I was recently using cPanel to password protect a directory on a website. It was all point-click, so should have been simple and just work, except it didn’t. After entering your login credentials, the server would return an error instead of giving you access to the directory contents:
Error 500: Internal Server Error
By password protecting the directory, cPanel was adding this to .htaccess in the protected directory:
The problem was that cPanel was putting the password into a file that the apache process could not access. For whatever reason, the apache process could not read .htpasswds/public_html/protected-directory/passwd to check the credentials.
The fix was to move the password file to somewhere the apache file could access it. In this case, I put it into the web root:
I made it an “hidden” file by prefixing it with a “.” and this prevents it from being served up on the website. The AuthUserFile entry was set to point to this file:
There will be other ways to solve the problem, other users running the httpd process and other security concerns to take into account, but making sure the password file can be read by the httpd process serving the site from account-name was the key.