Question posted in 
I use Apache2 to intervene between my site and the User with an Authentication Login dialogue. I’ve added a hashed password to the Apache2 .htaccess file. The Site has a registered subdomain, and the web server has a set of SSL certs and keys. However, when a User tries to access the site and they are presented with the Username & Password box, the username and password are not accepted. I would appreciate some help.
I create a Username and Password for the site authentication using:
sudo htpasswd -c /etc/apache2/.htpasswd
I can see a hashed version of the password in that file.
Then, these are my Apache2 server configuration files:
/etc/apache2/sites-available/my-site.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName my-site.com
ServerAlias subdomain.my-site.com
DocumentRoot /var/www/my-site/public_html
<Directory /var/www/my-site/public_html>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<Location "/">
AuthType Digest
AuthName "Restricted Area"
AuthDigestDomain /
AuthDigestProvider file
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Location>
SSLCertificateFile /etc/letsencrypt/live/subdomain.my-site.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/subdomain.my-site.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
And the main apache config file /etc/apache2/apache.conf
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
AccessFileName .htaccess
#<FilesMatch "^.ht">
# Require all denied
#</FilesMatch>
LogFormat "%v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"" vhost_combined
LogFormat "%h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"" combined
LogFormat "%h %l %u %t "%r" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
Include /etc/apache2/httpd.conf
My /etc/apache/httpd.conf file is empty, and I do not have a .htaccess file.
I’ve cleared the cache, used private browsers, and I’ve asked others to try, but ultimately the password and username I set don’t work.
Please tell me if I’m missing data for you to help. I’m happy to edit the question. Thanks
Edit
I noticed the following:
<FilesMatch "^.ht">
Require all denied
</FilesMatch>
I commented it out, restarted the server, and tried again in a fresh private browser. No luck.
2
Answers
I figured it out. Because I'm using digest authentication I should be generating usernames and passwords using e.g.
I then had to adjust my <Location "/"> directive in my .conf file, to consider this change e.g.,
You have inconsistent file names for the password file (the htpasswd commands misses a
/).htpasswd command:
my-site.conf:
The first command creates a file
/etc/apache2.htpasswdthe config expects the file/etc/apache2/.htpasswd(extra/)