Hi, have the following code in /etc/httpd/conf.d/ssl.conf
> <VirtualHost xxx.xxx.xxx.xxx:443>
>     DocumentRoot "/var/www/html"
>     <Directory "/var/www/html">
>         AllowOverride All
>         AuthType Basic
>         AuthUserFile /etc/httpd/conf/webpass
>         AuthName "RESTRICED ACCESS"
>         require valid-user
>         satisfy any
>         Order allow,deny
>         Deny from all
>         Options -Indexes
>     </Directory>
Going to https://server.domain.tld, the htpasswd dialogue pops up as it should. However, going to http://server.domain.tld/admin/config.php, no htpasswd dialogue box appears.
What might be the cause of this, since it was thought anything below /var/www/html requires credentials, such as /var/www/html/admin?
Because there is an .htaccess file in /var/www/html/admin that is overriding the Apache config. You should update your Apache config to not allow overrides, which it is allowing currently.
Regardless of what is put into <Directory "/var/www/html"> it doesn’t stop anyone from getting to the FreePBX login page. ht is ignored. What does work is mv .htaccess htaccess in /var/www/html/admin. This way no one gets to the FreePBX login page if they can’t get past entering correct credentials for the htpasswd box.
And how are you attempting to disallow the overrides? Show your actual work here so there isn’t guessing.
Already stated the fix above. In
/var/www/html/admin # mv .htaccess htaccess
In httpd ssl.conf have:
AllowOverride AuthConfig FileInfo Options
AuthName "RESTRICTED ACCESS"
Deny from all
You are still allowing access here. Instead of allowing All directive access you are now allowing three specific directives. AuthConfig is the directive for authentication so you are still telling the server to allow .htaccess to override the auth configuration. Changing .htaccess to htaccess isn’t a proper fix as FreePBX could/probably will just write out the .htaccess file again.
Properly configuring your ssl.conf file will fix the problem.
AllowOverride None << stops the .htaccess file from doing anything.
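As an added example (not part of any post in this thread), a small Python check that reads Apache configuration text and reports, for each `<Directory>` block that sets `AuthType`, whether its `AllowOverride` line still lets a `.htaccess` file change access control. The function name `audit`, the sample paths ending in `/b` and `/c`, and the inclusion of the `Limit` class (which goes beyond the `All` and `AuthConfig` cases discussed above) are choices made for this example.

```python
import re

# Override classes that let a .htaccess file change who gets in:
# AuthConfig covers AuthType/AuthUserFile/Require/Satisfy, Limit covers
# Order/Allow/Deny, and All includes both.
RISKY = {"all", "authconfig", "limit"}
DIR_RE = re.compile(
    r'^[ \t]*<Directory\s+"?([^">]+)"?\s*>(.*?)^[ \t]*</Directory>',
    re.I | re.M | re.S)
OVERRIDE_RE = re.compile(r'^[ \t]*AllowOverride[ \t]+(.+?)[ \t]*$', re.I | re.M)
AUTH_RE = re.compile(r'^[ \t]*AuthType\b', re.I | re.M)

def audit(conf_text):
    """Return (path, AllowOverride value, verdict) per block that sets AuthType."""
    findings = []
    for path, body in DIR_RE.findall(conf_text):
        if not AUTH_RE.search(body):
            continue  # no authentication configured here, nothing to bypass
        match = OVERRIDE_RE.search(body)  # commented-out lines do not match
        if match is None:
            # Default differs between Apache 2.2 (All) and 2.4 (None).
            findings.append((path, "unset", "check-version-default"))
            continue
        classes = match.group(1).split()
        risky = [c for c in classes if c.lower() in RISKY]
        verdict = "htaccess-can-override-auth" if risky else "ok"
        findings.append((path, " ".join(classes), verdict))
    return findings

# Constructed sample: the three AllowOverride variants quoted in the thread.
SAMPLE = '''<Directory "/var/www/html">
    AllowOverride All
    AuthType Basic
</Directory>
<Directory "/var/www/html/b">
    AllowOverride AuthConfig FileInfo Options
    AuthType Basic
</Directory>
<Directory "/var/www/html/c">
    AllowOverride None
    # AuthConfig FileInfo Options
    AuthType Basic
</Directory>'''

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Only the block with `AllowOverride None` comes back as `ok`; the other two are reported as `htaccess-can-override-auth`.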
ssl.conf now has:
# AuthConfig FileInfo Options
AuthName "RESTRICTED ACCESS"
Deny from all
# mv /var/www/html/admin/htaccess /var/www/html/admin/.htaccess
# systemctl restart httpd
Tried the URL for both / and /admin/config.php and you were right on, htpasswd dialogue box pops up.
Thank you for your help with this.
Now what is being seen with AllowOverride None is a constant htpasswd dialogue box popup. Even when exiting FreePBX it displays the htpasswd dialogue box. So far the only solution is to add require ip xx.xx.xx.0/24 for the range allowed into the FreePBX server. I think the problem lies in the .htaccess in /admin but as you’ve written, that file would probably be overwritten on an update. There is a way to fix that too but it might impact other URLs used to access other parts of FreePBX.