Htaccess file gets ignored (while trying to double-secure Plesk)

Tag: .htaccess Author: e0464011 Date: 2009-10-13

I'm a beginner running 1&1's default customer-self-manages Apache setup, which has Plesk pre-installed. The Plesk site is at https://example.com:8443/ (where example.com is my registered domain) and brings up a PHP-based login page. However, I'd like to additionally secure this app with an htaccess, HTTP-based authentication request (because I might not update Plesk in time should there be Plesk security bugs, and somehow feel better not having the PHP files lying around publicly, if PHP-protected). However, logging in via SSH as root and dropping .htaccess files into folders I figured were relevant -- like /usr/local/psa/admin/htdocs/, among others -- does not bring up the http authentication when requesting the page in a browser. What should I do?

PS: The same .htaccess file works well in other folders I want to secure (I also tried chmod 644). It basically contains this:

AuthType Basic
AuthName "John Doe Management Access" 
AuthUserFile /johndoe/.htpasswd
require user johndoe_user

PPS: My .htaccess file seems to be there alright, as https://example:8443/.htaccess brings up a "no permission" page, whereas https://example.com:8443/.htfoo brings up a "not found" page. Perhaps htaccess files are just not correctly configured to be, well, htaccess files for the port and site in question?

Other Answer1

We just had the same problem (although not with Plesk)

Turned out that the vhost configuration had the directive:

AllowOverride None

This meant that the .htaccess file was being completely ignored (even if we entered garbage into the file)

The fix was to set the directive to:

AllowOverride AuthConfig

Then all you need to do is restart your apache server