On Sat, 2023-04-29 at 17:39 +0100, Patrick O'Callaghan wrote: Further thoughts... That error sound backwards. A password mismatch ought to be authorisation failure (you are not authorised). An authentication failure would be some other problem (it can't do the authentication). Are all the failures for trying to access the same thing? The .htpasswd file should be outside of the webserving tree. Are you sure you're only using one file, or are correctly specifying the right one? The .htaccess files which mention which .htpasswd file to use should use the full filepath to the .htpasswd file. And mention the correct type of authentication being used (bearing in mind that only some methods are actually usable). And you have to use the same scheme when creating the passwords. AuthType Basic AuthName "Secure space" AuthUserFile /var/www/.htpasswd Require valid-user Satisfy All Have you looked through Apache's own docs regarding it? e.g. https://httpd.apache.org/docs/2.4/programs/htpasswd.html -- NB: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the list. The following system info data is generated fresh for each post: uname -rsvp Linux 6.2.8-100.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 22 19:14:19 UTC 2023 x86_64

Tim: Patrick O'Callaghan: Not on my server. Well, it's semantics. If I don't enter the password, or try the wrong one, it's an authentication ERROR, and I am not authorised. ------------------- 401 error (proper authorisation is required) Authentication error information The resource you tried to retrieve requires you to provide username and password credentials, but your request either didn't include them, or didn't include them properly. ------------------- And the logs will have something like: [Sun Apr 30 15:49:14.261826 2023] [auth_basic:error] [pid 18610] [client 192.168.1.1:36072] AH01618: user gfgaa not found: /personal/testbox/strong/ I wouldn't call that an auth failure, it's actually doing its job. If I configure the server incorrectly, I may get a 500 error, but that will be an authentication failure (it can't do the job). e.g. If I try to use MD5 when it's not possible, I will get a 500 error ----------------------- 500 Internal Server Error Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. ------------------------ And this in the logs: [Sun Apr 30 15:44:36.485184 2023] [authn_core:error] [pid 19426] [client 192.168.1.1:36034] AH01796: AuthType MD5 configured without corresponding module -- uname -rsvp Linux 3.10.0-1160.88.1.el7.x86_64 #1 SMP Tue Mar 7 15:41:52 UTC 2023 x86_64 Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list.