One bewildering observation on a low-traffic, co-hosted account (hence no logs, & unusual first lines required in .htaccess) by a provider using Apache 1.3.29: Some directories didn't seem to get the password protection they deserve. I figured out that the protection on every level in the directory tree can be obtained by creating this structure of subdirectories below root: /1/2/3 - and then uploading an .htaccess with these contents into each of them: PerlSetVar AuthFile /.htpasswd AuthType Basic AuthName "confidential documents" require valid-user Apache requires a password on http://site.dom/1/2/3, http://site.dom/1/2 and http://site.dom/1 - however when uploading a different .htaccess that is supposed to open up (ONLY) http://site.dom/1/2 to the "middle" directory of /1/2, something unexpected is caused by this /1/2/.htaccess file: PerlSetVar AuthFile /.htpasswd AuthType Basic AuthName "wide open" order deny,allow Satisfy any Besides directory 2, its subdirectory 3 becomes accessible without credentials, as well, although the more restrictive version of .htaccess has remained in...3 and should therefore be unaffected by any changes to /1/2/.htaccess - is there any explanation for this, and a way around the issue? (The format of .htaccess being largely restricted by the hosting provider's requirements, of course...)? If this is a "feature", how does one make sure that the .htaccess placed in the "sub-sub-subdirectory" /1/2/3 is observed, so 3 will not be affected by changes to the .htaccess for its parent directory, i.e. remain protected just like /1 ? --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|