I have a .htaccess that uses basic authentication. It seems the path to the .htpasswd file isn't relative to the htaccess file, but instead to the server config.
So even though I have the .htaccess and .htpasswd files in the same directory, this doesn't work:
AuthType Basic
AuthName "Private Login"
AuthUserFile .htpasswd
Require valid-user
However, it does work if I change the AuthUserFile to use the absolute path:
AuthType Basic
AuthName "Private Login"
AuthUserFile "/home/user/public_html/mydir/.htpasswd"
Require valid-user
But I would prefer something more mobile as I use this on multiple sites in different areas. I've searched the web but haven't had any resolution. Is it possible to use relative path or variables like %{DOCUMENT_ROOT}?
The answer is
It is not possible to use relative paths for AuthUserFile:
File-path is the path to the user file. If it is not absolute (i.e., if it doesn't begin with a slash), it is treated as relative to the
ServerRoot.
You have to accept and work around that limitation.
We're using IfDefine together with an apache2 command line parameter:
.htaccess (suitable for both development and live systems):
<IfDefine !development>
AuthType Basic
AuthName "Say the secret word"
AuthUserFile /var/www/hostname/.htpasswd
Require valid-user
</IfDefine>
Development server configuration (Debian)
Append the following to /etc/apache2/envvars:
export APACHE_ARGUMENTS=-Ddevelopment
Restart your apache afterwards and you'll get a password prompt only when you're not on the development server.
You can of course add another IfDefine for the development server, just copy the block and remove the !.
I know this is an old question, but I just searched for the same thing and probably there are many others searching for a quick, mobile solution. Here is what I finally come up with:
# We set production environment by default
SetEnv PROD_ENV 1
<IfDefine DEV_ENV>
# If 'DEV_ENV' has been defined, then unset the PROD_ENV
UnsetEnv PROD_ENV
AuthType Basic
AuthName "Protected Area"
AuthUserFile /var/www/foo.local/.htpasswd
Require valid-user
</IfDefine>
<IfDefine PROD_ENV>
AuthType Basic
AuthName "Protected Area"
AuthUserFile /home/foo/public_html/.htpasswd
Require valid-user
</IfDefine>
or if you develop on localhost (only for apache 2.4+):
<If "%{REMOTE_ADDR} != '127.0.0.1'">
</If>
If you are trying to use XAMPP with Windows and want to use an .htaccess file on a live server and also develop on a XAMPP development machine the following works great!
1) After a fresh install of XAMPP make sure that Apache is installed as a service.
- This is done by opening up the XAMPP Control Panel and clicking on the little red "X" to the left of the Apache module.
- It will then ask you if you want to install Apache as a service.
- Then it should turn to a green check mark.
2) When Apache is installed as a service add a new environment variable as a flag.
- First stop the Apache service from the XAMPP Control Panel.
- Next open a command prompt. (You know the little black window the simulates DOS)
- Type "C:\Program Files (x86)\xampp\apache\bin\httpd.exe" -D "DEV" -k config.
- This will append a new DEV flag to the environment variables that you can use later.
3) Start Apache
- Open back up the XAMPP Control Panel and start the Apache service.
4) Create your .htaccess file with the following information...
<IfDefine DEV>
AuthType Basic
AuthName "Authorized access only!"
AuthUserFile "/sandbox/web/scripts/.htpasswd"
require valid-user
</IfDefine>
<IfDefine !DEV>
AuthType Basic
AuthName "Authorized access only!"
AuthUserFile "/home/arvo/public_html/scripts/.htpasswd"
require valid-user
</IfDefine>
To explain the above script here are a few notes...
- My AuthUserFile is based on my setup and personal preferences.
- I have a local test dev box that has my webpage located at c:\sandbox\web\. Inside that folder I have a folder called scripts that contains the password file .htpasswd.
- The first entry IfDefine DEV is used for that instance. If DEV is set (which is what we did above, only on the dev machine of coarse) then it will use that entry.
- And in turn if using the live server IfDefine !DEV will be used.
5) Create your password file (in this case named .htpasswd) with the following information...
user:$apr1$EPuSBcwO$/KtqDUttQMNUa5lGXSOzk.
A few things to note...
- Your password file can be any name you want.
- You should use .htpasswd for security.
- A great password generator found @ http://www.htaccesstools.com/htpasswd-generator/
- A great explanation and reason why you should use that name for your file is located @ http://www.htaccesstools.com/articles/htpasswd/
- MAKE SURE YOU PUT THE PASSWORD FILE IN THE CORRECT LOCATION!!! (See step 4 AuthUserFile area)
.htpasswd requires full absolute path from the absolute root of the server.
Please get full absolute path of the file by echo echo $_SERVER['DOCUMENT_ROOT'];.
here is working basic auth .htaccess script.
AuthType Basic
AuthName "Access to the Hidden Files"
AuthUserFile 'C:/xampp/htdocs/ht/.htpasswd'
Require valid-user
Before login
Afetr Login
1) Note that it is considered insecure to have the .htpasswd file below the server root.
2) The docs say this about relative paths, so it looks you're out of luck:
File-path is the path to the user file. If it is not absolute (i.e., if it doesn't begin with a slash), it is treated as relative to the ServerRoot.
3) While the answers recommending the use of environment variables work perfectly fine, I would prefer to put a placeholder in the .htaccess file, or have different versions in my codebase, and have the deployment process set it all up (i. e. replace placeholders or rename / move the appropriate file).
On Java projects, I use Maven to do this type of work, on, say, PHP projects, I like to have a build.sh and / or install.sh shell script that tunes the deployed files to their environment. This decouples your codebase from the specifics of its target environment (i. e. its environment variables and configuration parameters). In general, the application should adapt to the environment, if you do it the other way around, you might run into problems once the environment also has to cater for different applications, or for completely unrelated, system-specific requirements.
For just in case people are looking for solution for this:
<If "req('Host') = 'www.example.com'">
Authtype Basic
AuthName "user and password"
AuthUserFile /var/www/www.example.com/.htpasswd
Require valid-user
</If>
you may put your Auth settings into a Environment. Like:
SetEnvIf HTTP_HOST testsite.local APPLICATION_ENV=development
<IfDefine !APPLICATION_ENV>
Allow from all
AuthType Basic
AuthName "My Testseite - Login"
AuthUserFile /Users/tho/htdocs/wgh_staging/.htpasswd
Require user username
</IfDefine>
The Auth is working, but I couldn't get my environment really running.
Let's take an example.
Your application is located in /var/www/myApp on some Linux server
.htaccess : /var/www/myApp/.htaccess
htpasswdApp : /var/www/myApp/htpasswdApp. (You're free to use any name for .htpasswd file)
To use relative path in .htaccess:
AuthType Digest
AuthName myApp
AuthUserFile "htpasswdApp"
Require valid-user
But it will search for file in server_root directory. Not in document_root.
In out case, when application is located at /var/www/myApp :
document_root is /var/www/myApp
server_root is /etc/apache2 //(just in our example, because of we using the linux server)
You can redefine it in your apache configuration file ( /etc/apache2/apache2.conf), but I guess it's a bad idea.
So to use relative file path in your /var/www/myApp/.htaccess you should define the password's file in your server_root.
I prefer to do it by follow command:
sudo ln -s /var/www/myApp/htpasswdApp /etc/apache2/htpasswdApp
You're free to copy my command, use a hard link instead of symbol,or copy a file to your server_root.
Source: Stackoverflow.com