How to Fix “AuthType Not Allowed Here” Error in Apache VirtualHost Configuration



When setting up authentication for Mercurial repositories via Apache HTTP Server, many developers encounter the "AuthType not allowed here" error. The root cause is typically incorrect directive placement: AuthType and the related authentication directives sit directly inside the <VirtualHost> block.

Authentication directives are only valid in directory context (or in .htaccess). For Mercurial CGI access, wrap them in one of:

  • <Directory>
  • <Location>
  • <Files>

Here's a properly configured virtual host setup that works with Mercurial:

# NameVirtualHost is only needed on Apache 2.2; Apache 2.4 ignores it and logs a warning
NameVirtualHost *:8080

<VirtualHost *:8080>
    ServerAdmin webmaster@localhost
    UseCanonicalName Off
    
    <Directory "/usr/lib/cgi-bin">
        Options +ExecCGI
        AddHandler cgi-script .cgi
        
        AuthType Basic
        AuthName "Mercurial Repositories"
        AuthUserFile /etc/apache2/hg-auth
        Require valid-user
    </Directory>
    
    ScriptAliasMatch ^(.*) /usr/lib/cgi-bin/hgwebdir.cgi/$1
</VirtualHost>
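
The placement rule above as a small Python check (an added example, not part of the original configuration or of Apache itself): it walks a config and reports authentication directives that are not nested inside a directory-context container. The function name and sample configs are constructed for illustration, and it covers only the directives used on this page; apache2ctl configtest remains the authoritative check.

```python
import re

# Directives used on this page that Apache accepts only in directory context
# (or .htaccess); directly inside <VirtualHost> they raise "not allowed here".
AUTH_DIRECTIVES = {"authtype", "authname", "authuserfile",
                   "authgroupfile", "authbasicprovider", "require"}
# Containers that establish directory context.
DIR_CONTAINERS = {"directory", "directorymatch", "location", "locationmatch",
                  "files", "filesmatch", "proxy", "proxymatch", "if"}
OPEN_TAG = re.compile(r"^<\s*([A-Za-z]+)")
CLOSE_TAG = re.compile(r"^</\s*([A-Za-z]+)")

def find_misplaced_auth(config_text):
    """Return (line_no, directive, enclosing_block) for every auth directive
    that is not nested inside a directory-context container."""
    stack, findings = [], []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = CLOSE_TAG.match(line)
        if closing:
            if stack and stack[-1] == closing.group(1).lower():
                stack.pop()
            continue
        opening = OPEN_TAG.match(line)
        if opening:
            stack.append(opening.group(1).lower())
            continue
        name = line.split()[0]
        if name.lower() in AUTH_DIRECTIVES and not DIR_CONTAINERS.intersection(stack):
            findings.append((line_no, name, stack[-1] if stack else "server config"))
    return findings

# Constructed samples: the same auth directives, first directly in the
# virtual host (the error case), then wrapped in <Directory> (the fix).
AUTH = "AuthType Basic\nAuthUserFile /etc/apache2/hg-auth\nRequire valid-user\n"
BROKEN = "<VirtualHost *:8080>\n" + AUTH + "</VirtualHost>\n"
FIXED = ('<VirtualHost *:8080>\n<Directory "/usr/lib/cgi-bin">\n'
         + AUTH + "</Directory>\n</VirtualHost>\n")

if __name__ == "__main__":
    for line_no, name, block in find_misplaced_auth(BROKEN):
        print(f"line {line_no}: {name} not allowed directly in <{block}>")
```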

Use htpasswd to create the password file and add the first user:

sudo htpasswd -c /etc/apache2/hg-auth username

After making changes, always validate the configuration and reload Apache:

sudo apache2ctl configtest
sudo systemctl reload apache2

Check error logs if issues persist:

tail -f /var/log/apache2/error.log

For more granular control, you can use Location blocks:

<Location /mercurial>
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /etc/apache2/hg-auth
    Require valid-user
</Location>

For high-traffic repositories, consider:

  • Using AuthGroupFile for team permissions
  • Implementing caching authentication with mod_authn_socache
  • Switching to more efficient authentication backends (DB/LDAP)

When setting up Mercurial repository access through Apache HTTP Server, basic authentication is often required for security. The error message "AuthType not allowed here" typically indicates a configuration issue in the virtual host setup.

The key issue is that authentication directives must be placed within specific context blocks. Here's a corrected version of your configuration:

NameVirtualHost *:8080

<VirtualHost *:8080>
    UseCanonicalName Off
    ServerAdmin webmaster@localhost
    AddHandler cgi-script .cgi
    ScriptAliasMatch ^(.*) /usr/lib/cgi-bin/hgwebdir.cgi/$1
    
    <Directory "/usr/lib/cgi-bin">
        AuthType Basic
        AuthName "Mercurial Repositories"
        AuthUserFile /usr/local/etc/httpd/users
        Require valid-user
    </Directory>
</VirtualHost>

Before the configuration will work, you need to create the password file and add users:

htpasswd -c /usr/local/etc/httpd/users username

This command creates the file (-c flag) and adds the first user. For subsequent users, omit the -c flag, because -c rewrites an existing file and discards the users already in it:

htpasswd /usr/local/etc/httpd/users anotheruser

If you need to protect specific paths rather than the entire cgi-bin directory, you can use Location instead:

<Location /mercurial>
    AuthType Basic
    AuthName "Mercurial Access"
    AuthUserFile /usr/local/etc/httpd/users
    Require valid-user
</Location>

Common issues to check if authentication still doesn't work:

  • Ensure Apache has read access to the password file
  • Verify the AuthUserFile path is correct
  • Check that the mod_auth_basic module is loaded
  • Confirm the directory block covers the path being accessed

While basic authentication works, it sends credentials base64-encoded rather than encrypted, so consider these enhancements:

# Add these to your authentication block:
AuthBasicProvider file
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

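# For better security, add SSL. These directives belong at the <VirtualHost> level
# (requires mod_ssl); they are not allowed inside the authentication block.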
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key