL and does not allow the error to manifest.
    So, if I would type
    Code:
    ErrorDocument 401 http://www.google.it

    when trying to access this website with restricted access, rather than popping up the validation Username and Password it goes automatically to the link.
    The info in the docs you provided me with instead states that I can use something like in their example (ErrorDocument 500 http://foo.example.com/cgi-bin/tester) but why such behavior rather than prompting me for user credentials?

    Should those ErrorDocument statements be all the way at the top of the .htaccess file, or can they be anywhere?

    Also, do you know if .htaccess is a file that robots, spiders, web crawlers can read or access? This question is for security purpose.

    One last question: Is there a way to limit the number of times a user can retry to input Username and Password (when the credentials are wrong) before the system does not allow it again and, if the user insists, blocks them for a while?

    Thank you,
    Spiro
  6. webizen

    webizen New Member

    Please refer to the same section:
    Note that when you specify an ErrorDocument that points to a remote URL (ie. anything with a method such as http in front of it), Apache will send a redirect to the client to tell it where to find the document, even if the document ends up being on the same server. This has several implications, the most important being that the client will not receive the original error status code, but instead will receive a redirect status code.

    Doesn't matter where it is placed in .htaccess. Behavior will not change.

    You use robots.txt and place it under DocRoot.

    This usually should be done by something outside of LSWS such as your application or security measure (firewall, etc).
  7. SAngeli

    SAngeli New Member

    Hello,

    I thank you for all the explanations.
    Despite the answer kindly provided regarding the ErrorDocument, I find it difficult to properly understand why the http:// does not work.
    When I write in .htaccess the following line "ErrorDocument 401 http://surf.com/401.shtml" the system should redirect to that URL only if the error 401 occurs.
    In my case, when I type http://www.site.com/test and hit enter, the web browser points to this website, and it redirects immediately to the URL rather than asking me for username and password.
    This is the exact part that I do not understand and wish to ask again for help.

    If the ErrorDocument kicks in only when the error occurs it should not matter, regardless of the technicalities, but this is not the way the server behaves.

    Why when I do not use a http:// I am able to get the username and password windows prompted and when instead I do use the http:// not?

    This is what I wish to solve.

    I tried to ask in IRC at Apache channel for support and they were able to note that the website is immediately redirecting to another url but they are unable to support me because I am not using Apache.

    Thank you,
    Spiro




  8. webizen

    webizen New Member

    This behavior (redirect instead of asking user/passwd for remote URL) is not a problem but how Apache handles this type of situation. Litespeed just follows Apache (drop-in replacement). You should install Apache and request an authoritative answer from Apache as to why they decide to do that.

    You should use local document for 401 to let web server pop up user/password as Apache document suggests.
    Last edited: May 30, 2012
  9. SAngeli

    SAngeli New Member

    Hello,

    I will not be able to install Apache as I am not capable of doing so at this time.

    All I need to know, if it is possible, from your end is the following:
    If you password protect a directory, and then you add the "ErrorDocument 401 http://www.google.it" code, then you try to access your link, can you replicate this issue? Will you be redirected or just properly asked for credentials?

    Once you confirm to me that you are able to replicate my same issue I will try to ask the proper Apache forum or support.
    This is all I can do. All this in order to understand why this happens.
    As for me, I will definitely use local document for 401.
    I only wish to understand and complete what I started researching.

    Thank you,
    Spiro
  10. webizen

    webizen New Member

    our test shows Apache ignores url and pop up login prompt.

    [Fri Jun 01 16:31:44 2012] [notice] cannot use a full URL in a 401 ErrorDocument directive --- ignoring!

    LSWS just redirects to target URL for 401 errordocument.

    if use local 401 errordocument, both behave the same (pop up login prompt).
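
An added example, not part of the thread and not Apache or LiteSpeed code: a Python check that scans .htaccess text for the case tested above, an ErrorDocument 401 that points at a full URL in a file that also requires authentication. The function name, the remote-URL heuristic and the sample file bodies are assumptions made for illustration.

```python
import re

# "ErrorDocument <code> <target>"; directive names are case-insensitive.
ERRDOC = re.compile(r'^ErrorDocument\s+(\d{3})\s+(.+)$', re.IGNORECASE)
AUTH = re.compile(r'^(AuthType|Require)\b', re.IGNORECASE)
# Assumption: a target with no spaces that starts with "scheme://" is a remote URL.
REMOTE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://\S+$')


def check_htaccess(text):
    """Return (line_no, severity, message) findings in file order."""
    has_auth = False
    remote = []  # (line_no, status_code) of ErrorDocument lines with a full URL
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if AUTH.match(line):
            has_auth = True
        m = ERRDOC.match(line)
        if m:
            target = m.group(2).strip().strip('"')
            if REMOTE.match(target):
                remote.append((no, m.group(1)))
    findings = []
    for no, code in remote:
        if code == '401':
            # Worst case: the same file also demands a login.
            sev = 'error' if has_auth else 'warning'
            msg = ('401 ErrorDocument is a full URL: Apache ignores it, and a '
                   'server that redirects instead never shows the login prompt; '
                   'use a local path such as /401.shtml')
        else:
            sev = 'warning'
            msg = (f'{code} ErrorDocument is a full URL: the client receives a '
                   f'redirect status instead of {code}')
        findings.append((no, sev, msg))
    return findings


# Constructed samples modelled on the .htaccess posted in the thread.
SAMPLE_BROKEN = """\
ErrorDocument 401 http://surf.com/401.shtml
ErrorDocument 404 /404.shtml
AuthType Basic
AuthUserFile /home/sangeli/domains/surf.com/.htpasswd/public_html/test/.htpasswd
AuthName "Test Directory"
require valid-user
"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace('http://surf.com/401.shtml', '/401.shtml')
```

Calling `check_htaccess(SAMPLE_BROKEN)` reports line 1 as an error, while `check_htaccess(SAMPLE_FIXED)` returns no findings.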
  11. SAngeli

    SAngeli New Member

    Hello,

    I thank you very much for the time taken in assisting me.
    I now have all the answers I needed.

    Thank you again,
    Spiro
  12. mistwang

    mistwang LiteSpeed Staff

    Please upgrade to latest 4.1.13 build, Apache behavior has been followed now.
    from command line do:

    /usr/local/lsws/admin/misc/lsup.sh 4.1.13
