I am trying to configure basic auth for my index file, and only my index file. I have configured it like so:
<Files index.htm>
Order allow,deny
Allow from all
AuthType Basic
AuthName "Some Auth"
AuthUserFile "C:/path/to/my/.htpasswd"
Require valid-user
</Files>
When I visit the page, 401 Authorization Required is returned as expected, but the browser doesn't prompt for the username/password. Some further inspection has revealed that Apache is not sending the WWW-Authenticate header.
GET http://myhost/ HTTP/1.1
Host: myhost
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.100 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
HTTP/1.1 401 Authorization Required
Date: Tue, 21 Jun 2011 21:36:48 GMT
Server: Apache/2.2.16 (Win32)
Content-Length: 401
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
Why is Apache doing this? How can I configure it to send that header appropriately?
It is worth noting that this exact same set of directives work fine if I set them for a whole directory. It is only when I configure them to a directory index that they do not work. This is how I know my .htpasswd and such are fine.
I am using Apache 2.2 on Windows.
On another note, I found this listed as a bug in Apache 1.3. This leads me to believe that this is actually a configuration problem on my end.
I can reproduce this on Apache 2.2 under Fedora. This seems to be a bug. A work-around is to use:
<Files ~ "(^index.htm$)|(^$)">Here is another similar bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=46685
For a simple case, your config looks fine (see this post for an example), so I would start by looking at any factors that might make this a not-simple case and eliminating them until you find the one that's causing the problem.
For instance:
The Apache docs have a nice page detailing how Directory, Files, and Location work, with some examples, for further reference.
You might want to start off by adjusting your Files directive (<Files ./index.htm>), otherwise it will match any index.htm files in the entire directory structure under that .htaccess.
The configuration you posted works perfect on a Debian - Apache 2.2 install. I'd suggest attempting to see if placing it in a
<Location>directive - and try it on 2 different browsers.I'm thinking that there is a conflict between the directive:
and the directive
I'm wondering if you drop the allow from all from the configuration record, this might do what you want to do.
BTW, I'd change the Files index.html to Location /index.html instead as well.