Why isn't Apache Basic authentication working?

Solution 1:

I had a similar problem with Digest authentication on a fresh 2.4 install. Looking closely at the documentation on Apache's site, it looks like the authentication directives need to be in a <Location> tag rather than a <Directory> tag. See the documentation for the AuthBasicProvider directive.

Solution 2:

I faced the same problem, and nothing from this post have helped me, so I'll add my 2 cents. In my case (apache 2.4) the problem was in the sequential Require directives.

By default, if you have more than one Require directives, they are considered as <RequireAny>

In my <Directory> I've had

Require ip 192.168.100.0/24 10.9.8.0/24
Require valid-user

So auth request didn't appear if IP was correct. I've had to switch Require logic from <RequireAny> to <RequireAll> and it seems that now everything works correct.

   <Directory /var/www>

      DirectoryIndex index.html
      Options -Indexes

      AuthType Basic
      AuthName "hidden data"
      AuthBasicProvider    file
      AuthUserFile /opt/httpaswd
      <RequireAll>
        Require ip 192.168.100.0/24 10.9.8.0/24
        Require valid-user
      </RequireAll>
    </Directory>

Solution 3:

jscott's answer is incorrect. Apache 2.4 most certainly does allow authentication directives in <Directory> containers. Moreover, this is the only secure way to implement authentication, as <Location> containers can be accessed in different ways, allowing your authentication to be circumvented if you're not careful.

For the sake of reference, here is a sample container I am using on a production system:

<Directory "/srv/http/my_domain.org/html/secret-stuff">
    Options Indexes Multiviews FollowSymLinks
    AuthType Digest
    AuthName "staff"
    AuthUserFile /etc/httpd/private/secret-stuff.htaccess
    Require valid-user
</Directory>