Protecting admin.php, the /install directory, and test & development installations using .htaccess

Protecting admin.php, the /install directory, and test & development installations using .htaccess

OK this is the last entry
[Mon Feb 01 16:24:26.898792 2021] [authn_file:error] [pid 105270:tid 139733648557824] (2)No such file or directory: [client 41.214.91.37:51466] AH01620: Could not open password file: /lamp0/web/vhosts/cocoriweb.community/htdocs/pwd/.htpasswd
Why server can't open the password file ? The path seems to be good

Capture d’écran 2021-02-01 163026.webp
 
If the file is physically present in the file system, then it could be a permissions issue, SELinux, or something else server side.
 
The path seems to be good
Is it? So you only used xyz to mask then?
AuthUserFile /lamp0/web/vhosts/cocoriweb.community/htdocs/xyz/.htpasswd

Try without the files and unneeded statements, like this:
Code:
AuthUserFile /lamp0/web/vhosts/cocoriweb.community/htdocs/pwd/.htpasswd
AuthName "ACP XenForo"
AuthType Basic

require valid-user

So just this, nothing more.

Next to that, I see you run a lamp server. Is that a Windows server? Windows does not do .htaccess.
Apache does, in that case you could check your apache2.conf file.

I don't know which config you have, I only use Linux dedi's and vps servers.

Check for a file, maybe like apache2.conf or /etc/apache2/sites-available/000-default.conf or something like that.
If it contains an Allowoverride statement like "AllowOverride None".
If it's none, change to All, restart apache and see if it helps.

Lie Brogan said, could also be permission or Selinux issue, hard to say from here.
 
Is it? So you only used xyz to mask then?
Finally i read my host doc and i have to put the file here /lamp0/web/vhosts/cocoriweb.community/.htpasswd
But i've got the same error...

Apache does, in that case you could check your apache2.conf file.
It's Apache
Code:
Server Settings

Server Version: Apache/2.4.43 (Unix)
Server Built: May 28 2020 14:30:24
Server loaded APR Version: 1.5.2
Compiled with APR Version: 1.5.2
Server loaded APU Version: 1.5.4
Compiled with APU Version: 1.5.4
Module Magic Number: 20120211:92
Hostname/port: 3725721.admin.sd5.gpaas.net:443
Timeouts: connection: 300    keep-alive: 5
MPM Name: event
MPM Information: Max Daemons: 2 Threaded: yes Forked: yes
Server Architecture: 64-bit
Server Root: /srv/data/.config/apache
Config File: /srv/data/.config/apache/modules/common/alias.conf
Server Built With:
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D HTTPD_ROOT="/opt/apache2-2.4.43-202005281629/"
-D SUEXEC_BIN="/opt/apache2-2.4.43-202005281629//bin/suexec"
-D DEFAULT_PIDLOG="var/run/apache2/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="etc/apache2/mime.types"
-D SERVER_CONFIG_FILE="etc/apache2/apache2.conf"

But i can't see apache2 folder in etc/
Maybe because i'm on shared hosting ?
 
Last edited:
You might best ask your host in this case.
What is he using, can it be a mod_security issue, an allowoverride limitation or due to nginx configuration.
Hard to say. And to be fair, as said I never used lamp.
 
This is something very good but I have a question about IP. IP address changes all the time, if I do not use the internet my old IP will go to someone else and I will get someone else's IP when I am out on the internet again. Or is it me who's wrong?
 
Please assist me guys...

I've followed all the steps and everything works except when the prompt pops up on mydomain/admin.php and i type in my password found in psswds and the username as ACP nothing works it just tell me to login again? Have i missed something. I believe i must do something wrong when it comes to the password or username 😁
 
If you enter incorrect log in credentials then you would get a 401 unauthorised error.

If the page is just reloading that sounds like something else.

I have just checked the site listed against your license and I don't get the auth prompt.
 
If you enter incorrect log in credentials then you would get a 401 unauthorised error.

If the page is just reloading that sounds like something else.

I have just checked the site listed against your license and I don't get the auth prompt.
I removed since it didn't work do you want me to add it back?
 
I note that you have cPanel so it should be fairly straightforward to implement using the Directory Privacy app.

Contact your host if it still doesn't work using that.
 
I note that you have cPanel so it should be fairly straightforward to implement using the Directory Privacy app.

Contact your host if it still doesn't work using that.
I did but they don't understand the issue. Is there any other solution, perhaps you could help me using teamviewer? Really want this to work I've done everything but as you said when I attempt to login it just refresh... where is the pswdss folder suppose to be? in public_html where xenforo is installed? Please help.
Sad 3D GIF by Irakli Gharibashvili Jr.


The only thing that works is using the IP method. guess that's more secure anyway. i´ll be using that.
 
Last edited:
I used the .htaccess snippet in the first post and it works like a charm, however I noticed if I attempt to access admin.php from my mobile device I get a 404. Mobile access works fine when commenting out the block. Any idea why it would behave differently on mobile than it does on desktop? Is it just a matter of mobile not supporting basic auth?
 
It's device independent.

A 404 is a not found error so confirm the URL your mobile is trying to load.

If it is the actual admin.php URL then you likely need to speak to your host to investigate.
 
Hey Guys,
So I have installed xenforo latest version
So I had htaccess.txt I renamed it to .htacess
However I modified it as shown in the instructions in this thread and it is still not working?
I am using digital ocean to host my droplet?
Thank you.
 
This is a little off-topic but related to htaccess server passwords.

Is there any utility out there (need not be XF-related) that lets users change their own passwords? We keep the test forum behind an htaccess password and invariably, someone forgets theirs. I end up having to go generate a new password on the command line. I do this because all staff has access to the test forum (and in admin.php soon as well), but when someone leaves the staff, we remove their htaccess login info.

Years ago there was a PHP script that let users modify passwords, yet they could edit anyone's password, not just their own...and that, too, had to be protected behind the same login password they were looking to change. I didn't know if there was some sort of "self-service" script out there where staff could reset their own passwords if they forgot them.
 
Top Bottom