HTACCESS Protection.. not condom for the web but similar
Target:
Create Apache authentication using an .htaccess file, the simplest password protection for the web.
env:
Red Hat Enterprise 4, Apache 2.0
Do:
1. Create .htaccess file in /my/web/directory/to/protect
.htaccess is a flat file (text file).
Here is what I put in the file (feel free to copy and paste this):
#--------------------------------------------------------------
AuthUserFile /my/user/file/info/.htpasswd
AuthGroupFile /my/group/file/info/.htgroup
AuthName "my protected server"
AuthType Basic
require group myself
#---------------------------------------------------------------
2. create user
add first user:
~xxx>htpasswd -c /my/user/file/info/.htpasswd user1
Next, you will be asked for the password twice.
add other user:
~xxx>htpasswd /my/user/file/info/.htpasswd user2
3. adding user to a group
open the file /my/group/file/info/.htgroup using pico or any text editor. The configuration of this file is very simple (i.e.: groupname: username username2)
so we are going to add this line in the file
myself: user1 user2
4. Set the user file and group file so they are readable by others
~xxx>chmod 755 /my/group/file/info/
~xxx>chmod 755 /my/user/file/info/
~xxx>chmod 755 /my/group/file/info/.htgroup
~xxx>chmod 755 /my/user/file/info/.htpasswd
That's it. Now you can use the password-protected directory.
To remove a user, open the file /my/user/file/info/.htpasswd
and delete the line with the username in it.
Problems:
1. Cannot log in; the pop-up window asks for the user and password again and again
solution:
check the apache error log
1. Make sure the group file and the user file are readable by others by doing the chmod above
2. Make sure you are referring to the correct user file and group file in .htaccess
3. If you get the error below or something similar:
[Tue Nov 01 17:48:14 2005] [error] [client 10.1.2.69] MySQL ERROR: Access denied for user 'apache'@'localhost' (using password: NO)
[Tue Nov 01 17:48:14 2005] [error] [client 10.1.2.69] MySQL user pujo not found: /finsum_reports
This happens because Apache looks for the user in the MySQL password store instead of the password file we gave it. The current solution I have is to delete mod_auth_mysql from Apache.
~xxx> rpm -e mod_auth_mysql
and try again.....
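Checks 1 and 2 above can be scripted. The following is an added example, not part of the original post: it reads the .htaccess in a directory, confirms the user and group files it names can be read, and confirms every member of the required group has a password entry. The function names, the unquoted-path assumption and the sample data are constructed for illustration.

```shell
# check_htauth DIR: prints one line per problem, returns the problem count.
# Run it as the Apache user so -r reflects what the server can open.
check_htauth() {
    ht="$1/.htaccess"; problems=0
    [ -r "$ht" ] || { echo "cannot read $ht"; return 1; }
    # Directive names are case-insensitive; take the first match (unquoted paths assumed).
    userfile=$(awk 'tolower($1)=="authuserfile"{print $2; exit}' "$ht")
    groupfile=$(awk 'tolower($1)=="authgroupfile"{print $2; exit}' "$ht")
    group=$(awk 'tolower($1)=="require"&&tolower($2)=="group"{print $3; exit}' "$ht")
    for f in "$userfile" "$groupfile"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; problems=$((problems+1)); }
    done
    [ "$problems" -eq 0 ] || return "$problems"
    # Group file format from step 3: "groupname: user1 user2"
    members=$(awk -F: -v g="$group" '$1==g{print $2; exit}' "$groupfile")
    [ -n "$members" ] || { echo "group '$group' not in $groupfile"; problems=$((problems+1)); }
    for u in $members; do
        awk -F: -v u="$u" '$1==u{f=1} END{exit !f}' "$userfile" ||
            { echo "'$u' is in group '$group' but not in $userfile"; problems=$((problems+1)); }
    done
    return "$problems"
}

# Constructed sample: same layout as the steps above, with user2 left out of
# the password file so the check has something to report.
make_sample() {
    mkdir -p "$1/web" "$1/info"
    printf 'user1:constructed-hash-placeholder\n' > "$1/info/.htpasswd"
    printf 'myself: user1 user2\n' > "$1/info/.htgroup"
    cat > "$1/web/.htaccess" <<EOF
AuthUserFile $1/info/.htpasswd
AuthGroupFile $1/info/.htgroup
AuthName "my protected server"
AuthType Basic
require group myself
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
check_htauth "$tmp/web" || echo "problems found: $?"
rm -rf "$tmp"
```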
tips:
1. Put the user file and group file outside the web folder but still under the Apache folder, so they cannot be browsed from a browser (i.e. /user/local/apache2/cgi-bin/.htpasswd)
2. Protect the password and group files themselves using .htaccess
3. Using SSL will add more security, since the username and password for this type of authentication travel over the network unencrypted and are wide open to the public.
have fun trying