Owncloud using apache htaccess (htpasswd) authentication

doc_answered
webserver_issue

#1

Hi all,

Just downloaded OC 9.1.0 and I'm having a couple issues with it that I can't find a solution to as of yet. I'm running Slackware 14.1 with the stock Apache 2.4.10 and I have an .htaccess setup in the root of my webserver with Authtype Basic with an .htpasswd as the user database requiring login when you connect to the webserver. Owncloud is in an owncloud folder off root (/owncloud). Owncloud seems to be picking up on that and when the user logs in to my Webserver with their credentials in .htpasswd, Owncloud uses those credentials if an owncloud user exists with the same username and password. It automatically logs in and takes the user to the Files page. I've been trying to undo this behavior as it also breaks all the desktop/mobile clients as they display wrong username and password error (as I understand from reading, owncloud isn't handling login processing at that point).

Here is my .htaccess from the root of my webserver:

```
AuthName "This service requires authentication:"
AuthType Basic
AuthUserFile /my/path/to/.htaccess

AuthGroupFile /dev/null

require valid-user
Order Deny,Allow

Deny from All

Options +FollowSymLinks -MultiViews

# Turn mod_rewrite on
RewriteEngine on
RewriteBase /

RewriteCond %{HTTP_HOST} ^domain.com$
RewriteRule (.*) https://www.%{HTTP_HOST}/$1 [R=301,L,NE]

RewriteCond %{HTTP_HOST} ^www.domain.com
RewriteCond %{THE_REQUEST} \s/+(?:index)?(.*?).php[\s?] [NC]
RewriteRule ^ /%1 [R=301,L,NE]

# remove slash if not directory
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} /$
RewriteRule ^(.+?)/$ $1 [R=301,L,NE]

# add .php to access file, but don't redirect
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteCond %{REQUEST_URI} !/$
RewriteRule (.*) $1.php [L]
```

The .htaccess in owncloud folder is untouched. Here is my Apache vhosts section for this webserver:

```
ServerAdmin admin@server.com
DocumentRoot "/my/path/to/webserverroot/"
ServerName myservername.com

SSLEngine On

ErrorLog "/var/log/httpd/localtv-error_log"
CustomLog "/var/log/httpd/dummy-host2.example.com-access_log" common
```

If there is any more information that you need let me know. I have also read that basic auth is a known problem with owncloud and it may have to be disabled. I could work with that if I had to.

Thanks in advance for any help.


#2

I only found this old entry on github:

There should be something more recent. If you want an additional protection layer, you can make owncloud only accessible through a VPN.


#3

Also quoting from the documentation:

You must disable any server-configured authentication for ownCloud, as it uses Basic authentication internally for DAV services. If you have turned on authentication on a parent folder (via e.g. an AuthType Basic directive), you can turn off the authentication specifically for the ownCloud entry. Following the above example configuration file, add the following line in the <Directory section:

Satisfy Any

https://doc.owncloud.org/server/9.1/admin_manual/installation/source_installation.html#additional-apache-configurations
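
The override described in the quoted documentation, written out for the layout in this thread. This is an added example, not part of the original posts or the ownCloud manual. It assumes the block goes into the vhost from post #1, uses the thread's placeholder paths, and adds the `Order`/`Allow` lines and the Apache 2.4 alternative beyond the single line the manual quotes.

```apache
# Added example. Place inside the vhost from post #1: a <Directory> block
# is not valid inside an .htaccess file. Paths are the thread's placeholders.
<Directory "/my/path/to/webserverroot/owncloud">
    # Line quoted from the ownCloud manual. On Apache 2.4, Satisfy is
    # provided by mod_access_compat, the same module that handles the
    # Order/Deny lines in the root .htaccess.
    Satisfy Any

    # Satisfy Any skips the inherited "require valid-user" only when
    # host-based access is allowed, so allow it explicitly here instead
    # of relying on whatever is inherited from the parent directory.
    Order Allow,Deny
    Allow from all
</Directory>

# Apache 2.4 native form of the same override. Use it instead of the
# compat block above, not together with it:
#
# <Directory "/my/path/to/webserverroot/owncloud">
#     Require all granted
# </Directory>
```

With either form in place, ownCloud's own login is the only authentication on /owncloud, while the rest of the site still asks for the .htpasswd credentials. Run `apachectl configtest` before reloading Apache.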