.htaccess complexity server error

         

rodneytoady

4:51 pm on Mar 20, 2011 (gmt 0)

10+ Year Member



In the following examples, all paths to .htpasswd files are correct for my local Windows XAMPP testing server. They are altered to suit the live (shared hosting LAMP) environment before upload. The behaviors described below apply in both environments.

This is in my .htaccess file at web site root level. It's intended to prevent access to any file at all except index.php. It seems to do what I want, the site works fine.


DirectoryIndex index.php

deny from all
<FilesMatch "^(index\.php)?$">
order allow,deny
allow from all
</FilesMatch>


I am required to make available numerous dedicated directories for our graphics department to ftp up large art files and give out passwords to various sub-contractors so they can download them (sparing our corporate email bandwidth). Sub-contractors should not be able to see any other sub-contractor's directory, nor guess the identity of other sub-contractors by seeing directory names. I have created a single directory "graphics" and all individual sub-contractor directories live there. Here is the .htaccess file for "graphics". It countermands the root level .htaccess above, allowing Indexing and all types of files to be served from "graphics" and child directories. Creating a required valid user with a strong password prevents any sub-contractors from seeing the directory index.

allow from all

AuthType Basic
AuthName "graphics"
AuthUserFile "C:/xampp/htdocs/.htpasswds/public_html/graphics/passwd"
require valid-user

Options +Indexes ##apply to all child directories
IndexOptions -FancyIndexing ##apply to all child directories



Here is a typical .htaccess file from a sub-contractor's directory (in this case "Candy")


AuthType Basic
AuthName "candy"
AuthUserFile "C:/xampp/htdocs/.htpasswds/public_html/graphics/candy/passwd"
require valid-user


When I go to the directory "graphics/candy" I'm asked to supply my authentication. I supply a known good user name and password for candy and get the following error:


Server error!

The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there was an error in a CGI script.

If you think this is a server error, please contact the webmaster.
Error 500
exampleurl
20/03/2011 7:53:03 AM
Apache/2.2.12 (Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0


I've spent many hours trying to work out a way around this. As soon as I remove the "candy" directory htaccess file, it's OK (but insecure, of course). And yet, there seems to be nothing wrong with the "candy" htaccess file. Can anyone assist?

g1smd

5:12 pm on Mar 20, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It's a while since I last set up this type of authorisation, but I don't think you need the C: at the beginning of the authorisation file path, nor maybe the first couple of folder levels. The reference should probably begin at the web root.

rodneytoady

8:39 pm on Mar 20, 2011 (gmt 0)

10+ Year Member



Temporary solution found:

I have altered the htaccess file at web root by adding the following:

Options -Indexes

I have entirely removed the htaccess file at "graphics".


Then I altered the htaccess file at "candy" as follows:

allow from all

AuthType Basic
AuthName "candy"
AuthUserFile "C:/xampp/htdocs/.htpasswds/public_html/graphics/candy/passwd"
require valid-user

Options +Indexes
IndexOptions -FancyIndexing


Now "candy" can log in to her directory and view a listing of files available to her. However, if she clicks on the "Parent Directory" link, she gets a directory listing denied message, satisfying the requirement that she should not be able to see the names or contents of other sub-contractors' directories. Furthermore, if "candy" is authenticated in her directory, she cannot enter the following URL, for example, to see a listing of all my javascript files: exampledomain/js/ (it seems that the logged in user "candy" retains the Options +Indexes setting in all directories where it is not specifically denied, therefore, I had to add it at web root level).

The problem with this solution, which is why it has to be temporary, is that I want other administrators apart from me to be able to add new sub-contractor directories as required and password protect them using cPanel. The htaccess file for "candy" is now too complex for the average user of cPanel (in fact, it might not be possible at all via cPanel). That's why I was originally trying to do it for all sub-directories from "graphics". That would still be my preferred solution. Have I got a syntax error somewhere in my first solution preventing it from working?

g1smd

8:43 pm on Mar 20, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I thought I posted some comments further up this thread. Did you try that suggestion?

rodneytoady

9:04 pm on Mar 20, 2011 (gmt 0)

10+ Year Member



Yes, thanks. I'm sorry, I was so involved with the code I forgot to acknowledge and say thanks. As you can see from my working temporary fix above, the "C:/xampp" part is in fact OK.

Thanks again.
Rodney

rodneytoady

9:18 pm on Mar 20, 2011 (gmt 0)

10+ Year Member



Solution:

I have now got my preferred solution working. There were syntax errors - the concept was OK. Here is correct syntax for anyone it might help:

htaccess at web root:

DirectoryIndex index.html index.php

deny from all
<FilesMatch "^(index\.php)?$">
order allow,deny
allow from all
</FilesMatch>

#Disable directory indexing everywhere it's not specifically enabled
Options -Indexes


htaccess at "graphics":

allow from all

AuthType Basic
AuthName "graphics"
AuthUserFile "C:/xampp/htdocs/.htpasswds/public_html/graphics/passwd"
require valid-user

Options +Indexes
IndexOptions -FancyIndexing



htaccess at "candy":

AuthType Basic
AuthName "candy"
AuthUserFile "C:/xampp/htdocs/.htpasswds/public_html/graphics/candy/passwd"
require valid-user



The "candy" htaccess is now easily managed via cPanel. Thanks to moderator jdMorgan for the original code to limit access at web root level to index.php (earlier thread). Hope this helps someone. As sometimes happens, the process of asking the questions helped me arrive at the solution.
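
Added example (not part of the thread and not the poster's code): the only difference between the first "graphics" file and the working one is the text after `##` on the Options and IndexOptions lines. Apache recognises `#` as a comment only at the start of a line, so anything after a directive is parsed as further arguments. The hypothetical `lint_htaccess` helper below flags such lines and, when given a document root (assumed here to be `C:/xampp/htdocs`), also reports an AuthUserFile stored beneath it.

```python
import re

# The "graphics" .htaccess from the first post, copied from the thread;
# FIXED_GRAPHICS is the same file with the trailing "##..." text removed.
FIRST_GRAPHICS = """\
allow from all

AuthType Basic
AuthName "graphics"
AuthUserFile "C:/xampp/htdocs/.htpasswds/public_html/graphics/passwd"
require valid-user

Options +Indexes ##apply to all child directories
IndexOptions -FancyIndexing ##apply to all child directories
"""
FIXED_GRAPHICS = re.sub(r" ##.*", "", FIRST_GRAPHICS)

def trailing_hash(line):
    """Index of a '#' that follows whitespace outside double quotes, or -1."""
    in_quote, prev = False, ""
    for i, ch in enumerate(line):
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        elif ch == "#" and not in_quote and prev.isspace():
            return i
        prev = ch
    return -1

def norm(path):
    return path.replace("\\", "/").lower().rstrip("/")

def lint_htaccess(text, docroot=None):
    """Return (line_number, rule, detail) findings for one .htaccess file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or whole-line comment
            continue
        pos = trailing_hash(line)
        if pos != -1:                          # Apache reads this as arguments
            findings.append((no, "trailing-comment", line[pos:]))
            line = line[:pos].rstrip()
        m = re.match(r'AuthUserFile\s+"?([^"]+)"?', line, re.I)
        if m and docroot and norm(m.group(1)).startswith(norm(docroot) + "/"):
            findings.append((no, "authuserfile-in-docroot", m.group(1)))
    return findings

if __name__ == "__main__":
    for finding in lint_htaccess(FIRST_GRAPHICS, docroot="C:/xampp/htdocs"):
        print(finding)
```

A `#` that follows whitespace can occasionally be a legitimate argument, so treat the first rule as a prompt to review the line rather than proof of an error.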

g1smd

12:16 am on Mar 21, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks for posting your solution. Hopefully it will help someone else with a similar problem in the future.