File path for .htaccess to password protect directory

Hi team,

I recently migrated from VestaCP to HestiaCP and I am trying to understand why the file path I have in my .htaccess file (to set a directory password) is failing. It’s causing a 500 error. The only change is the username, which I updated accordingly, but the file path is the same and the O/S (Debian) is the same. I am sure it’s a silly typo but can’t get it to work.


AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /home/myusername/web/
AuthName “Secure Area”
require valid-user
ErrorDocument 401 “Unauthorized Access”

File .htaccess is placed in both /public_html/photos & /mydomain

Should it work exactly the same as per VestaCP? I looked on the forums and it hasn’t come up so I am assuming I have done something wrong.


Hi @phez

Anything in the web log of the related domain? It could lead you to the source of your issue.

Shouldn’t that be ?

It would be so great if we could just check a box in the HestiaCP backoffice to enable or disable HTTP protection for a site. We’re starting to get used to all those cool little things that make our lives easier, version after version.

Integration into the admin panel is quite hard with the current file manager…

@eris: super cool! I’m not afraid of the command line.
For delete http auth user, it seems to remove only the access for an auth user.

But how do I remove all the domain protection? (to switch to production mode)


I’ve made a small tutorial on how to do this, easily. If someone knows bash, better than me, you can make it a bash command. Or just add it directly to the file explorer in Hestia.

Create a new, encrypted .htpasswd file with the user admin. You can add to this file, just remove the ‘-c’. It will ask you for a password. This file can be anywhere on the server. The file (.htpasswd) can be named anything, it doesn’t matter.

htpasswd -c /home/user/web/domain/.htpasswd admin

Create a .htaccess file in the folder you want to protect

AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/user/web/domain/.htpasswd
require valid-user


In my case I have an issue if you send a request to the protected folder:

/test/ = OK it’s asking for auth, and if I cancel I get a 401 error.
/test/index.html : KO (it’s not asking for auth and you gain access)
/test/test.html : KO (it’s not asking for auth and you gain access)
/test/test.avi : KO (it’s not asking for auth and you gain access)
/test/test.test : OK it’s asking for auth, and if I cancel I get a 401 error.

It’s like some regular extensions are KO but unknown extensions will work.

I tried and reproduced this problem on a freshly installed Hestia: v1.4.17 - Ubuntu 20.04 (x86_64)

If you have configured some basic HTTP auth like this on your server, do you have the same problem?


I didn’t test this until now, but you are right. It doesn’t work as expected. I assume you have the default Hestia setup, with apache and nginx, like me. I don’t have any servers with apache alone, so I can’t test this, but this short htaccess was taken from my old cpanel install and it should work. I assume it doesn’t because of some nginx caching thing.

I can see that an HTML file in the folder is displayed first and then the browser prompts me for a password. It might be an Nginx proxy thing or a HestiaCP bug…

Files listed in the proxy list are only served by Nginx and bypass Apache / .htaccess
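
A check for the behaviour reported above, as an added example that is not part of the thread: it requests each path without credentials and lists those that do not answer 401. The local server and its PROXY_EXTENSIONS list are a constructed stand-in for the Nginx-in-front-of-Apache setup, not Hestia's actual configuration; point find_auth_bypasses at your own site to test it.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Connect directly, ignoring any proxy set in the environment.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def unauthenticated_status(url, timeout=5):
    """Return the HTTP status for a request sent with no credentials."""
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def find_auth_bypasses(base_url, paths):
    """Return the paths that did NOT answer 401 without credentials."""
    return [p for p in paths if unauthenticated_status(base_url + p) != 401]

# Constructed stand-in for the thread's setup: extensions in this assumed
# proxy list are answered directly, everything else reaches the Basic
# Auth check that .htaccess configures.
PROXY_EXTENSIONS = (".html", ".avi")

class SimulatedFrontend(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path.endswith(PROXY_EXTENSIONS):
            self.send_response(200)   # static file served, no auth asked
            self.end_headers()
        else:
            self.send_response(401)   # request reached the auth check
            self.send_header("WWW-Authenticate", 'Basic realm="Restricted Area"')
            self.end_headers()

    def log_message(self, *args):     # keep the demo quiet
        pass

def run_demo():
    """Start the simulated server and probe the paths from the thread."""
    server = HTTPServer(("127.0.0.1", 0), SimulatedFrontend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_port
        paths = ["/test/", "/test/index.html", "/test/test.html",
                 "/test/test.avi", "/test/test.test"]
        return find_auth_bypasses(base, paths)
    finally:
        server.shutdown()
        server.server_close()
```

Any path this returns is readable without a password, so an empty list is the result to aim for after changing the proxy or auth configuration.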