Directory Restricted Access and .htaccess file

#1
Hi,
I am hosted on Linux OS (Apache and LiteSpeed web services).
DirectAdmin is the management interface for setting up my websites.
I asked to password protect access to a specific directory for web access and indeed it works. I also asked to be able to customize website error code output and was told to edit .htaccess file.
End result, I was told by tech support the following:

"It seems the password protection rules and customizing 401 error codes don't work together.
...see how to get both the functions working together... customizing the .htaccess rules..."


This is what is used (retrieved from DirectAdmin system info):
Apache 2.2.17
DirectAdmin 1.37.0
Php 5.2.17

and from the website, when I simulate an error: "Powered By LiteSpeed Web Server"

Can someone please help me?

Thank you,
Spiro
 
#3
Hello and thank you for your reply.

Originally, when I assigned, via DA File Manager, Directory restriction the content of ".htaccess" file was:

Code:
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /home/sangeli/domains/surf.com/.htpasswd/public_html/test/.htpasswd
AuthName "Test Directory"
require valid-user
Restriction was working properly, but at logon, if I was hitting Escape or not properly validating, I was getting error code "401" and did not like the fact that it was not customized. So I asked how to point to proper custom error code for 401.shtml 403.shtml 404.shtml 500.shtml files.
So, I was advised to add on the first line of ".htaccess" file the following:

Code:
ErrorDocument 401 http://surf.com/401.shtml
This way, the directory password restricted area did not work any longer and I was getting immediately this error 401 webpage.

What I wish to do is being able to password protect a directory and custom make those error code webpages "xxx.shtml".

I wish to know how to do so, where to place those error shtml files and if there is anything else recommended in order to properly customize this ".htaccess" file.

Lastly, if possible, can you please refer me to a correct documentation on the web, I do not know if it has to be LiteSpeed specific, so I can additionally read and learn?

Thank you so much for your help,
Spiro
 

webizen

Well-Known Member
#4
http://httpd.apache.org/docs/2.0/mod/core.html#errordocument

Note that when you specify an ErrorDocument that points to a remote URL (ie. anything with a method such as http in front of it), Apache will send a redirect to the client to tell it where to find the document, even if the document ends up being on the same server. This has several implications, the most important being that the client will not receive the original error status code, but instead will receive a redirect status code. This in turn can confuse web robots and other clients which try to determine if a URL is valid using the status code. In addition, if you use a remote URL in an ErrorDocument 401, the client will not know to prompt the user for a password since it will not receive the 401 status code. Therefore, if you use an ErrorDocument 401 directive then it must refer to a local document.
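
A check for the misconfiguration the quoted Apache note describes, as an added example that is not part of the original post: it scans .htaccess text for ErrorDocument directives whose target is a full URL and treats the 401 case as an error. The function name `lint_htaccess` and the local `/401.shtml` path in the corrected sample are assumptions; the directive lines are the ones quoted in this thread.

```python
import re

# Constructed sample: the .htaccess from this thread with the remote 401 target.
BROKEN = """\
ErrorDocument 401 http://surf.com/401.shtml
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /home/sangeli/domains/surf.com/.htpasswd/public_html/test/.htpasswd
AuthName "Test Directory"
require valid-user
"""

# Corrected form: a local URL path, so the 401 status and auth challenge survive.
# The path /401.shtml (relative to the document root) is an assumption.
FIXED = BROKEN.replace("http://surf.com/401.shtml", "/401.shtml")

# "Anything with a method such as http in front of it" counts as a remote URL.
_FULL_URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def lint_htaccess(text):
    """Return (line_no, severity, message) for each ErrorDocument with a full URL."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0].lower() != "errordocument" or len(parts) < 3:
            continue
        code, target = parts[1], parts[2].strip()
        if not _FULL_URL.match(target):
            continue  # local path or literal message text: status code is kept
        if code == "401":
            findings.append((line_no, "error",
                             "401 target is a full URL: client gets a redirect, "
                             "never the 401, so no password prompt"))
        else:
            findings.append((line_no, "warn",
                             f"{code} target is a full URL: client sees a "
                             "redirect status instead of the original error"))
    return findings


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_htaccess(sample))
```
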
 
#5
Hi and thank you for your link.

I did some testings and was able to get it to work.
I noticed that whenever I use http://www.... it automatically redirects to a URL and does not allow the error to manifest.
So, if I would type
Code:
ErrorDocument 401 http://www.google.it
when trying to access this website with restricted access, rather than popping up the validation Username and Password it goes automatically to the link.
The info in the docs you provided me with instead states that I can use something like in their example (ErrorDocument 500 http://foo.example.com/cgi-bin/tester) but why such behavior rather than prompting me for user credentials?

Those ErrorDocument statements should be all the way at the top of the file .htaccess or can they be anywhere?

Also, do you know if .htaccess is a file that robots, spiders, web crawlers can read or access? This question is for security purpose.

One last question: Is there a way to limit the number of times a user can re-try to input Username and Password (when the credentials are wrong) before the system does not allow it again and if it insists it will block it for a while?

Thank you,
Spiro
 

webizen

Well-Known Member
#6
... but why such behavior rather than prompting me for user credentials?
Please refer to the same section:
Note that when you specify an ErrorDocument that points to a remote URL (ie. anything with a method such as http in front of it), Apache will send a redirect to the client to tell it where to find the document, even if the document ends up being on the same server. This has several implications, the most important being that the client will not receive the original error status code, but instead will receive a redirect status code.

Those ErrorDocument statements should be all the way at the top of the file .htaccess or can they be anywhere?
Doesn't matter where it is placed in .htaccess. Behavior will not change.

Also, do you know if .htaccess is a file that robots, spiders, web crawlers can read or access? This question is for security purpose.
You use robots.txt and place it under DocRoot.

One last question: Is there a way to limit the number of times a user can re-try to input Username and Password (when the credentials are wrong) before the system does not allow it again and if it insists it will block it for a while?
...
This usually should be done by something outside of LSWS such as your application or security measure (firewall, etc).
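
The kind of outside measure this reply points to starts with detection. As an added example (not part of the original post), the function below counts failed Basic-auth attempts per client IP in access-log lines and reports clients that reach a limit within a time window; blocking is left to the firewall or other tooling. It assumes the Apache combined log format, with the supplied username in the third field; the log lines, the `/test` prefix default and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges, made-up usernames).
SAMPLE = [
    '203.0.113.7 - - [01/Jun/2012:16:30:00 +0000] "GET /test/ HTTP/1.1" 401 401 "-" "-"',
    '203.0.113.7 - admin [01/Jun/2012:16:30:05 +0000] "GET /test/ HTTP/1.1" 401 401 "-" "-"',
    '203.0.113.7 - admin [01/Jun/2012:16:30:09 +0000] "GET /test/ HTTP/1.1" 401 401 "-" "-"',
    '203.0.113.7 - root [01/Jun/2012:16:30:12 +0000] "GET /test/ HTTP/1.1" 401 401 "-" "-"',
    '198.51.100.4 - - [01/Jun/2012:16:31:00 +0000] "GET /test/ HTTP/1.1" 401 401 "-" "-"',
    '198.51.100.4 - alice [01/Jun/2012:16:31:08 +0000] "GET /test/ HTTP/1.1" 200 512 "-" "-"',
]

# ip, ident, user, [timestamp], "METHOD path ...", status
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')


def failed_auth_bursts(lines, prefix="/test", limit=3,
                       window=timedelta(minutes=5)):
    """Return {ip: time at which `limit` failed logins fell inside `window`}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, user, stamp, path, status = m.groups()
        # A 401 with user "-" is only the initial challenge (no credentials
        # sent yet); a 401 with a username is a rejected login attempt.
        if status != "401" or user == "-" or not path.startswith(prefix):
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()        # drop failures older than the window
        if len(hits) >= limit and ip not in flagged:
            flagged[ip] = when
    return flagged


if __name__ == "__main__":
    for ip, when in failed_auth_bursts(SAMPLE).items():
        print(ip, "reached the limit at", when.isoformat())
```
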
 
#7
Hello,

I thank you for all the explanations.
Despite the answer kindly provided regarding the ErrorDocument I find difficulties in properly understanding why the http:// does not work.
When I write in .htaccess the following line "ErrorDocument 401 http://surf.com/401.shtml" the system should redirect to that URL only if the error 401 occurs.
In my case, when I type http://www.site.com/test and hit enter, the web browser points to this website, and it redirects immediately to the URL rather than asking me for username and password.
This is the exact part that I do not understand and wish to ask again for help.

If the ErrorDocument kicks in only when the error occurs it should not matter, regardless of the technicalities, but this is not the way the server behaves.

Why when I do not use a http:// I am able to get the username and password windows prompted and when instead I do use the http:// not?

This is what I wish to solve.

I tried to ask in IRC at Apache channel for support and they were able to note that the website is immediately redirecting to another url but they are unable to support me because I am not using Apache.

Thank you,
Spiro




 

webizen

Well-Known Member
#8
This behavior (redirect instead of asking user/passwd for remote URL) is not a problem but how Apache handles this type of situation. Litespeed just follows Apache (drop-in replacement). You should install Apache and request an authoritative answer from Apache as to why they decided to do that.

You should use local document for 401 to let web server pop up user/password as Apache document suggests.
 
#9
Hello,

I will not be able to install Apache as am not capable of doing so at this time.

All I need to know, if it is possible, from your end is the following:
If you password protect a directory, and then you add the "ErrorDocument 401 http://www.google.it" code, and then you try to access your link, can you replicate this issue? Will you be redirected or just properly asked for credentials?

Once you confirm to me that you are able to replicate my same issue I will try to ask proper Apache forum or support.
This is all I can do. All this in order to understand why this happens.
As for me, I will definitely use local document for 401.
I only wish to understand and complete what I started researching.

Thank you,
Spiro
 

webizen

Well-Known Member
#10
Our test shows Apache ignores the URL and pops up the login prompt.

[Fri Jun 01 16:31:44 2012] [notice] cannot use a full URL in a 401 ErrorDocument directive --- ignoring!

LSWS just redirects to target URL for 401 errordocument.

If a local 401 ErrorDocument is used, both behave the same (pop up login prompt).
 

mistwang

LiteSpeed Staff
#12
Please upgrade to latest 4.1.13 build, Apache behavior has been followed now.
from command line do:

/usr/local/lsws/admin/misc/lsup.sh 4.1.13
 