Fixing “Deny/AuthUserFile Not Allowed Here” Error in Apache .htaccess on Debian Wheezy



When attempting to implement password protection in Apache on Debian Wheezy, developers often encounter two frustrating errors in their error logs:

/var/www/ninja/www/.htaccess: deny not allowed here
# OR
AuthUserFile not allowed here

These errors typically appear even when file permissions are correctly set (www-data user/group) and the .htpasswd file is accessible.

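The issue stems from how Apache is configured on Debian Wheezy: certain authentication modules aren't enabled by default, and the directory's AllowOverride setting must permit the directives used in .htaccess. Apache logs "not allowed here" when a directive belongs to an override class (AuthConfig for AuthUserFile, Limit for deny) that AllowOverride does not grant for that directory.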

First, verify all required modules are enabled:

sudo a2enmod auth_basic
sudo a2enmod authn_file
sudo a2enmod authz_user

Then modify your VirtualHost configuration to properly support .htaccess directives:


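<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName ninja
    DocumentRoot /var/www/ninja/www

    <Directory /var/www/ninja/www/>
        Options Indexes FollowSymLinks
        # AuthConfig permits AuthType/AuthUserFile/Require; Limit permits Order/Allow/Deny
        AllowOverride AuthConfig Limit
        # Apache 2.4 syntax (2.2 uses Order/Allow instead)
        Require all granted
    </Directory>

    # ... rest of your config ...
</VirtualHost>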

Replace your current .htaccess with this more robust version:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/ninja/.htpasswd
Require valid-user

# If you need IP-based exceptions:
# <RequireAny>
#   Require ip 192.168.1.0/24
#   Require valid-user
# </RequireAny>

For production environments, consider these enhancements:

# Place outside web root if possible
AuthUserFile /etc/apache2/.htpasswd-ninja

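# Add brute force protection (requires mod_evasive; set in the server configuration, not .htaccess)
<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
</IfModule>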

If issues persist:

  1. Run apache2ctl -t to test configuration
  2. Check SELinux contexts if applicable
  3. Verify .htpasswd permissions (640 with www-data owner)
  4. Test with curl -I http://ninja to see response headers

For better performance, move directives directly to your VirtualHost:


<Directory /var/www/ninja/www>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
    # Additional directives...
</Directory>

Remember to restart Apache after changes: sudo service apache2 restart


When configuring password protection for an Apache virtual host on Debian Wheezy, you might encounter the frustrating "not allowed here" error in your .htaccess file. This typically occurs when Apache directives are placed in .htaccess without proper server configuration to permit them.

For password protection to work properly, you need three essential components configured correctly:

1. AuthType Basic
2. AuthUserFile pointing to your .htpasswd
3. Require valid-user

The root cause is often insufficient AllowOverride permissions. In your virtual host configuration, you need to explicitly allow authentication directives:

<Directory /var/www/ninja/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride AuthConfig Indexes
    Require all granted
</Directory>

Notice we've changed two critical things:

  1. AllowOverride now includes AuthConfig
  2. Updated access control to use Apache 2.4 syntax (Require all granted)
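The "not allowed here" errors follow from which override class each directive belongs to. As an added example (not code from the original page), this Python check tests a .htaccess against an AllowOverride value such as the "AuthConfig Indexes" and "AuthConfig Limit" settings shown on this page; the directive table and the sample file are constructed for illustration and cover only common directives.

```python
# Added example (not from the original page): which AllowOverride class
# each .htaccess directive needs. The table covers only directives
# discussed on this page plus a few common ones.
OVERRIDE_CLASS = {
    "authtype": "AuthConfig", "authname": "AuthConfig",
    "authuserfile": "AuthConfig", "authgroupfile": "AuthConfig",
    "require": "AuthConfig", "satisfy": "AuthConfig",
    "order": "Limit", "allow": "Limit", "deny": "Limit",
    "options": "Options", "directoryindex": "Indexes",
}

# Constructed sample .htaccess mixing auth and host-based directives.
SAMPLE_HTACCESS = """\
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/ninja/.htpasswd
Require valid-user
Order deny,allow
Deny from all
"""


def check_htaccess(allow_override, htaccess_text):
    """Return (status, problems) for an AllowOverride value.

    status is "ignored" (AllowOverride None: the file is never read, so
    the directory is silently unprotected), "rejected" (at least one
    directive would log "not allowed here") or "ok".
    """
    granted = {tok.split("=")[0].lower() for tok in allow_override.split()}
    if "none" in granted:
        return "ignored", []
    problems = []
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":
            continue  # skip blanks, comments and section tags
        name = line.split()[0]
        needed = OVERRIDE_CLASS.get(name.lower())
        if needed and "all" not in granted and needed.lower() not in granted:
            problems.append((lineno, name, needed))
    return ("rejected" if problems else "ok"), problems


if __name__ == "__main__":
    for value in ("AuthConfig Indexes", "AuthConfig Limit", "None"):
        print(value, "->", check_htaccess(value, SAMPLE_HTACCESS))
```

The "ignored" result is the case to watch for: with AllowOverride None Apache logs no error, and the password prompt never appears.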

Here's a properly configured .htaccess file that should work with the above configuration:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/ninja/.htpasswd
Require valid-user

Ensure the necessary Apache modules are enabled:

a2enmod auth_basic
a2enmod authn_file
a2enmod authz_user
service apache2 restart

Double-check that:

  • .htpasswd is readable by the Apache user (www-data)
  • .htaccess is readable by Apache
  • Both files have appropriate permissions (typically 640)

If issues persist:

1. Check Apache error logs: tail -f /var/log/apache2/error.log
2. Test configuration: apache2ctl configtest
3. Verify module loading: apache2ctl -M | grep auth

For production environments, consider:

1. Moving .htpasswd outside the document root
2. Using HTTPS to prevent password sniffing
3. Implementing rate limiting to prevent brute force attacks