My apache 2.4 vhost configuration looks like this:
<Directory />
    Require all denied
</Directory>
<Directory /http/mystuff.org/html>
    Options FollowSymLinks Indexes Includes
    XBitHack on
    Require all granted
</Directory>
<Directory /http/mystuff.org/html/secretstuff>
    Options Indexes FollowSymLinks
    AuthType Digest
    AuthName "archives"
    AuthUserFile /etc/httpd/private/secretstuff.htaccess
    Require valid-user
</Directory>
The Require valid-user directive is simply ignored (i.e. anyone can get to the secretstuff folder without having to authenticate) and I can't figure out how to make it work. I've tried adding Require all denied to the beginning of the , tried using <Location> instead of <Directory> (someone on stackexchange suggested this), but nothing seems to work. I even tried
<RequireAll>
    Require valid-user
</RequireAll>
thinking this might be needed because of the Require all allowed in the parent directory, but this didn't work, either. I've read through the apache 2.4 documentation a half a dozen times now and haven't a clue as to why my directives to require a valid user are being ignored. The same configuration worked fine in apache 2.2.
Finally, I believe I have all the necessary modules loaded:
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authz_user_module modules/mod_authz_user.so
<Location> instead of <Directory>. From testing on another system I know this isn't true, and it didn't work for me in any case. http://serverfault.com/questions/373104/why-isnt-apache-basic-authentication-working
– pgoetz Jan 30 '15 at 19:51