Missing update of .htpasswd

  • Hello,


    A customer of mine changed his control panel login password.


    He filed a support ticket saying that he cannot log in to
    "domain.tld/stats" anymore.
    He always gets a login error.


    I checked his log files, and this is shown:
    [Wed Jun 10 14:28:46.984224 2015] [auth_basic:error] [pid 30689:tid 140473241831168] [client 1.2.3.4:46704] AH01617: user domain.tld: authentication failure for "/stats/": Password Mismatch


    The reason was that the file:
    "/var/www/virtual/domain.tld/.htpasswd"
    had not changed.
    It seems that the control panel password change did not
    include changing the password in ".htpasswd" for users.


    After I updated this, I checked the "Web statistics" of all
    domains.
    For all domains except one, I see only a "white" statistics page.
    The one I see statistics for is the first domain listed in:
    /etc/apache2/sites-enabled


    The following is in access.log:
    The first line is: "GET /stats/ HTTP/1.1" 401 680 "-"
    All following "GET /stats ..." requests have a 200 response code.


    Is there any misconfiguration?
    How to resolve this?



    Kind regards


    System is :
    Ubuntu 14.04.2, kernel 3.13.0-53-generic
    i-MSCP 1.2.2
    Apache 2.4.7-1ubuntu4.4
    PHP 5.5.9-1ubuntu4.9 , Zend Engine v2.5.0 , ionCube PHP Loader + Intrusion Protection v5.0.7, Zend OPcache v7.0.3
    Perl v5.18.2 built for x86_64-linux-gnu-thread-multi
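
As an added example (not part of the original post), a small parser for the `auth_basic` error-log format quoted above. It separates AH01617 (the user exists in the file Apache read, but the password did not verify) from AH01618 (no such user in that file), which helps narrow down a stale `.htpasswd`. The first sample line is the one from the post; the others are constructed.

```python
import re
from collections import Counter

# Apache 2.4 error-log layout, as in the line quoted in the post:
# [time] [module:level] [pid N:tid N] [client ip:port] AHnnnnn: message
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<module>[\w.]+):(?P<level>\w+)\] '
    r'\[pid \d+(?::tid \d+)?\] \[client (?P<ip>.+?):(?P<port>\d+)\] '
    r'(?P<code>AH\d{5}): (?P<msg>.*)$'
)
# mod_auth_basic messages: wrong password vs. user missing from the file.
KINDS = {
    "AH01617": ("password_mismatch", re.compile(
        r'user (?P<user>.+?): authentication failure for "(?P<uri>[^"]*)": '
        r'Password Mismatch')),
    "AH01618": ("user_not_found", re.compile(
        r'user (?P<user>.+?) not found: (?P<uri>\S+)')),
}

def classify(line):
    """Return a dict describing a basic-auth failure line, or None."""
    m = LINE_RE.match(line.strip())
    if not m or m["module"] != "auth_basic" or m["code"] not in KINDS:
        return None
    kind, msg_re = KINDS[m["code"]]
    d = msg_re.fullmatch(m["msg"])
    if not d:
        return None
    return {"time": m["time"], "client": m["ip"], "kind": kind,
            "user": d["user"], "uri": d["uri"]}

def summarize(lines):
    """Count failures per (kind, user, uri)."""
    events = filter(None, map(classify, lines))
    return Counter((e["kind"], e["user"], e["uri"]) for e in events)

SAMPLE = [
    # Line quoted in the post:
    '[Wed Jun 10 14:28:46.984224 2015] [auth_basic:error] [pid 30689:tid 140473241831168] [client 1.2.3.4:46704] AH01617: user domain.tld: authentication failure for "/stats/": Password Mismatch',
    # Constructed lines for illustration:
    '[Wed Jun 10 14:29:10.000001 2015] [auth_basic:error] [pid 30689:tid 140473241831168] [client 1.2.3.4:46705] AH01617: user domain.tld: authentication failure for "/stats/": Password Mismatch',
    '[Wed Jun 10 14:30:02.120001 2015] [auth_basic:error] [pid 30689:tid 140473241831168] [client 1.2.3.4:46711] AH01618: user other.tld not found: /stats/',
    '[Wed Jun 10 14:31:00.000000 2015] [mpm_event:notice] [pid 30000:tid 1] AH00489: resuming normal operations',
]

if __name__ == "__main__":
    for (kind, user, uri), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {kind:18s} user={user} uri={uri}")
```
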

  • On initial customer creation, .htpasswd is created with the same credentials as the customer. After that, the customer can use Webtools / Protected areas to change his .htaccess/.htpasswd credentials independently of the panel login.
    This is expected behaviour. In case a customer creates .htpasswd not only for himself but also for other users, those should not be overwritten.

  • Hello,


    @flames


    Yes, that's what we did now. This solves the problem with the wrong
    password in .htpasswd.
    But why was the password not correct the first time?
    This customer signed up on the 8th of this month. Nothing was
    changed in the meantime.


    I just checked this for a new domain I got some days ago
    (this is a fully managed account with web design).
    This has the same behavior: I needed to set the password for
    .htpasswd once more in the control panel, and then the statistics
    accepted it.
    I have not had this before with the existing domains.


    Thanks for helping


    Kind regards

  • Is it due to the password for the htaccess user with customer name (main domain) + registered password? As far as I know there was a bug a long time ago where, on changing the account password, the htaccess password was still the old one. Maybe it's because of that.
    If you get this problem again with a newer imscp version, please repost.

  • Hello,


    No, it is when the account is newly created.
    So I cannot use "domain.tld/stats" because
    the browser says wrong password.
    But then I checked with the command "htpasswd -v ..."
    and it says it's OK.
    Then I set the password from the control panel to the
    same as it was, and then it is accepted by the browser.


    Could this be a problem with Firefox 38... ?


    Kind regards

  • Ok again:

    • You created a new user
    • You tried to access userdomain.tld/stats -> The password was not accepted
    • You tried to verify the htpasswd file -> Seems ok
    • You renewed the password -> Now also works in browser

    If yes, can you please add a new user and then access the stats again via browser? If the password is not accepted, restart apache2 and try again. Then repost please :D

  • Hello,


    @Ninos


    Yes, I just tried with a new domain.


    Everything is fine now!


    The reason for all these troubles was simply that I had
    put the following lines:
    ---
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options DENY
    ---
    in file:
    /etc/apache2/mods-available/ssl.conf


    Which is the wrong place.


    Since I moved them to the:
    /etc/apache2/sites-available/domain.tld_ssl.conf
    file, everything is OK.


    This was also the reason for the blank, white page for the statistics pages (see my first post).


    Thanks for helping


    Kind regards

  • Such customizations need to be mentioned in the bug report. Nice that you've solved your problem.