how to deny access to a directory in .htaccess - .htaccess

I am trying to deny access to my pdfs directory so others cannot access the pdf files in that dir by trying something like www.example.com/pdfdir/test.pdf.
Here is my .htaccess:
AuthType Basic
AuthName "Administrator"
AuthUserFile /home3/nimabida/public_html/power-plant/src/.htpasswd
Require valid-user
It's OK for denying other requests, but now the problem is I can't show these files on my website and it requires user/password there too! How can I show them without login?

You can't reliably block access to a directory if you want to be able to link directly to these files on your site and have them available to your users.
The "best" you can do is to check the Referer HTTP request header to make sure the user is following a link on your site and not typing the URL directly (i.e. no Referer) or following a link from a 3rd party site. (But note that this is unreliable - see below.)
For example, in the /pdfdir/.htaccess file:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/
RewriteRule ^ - [F]
Where example.com is your site's domain. This blocks any request that does not originate from your site. (Commonly referred to as "hotlink" protection.)
However, this is unreliable. A determined user can easily fake the Referer header to gain access to these files and some legitimate users may not send the Referer header so will be blocked.
The only way to reliably block unauthorised access is to use some kind of authorisation (username/password). But in this case, the files would ideally be stored outside of the document root and served to the client by your script once the user has been authenticated.

AuthName in .htaccess not displayed in Chrome

I am trying to secure a website with an .htaccess file with Apache2. It works well but the message specified with the AuthName line is not visible on Chrome (but it is visible on Firefox!). What should I do to make it visible on Chrome?
Here is my .htaccess file:
AuthType Basic
AuthName "Restricted Access"
AuthUserFile "/etc/apache2/.htpasswd"
Require valid-user
On Firefox the pop-up says:
The site ... is requesting your username and password. The site says: "Restricted Access"
But on Chrome it only says:
Sign in
What should I do to make it visible on Chrome?
There is nothing you can do.
The browser decides whether it wants to display this information to the user in some way, or not.
The phrasing used in the Apache documentation already hints at that (highlights by me) -
https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authname:
The string provided for the AuthName is what will appear in the password dialog provided by most browsers.
https://httpd.apache.org/docs/2.4/howto/auth.html#gettingitworking:
The AuthName directive sets the Realm to be used in the authentication. The realm serves two major functions. First, the client often presents this information to the user as part of the password dialog box. Second, it is used by the client to determine what password to send for a given authenticated area.
Here is a workaround which can give some info to your unlucky visitor, using the custom error document feature after the login attempt fails:
Put this line into your .htaccess file:
ErrorDocument 401 YYYY-MM-DDTHHMM-Site-update-under-way-Estimate-30-min
The continuous text seems to get displayed after login fails or is canceled. No dots (.) or colons (:) allowed. Of course it should represent a valid filename, but if the user has no access to public_html due to login failure, a file maybe can't be served anyway. If you can serve a proper 401 error page, you can explain the situation there.
(edit 1) Maybe this behaviour is a curiosity in my case with shared hosting. The shared server there seems to be nginx which I guess "is forced" to accept .htaccess directives.
(edit 2) Confirmed this behaviour also with Apache 2.4 server
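The "proper 401 error page" mentioned above needs one thing to work: the page has to live outside the password-protected area, because Apache fetches an ErrorDocument through an internal subrequest that is itself subject to authentication. The following is an added configuration example, not part of the answer above; the directory layout (/members protected, /errors public) and the file paths are assumptions.

```apache
# /var/www/html/members/.htaccess  (assumed path of the protected area)
AuthType Basic
AuthName "Restricted Access"
AuthUserFile "/etc/apache2/.htpasswd"
Require valid-user

# Serve a real page when the login fails or is cancelled.  The target must
# be OUTSIDE the protected area: the subrequest for the error document goes
# through authentication too, so a protected 401 page only produces a second
# 401 and the browser falls back to its bare "Sign in" prompt.
ErrorDocument 401 /errors/401.html

# /var/www/html/errors/.htaccess  (assumed; a sibling of /members, so the
# Basic auth above does not apply here.  The explicit grant also overrides a
# Require that might be inherited from a parent directory.)
Require all granted
```

With this in place a cancelled or failed login still returns 401, but the body is your own HTML, where the site-update notice can be written out in full instead of being squeezed into a dot-free filename.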

How to stop access to text files?

In my Yii project I have Changelog and Licence text files. I know about RBAC and applied it on every Controller, but how can I prevent any guest user from viewing these text files? As of now anyone can view them.
I have used this in my .htaccess file:
<Files ~ "\.txt$">
Order allow,deny
Deny from all
</Files>
But this only works for .txt files, and these files have no extension.
You can block access to all the files without extension using this rule in your site root .htaccess or Apache config/vhost file:
RewriteEngine On
# If the request is for a valid file
RewriteCond %{REQUEST_FILENAME} -f
# if there is no extension then block
RewriteRule ^[^.]+$ - [F]
Your question is a little broad, and so the answer is a little general, but there are a couple of approaches:
Option 1. Remove the Changelog and Licence files? If these are the Yii install changelog and licence then they don't need to be left on the server. Just ensure you are complying with the licence requirements.
Option 2.
You mentioned "guest user", which .htaccess is not going to integrate well with Yii for authorized users. You could move the files into a folder with a .htaccess containing a single line, Deny from all. This blocks everyone except the PHP executed on your server.
You can now create a method/action in a controller which just echoes the file contents (file_get_contents or readfile). Wrap this in your authentication so only non-guest users are able to use the method.
If there are only two static files, then maybe just an 'action' for each. If there are many files that are changing names etc., then you accept an id to the controller, pass it to a model that uses scandir and checks the file really exists, and spit out your output to the view.
Option 2.1
Instead of a folder with a .htaccess you could also move the files to the parent of the webhost base dir if you have this access. This means that your webserver cannot serve the file, but the PHP can still reach it with local paths.
Option 3
In .htaccess you can use AuthType Basic, which will invoke your webserver to prompt the user for username and password as configured in the .htaccess. This is problematic as the interface is not user friendly and is very difficult to integrate with your webapp's user db.
Option 4
.htaccess can support other AuthTypes but option 2 becomes much easier at this point.
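Option 2 / 2.1 above, and the "store the files outside the document root and serve them from your script once the user has been authenticated" advice in the first answer on this page, both come down to the same controller action: the application checks its own login state, maps the requested name onto a file inside a directory the web server never serves, and refuses anything that escapes that directory. The following is an added Python example, not code from any of the answers (a Yii controller would be PHP); the private directory path, the `user` argument standing in for the app's login layer, and the two sample files are assumptions.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Assumed location of the private files: a directory the web server never
# serves (outside DocumentRoot, or one whose .htaccess says "Deny from all").
PRIVATE_DIR = Path("/srv/app/private")


def resolve_private_file(name: str, base: Path = PRIVATE_DIR) -> Optional[Path]:
    """Map a user-supplied name onto a regular file strictly inside `base`.

    Returns None for absolute paths, "../" traversal, symlinks that point
    outside `base`, embedded NUL bytes, directories and missing files.
    """
    base_real = base.resolve()
    try:
        # An absolute `name` replaces base_real here, which is exactly why the
        # relative_to() check below is needed.
        candidate = (base_real / name).resolve()
        candidate.relative_to(base_real)          # ValueError if it escaped base
        if candidate == base_real or not candidate.is_file():
            return None
    except (ValueError, OSError):                # traversal, NUL byte, stat failure
        return None
    return candidate


def serve_private_file(user: Optional[str], name: str,
                       base: Path = PRIVATE_DIR) -> Tuple[int, Dict[str, str], bytes]:
    """Controller-style action returning (status, headers, body).

    `user` is whatever the application's own login layer resolved for this
    request (None for a guest), so access control stays in the app's user
    database rather than in a separate Basic-auth password file.
    """
    if user is None:
        # Guest: refuse before touching the filesystem (a real Yii action would
        # redirect to the login page instead of returning 403).
        return 403, {}, b""
    path = resolve_private_file(name, base)
    if path is None:
        # Same answer for traversal attempts and genuinely missing files, so the
        # response does not reveal which names exist outside the directory.
        return 404, {}, b""
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "Content-Disposition": f'inline; filename="{path.name}"',
        "X-Robots-Tag": "noindex",
    }
    return 200, headers, path.read_bytes()


def make_demo_dir() -> Path:
    """Constructed sample data: a throwaway private directory with two files."""
    base = Path(tempfile.mkdtemp(prefix="private-"))
    (base / "Changelog").write_text("1.0.1 - constructed sample changelog\n")
    (base / "LICENSE").write_text("constructed sample licence text\n")
    return base


if __name__ == "__main__":
    demo = make_demo_dir()
    for who, req in [(None, "Changelog"), ("alice", "Changelog"),
                     ("alice", "../../etc/passwd"), ("alice", "/etc/hostname")]:
        status, _, body = serve_private_file(who, req, demo)
        print(f"user={who!r:8} name={req!r:22} -> {status} {body[:30]!r}")
```

The two checks worth copying into a PHP version are the ones the `scandir`-based model in option 2 needs as well: resolve the path (realpath) before comparing it with the private directory, and treat an empty or escaping name exactly like a missing file.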

Disallow access and bot indexing in htaccess

A htaccess protected subdirectory of my website somehow has been indexed (months ago) by google. I had to add this directory to robots.txt but I don't want the protected url to be visible in robots.txt anymore.
I switched this directory to a new name and it won't probably be indexed again as it's not referenced anywhere but... just in case, I would like to add a noindex to it.
I added to my subdirectory .htaccess
Header set X-Robots-Tag "noindex"
It's working fine when I disable htaccess protection (I get the noindex header response). As soon as I add the protection
AuthType basic
AuthName "Restricted Area"
AuthUserFile /path/to/.htpassword
Require user admin
and simulate an error by hitting cancel on the authentication window, I get a 401 error and no "noindex" header.
Should I find a way to add a noindex on the 401 error page, or is there another way to manage that?
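The behaviour described in the question follows from how mod_headers works: `Header set` uses the "onsuccess" header table, which is only applied to successful (2xx) responses, so the 401 that Apache generates when the login dialog is cancelled carries no X-Robots-Tag. The `always` condition applies the header to every response, error responses included. The following is an added configuration example, not from the question; the file paths are the question's placeholders.

```apache
# Protected subdirectory .htaccess (layout as in the question)
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/to/.htpassword
Require user admin

# Weak form: default "onsuccess" table, header appears only on 2xx responses,
# so the 401 sent after a cancelled or failed login has no noindex at all.
# Header set X-Robots-Tag "noindex"

# Corrected form: the "always" table is merged into every response, including
# the 401, so a crawler that requests the protected URL sees noindex too.
Header always set X-Robots-Tag "noindex"
```

A quick check is to request the protected URL without credentials and look at the response headers: with the `always` form the 401 response itself shows `X-Robots-Tag: noindex`, which is what you want the crawler to receive without having to list the directory in robots.txt.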

How do I use htaccess to limit access to entries?

I need to password protect a couple of entries on a site. It is easy to do at the template level but this is at the entry level. I am running Expression Engine.
I tried setting up an htaccess file but it is not yet effective.
It is like this:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/server/.htpasswds/.htpasswd
AuthGroupFile /dev/null
<Files template_group/entry_name>
require valid-user
</Files>
Where template_group is the name of the actual template_group and entry_name is the actual name of the entry.
Any assistance will be appreciated.
Thanks.
While ExpressionEngine provides its own means for Template Access Restriction to password-protect pages and templates — including handling .htaccess Apache Basic HTTP Authentication — there are situations where you might not want to, or are unable to, use it:
For example, the Freelancer Version of ExpressionEngine doesn't include the Member Management Module, so the Template Preferences Manager doesn't offer Access Restrictions.
Also, if you elect to use ExpressionEngine's HTTP Authentication, only users with member accounts [in ExpressionEngine] will be able to login, since EE uses its local member database for authentication.
If you're the DIY type, you can modify your httpd.conf to limit and password-protect access to ExpressionEngine pages, entries and templates.
This technique works by:
Editing Apache's httpd.conf
Creating .htpasswd or .htgroup files
Specifying the URL(s) to Protect
Note: Since we are attempting to match objects at the URL level and not the physical filesystem, we must use a <Location> or <LocationMatch> directive [1].
Put the following in your server's httpd.conf or vhost.conf file:
<LocationMatch "^/private">
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/website/.htpasswd
AuthGroupFile /dev/null
Require valid-user
</LocationMatch>
Be sure to change the values of the directive to your liking and your hosting environment.
If you haven't already, create the .htpasswd password file to encrypt the desired passwords, either using the command line or an Online .htaccess Password Generator:
htpasswd -c /path/to/website/.htpasswd username
If the htpasswd command is not in your Unix path, you'll have to type the full path to the file to get it to run. On my server, it would be:
/usr/sbin/htpasswd -c /path/to/website/.htpasswd username
Then, htpasswd will ask you for the user's password, and ask you to type it again to confirm:
# htpasswd -c /path/to/website/.htpasswd username
New password: changeme
Re-type new password: changeme
Adding password for user username
With everything in place and working, any request to /private* will be handled by Apache before it's routed to ExpressionEngine.
Voilà — Apache password-protected directories working in harmony with ExpressionEngine (or any CMS really, such as WordPress, MovableType or TextPattern).
[1] The context of the <Location> directive specifies that it can only be used in server config and virtual host configuration files. This means we can't put the rules in a .htaccess file, otherwise Apache will throw a 500 Internal Server Error with the description "Location not allowed here".
If you are attempting to match objects at the URL level, you must use <Location>
If you are attempting to match objects at the filesystem level, you must use <Directory> and/or <Files>
I answered two similar questions on this subject that may be of benefit to you.
Nevertheless, there are several ways to password-protect pages in an ExpressionEngine site:
Template Preferences Manager
Conditional Global Variables
Third-Party Add-Ons
By far the easiest solution to your situation is to use the built-in Template Preferences Manager in the ExpressionEngine Control Panel and assign the "private" entries to a template that requires authentication.
A third-party add-on such as Entry Access by Yuri Salimovskiy of IntoEEtive may be of benefit to you. Entry Access enables you to restrict front-end access to certain channel entries for certain members or member groups.

How secure is htaccess authentication

I need to protect a clients CMS with a username and password, only one username is needed. I was going to use htaccess because its so quick to add.
I'll be adding it using the password directories feature in WHM which stores the passwords here:
AuthUserFile "/home/username/.htpasswds/public_html/cms/passwd"
How secure is this? Are there ways to get into folders such as .htpasswds?
Straight from Apache's documentation
The most common method is Basic, and this is the method implemented by mod_auth_basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl. Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Most recent browsers support Digest authentication.
Please read the rest HERE
Please read the comments, things have changed since 2011. Good catch #reve_etrange
You should deny access to the folder that contains passwd files
<Directory /home/*>
Order allow,deny
Deny from all
Satisfy all
</Directory>
Also don't forget that HTTP traffic can be captured, so it won't suit financial transactions.
As long as you set up the proper restrictions in your httpd.conf file to block external requests for .htaccess, and .htpasswd you should be okay.
You can block external requests (in Apache) with the following directives:
# The following code hides .htaccess and .htpasswd files from sites visitors.
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
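The two answers above use Apache 2.2 syntax (`Order`/`Deny`/`Satisfy`, supplied in 2.4 only by mod_access_compat). The following is an added example, not from either answer, showing the same protection in Apache 2.4 form (mod_authz_core's `Require`) together with the point about captured HTTP traffic: `SSLRequireSSL` from mod_ssl refuses plain-HTTP requests to the CMS directory, so the Basic credentials are only ever sent over TLS. The paths follow the question's WHM layout and are assumptions.

```apache
# httpd.conf / vhost (Apache 2.4 syntax, mod_authz_core)

# Never serve .htaccess / .htpasswd-style files, whatever directory they are in
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# The WHM password store is outside public_html and so not reachable through
# the web server anyway; this makes that explicit in case DocumentRoot or an
# Alias ever changes.
<Directory "/home/username/.htpasswds">
    Require all denied
</Directory>

# The CMS directory: Basic auth, and only over TLS (needs mod_ssl loaded)
<Directory "/home/username/public_html/cms">
    SSLRequireSSL
    AuthType Basic
    AuthName "CMS"
    AuthUserFile "/home/username/.htpasswds/public_html/cms/passwd"
    Require valid-user
</Directory>
```

Because `SSLRequireSSL` is evaluated before the browser is ever asked for credentials, a plain `http://` request to the CMS gets a 403 instead of a login prompt, which is the behaviour you want when the only thing standing between the attacker and the CMS is a single shared password.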
