PHP生成的.htpasswd放在哪里？

Question

I am creating a PHP based web application which requires simple authentication to use. The application is made to be installed on a web server and used only be the owner of the web hosting/server, so there will only be one user and password. I figured there was no point in creating a complicated login system. I would just create a GUI to generate .htaccess and .htpasswd files to use Apache's authentication. The idea behind it was that it was supposed to simple, however it is turning into more of a job than I anticipated. I realized I have to place the .htpasswd file somewhere secure, meaning not in a web accessible directory. The problem is that web servers often have different filesystems and permissions, so where can I place it where it will be safe? I was able to create a directory with "740" permissions, which should be secure, from what I can tell. However, this is inconvenient. The application really should be limited to one folder, and if necessary a stray .htpasswd file. I would love to place the .htpasswd in the application folder, but I believe that is not possible if it is secured by the .htaccess file, when I tried it seemed to cause server errors. If anybody has a solution to that or a better place to put the .htpasswd file it would be greatly appreciated!

Answer 1

By default apache should be configured not to serve any .ht* files by this rule:

<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

So it should be secure to place this file wherever you want.

If you are encountering server errors check for mod_auth if it is compiled/enabled in apache installation and if your virtual host/webroot has AllowOverride AuthConfig