Amazon Cloudfront and .htaccess/.htpasswd - .htaccess

I'm testing Amazon Cloudfront on a dev environment which is protected by .htaccess/.htpasswd.
The password protection on the dev server is causing all of the cloudfront.net assets to be password protected as well. And no username/password combination works (the poppin just keep asking for password again and again).
I cannot remove the password protection.
I have see this other topic Amazon Cloudfront and .htaccess with the same request.
When I add this code to mine, the password protection is not displayed.
My .htaccess file:
SetEnvIf User-Agent ^Amazon Cloudfront$ cdn
ErrorDocument 401 default
AuthName "ACCESS"
AuthUserFile /var/www/html/folder/.htpasswd
AuthType Basic
AuthGroupFile None
<RequireAny>
Require valid-user
Require env cdn
</RequireAny>
<Files "healthcheckfile.html">
Allow from all
Satisfy any
</Files>
To summarize I need to have a password protection on the website with .htaccess but I also need cloudfront to go through without disable the whole protection.
Do you have any ideas?
PS: I have done new tests (it works on localhost with MAMP), I have also deleted the behaviours of my CloudFront and test the solution of Amit but nothing change, the prompt doesn't show up.

Ok I've found a solution.
Go to your Cloudfront behaviors and add the next ones where the webauth hit:
Accept-Language
Accept-Encoding
Authorization
Solution thanks to https://medium.com/#omkar.sonawane/amazon-cloudfront-http-request-headers-authorization-header-22393c624da9

Related

how to deny access to a directory in .htaccess

I am trying to deny access to my pdfs directory so others cannot access the pdf files in that dir by trying something like www.example.com/pdfdir/test.pdf
Here is my .htaccess:
AuthType Basic
AuthName "Administrator"
AuthUserFile /home3/nimabida/public_html/power-plant/src/.htpasswd
Require valid-user
its ok for denying other request but now the problem is i cant show these files in my website and it require user/password there too! how can i show them without login?
You can't reliably block access to a directory if you want to be able to link directly to these files on your site and have them available to your users.
The "best" you can do is to check the Referer HTTP request header to make sure the user is following a link on your site and not typing the URL directly (ie. no Referer) or following a link from a 3rd party site. (But note that this is unreliable - see below.)
For example, in the /pdfdir/.htaccess file:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/
RewriteRule ^ - [F]
Where example.com is your site's domain. This blocks any request that does not originate from your site. (Commonly referred to as "hotlink" protection.)
However, this is unreliable. A determined user can easily fake the Referer header to gain access to these files and some legitimate users may not send the Referer header so will be blocked.
The only way to reliably block unauthorised access is to use some kind of authorisation (username/password). But in this case, the files would ideally be stored outside of the document root and served to the client by your script once the user has been authenticated.

Excluse specific IPs from Website with .htaccess restriction

I want to grant public access to a hosted Website (nginx) and exclude a specific IP-Address range (123.456) from accessing it.
To say it simple: Every access from the IP-Range 123.456 should be restricted by promting for Username/Password. Thats what I want to have.
Here my .htaccess.
AuthType Basic
AuthName "Go away!"
AuthUserFile /home/www/path-to-my/.htpasswd
Require valid-user
Order Allow,Deny
Allow from all
Deny from 123.456
Satisfy any
What I get when I am using it:
Public access successful
Access from the excluded IP-Range = Timeout
As fas as I know .htaccess files are only for apache web server and not nginx.
Yo'll need to convert the rules with a converter or do it yourself.
In your case:
# nginx configuration
auth_basic "Go away!";
auth_basic_user_file /home/www/path-to-my/.htpasswd;
deny 123.456;
satisfy any;
The configuration directives are quite similar, but they are different.

htaccess for download directory

I have a folder where I want to keep some downloadable items, but I don't want people to be able to navigate directly to that url. I set up htaccess so that it is password protected which works fine. The problem is I want a user to be able to click a download link and download an item from that folder without having to enter a password. Whats the best way to secure the folder while still allowing downloads from it?
Thanks for your answer, but unfortunately I couldn't get it to work, it would still restrict the download links.
I did find this answer which solved the problem: Htaccess access/download
I had to use
<FilesMatch "\.(.+)$">
Order allow,deny
Allow from all
Satisfy any
</FilesMatch>
This is little tricky. Let's assume your download folder is names as DocumentRoot/downloads
You can use this code in your /downloads/.htaccess:
SetEnvIfNoCase Request_URI "/downloads/.+$" ALLOWED
AuthType Basic
AuthName "Protected Area"
AuthUserFile /Ful/Path/To/passwords
Require valid-user
Order deny,allow
Deny from all
Allow from env=ALLOWED
Satisfy any
This will allow unrestricted access to any file inside /downloads/ folder.
This will show basic auth popup when user enters http://domain.com/downloads/

Htaccess/Htpasswd AutoType Basic Doesn't Work in Chrome

Okay, so I'm protecting a webpage with a basic .htaccess/.htpasswd combination.
My .htaccess file looks something like this:
DirectoryIndex index.php
AuthUserFile HOMEDIRECTORY/.htpasswd
AuthName "Restricted Area"
AuthType Basic
require valid-user
Everything works fine under Firefox, but Chrome gives this message. I've tested this on multiple computers.
Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Any idea where Chrome is going wrong?
If you are using a frame redirection between different domains Chrome will not show the login prompt. Use an HTTP 302 or 301 redirection instead.

How secure is htaccess authentication

I need to protect a clients CMS with a username and password, only one username is needed. I was going to use htaccess because its so quick to add.
I'll be adding it using the password directories feature in WHM which stores the passwords here:
AuthUserFile "/home/username/.htpasswds/public_html/cms/passwd"
How secure is this? Are there ways to get into folders such as .htpasswds?
Straight from Apache's documentation
The most common method is Basic, and this is the method implemented by mod_auth_basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl. Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Most recent browsers support Digest authentication.
Please read the rest HERE
Please read the comments, things have changed since 2011. Good catch #reve_etrange
You should deny access to the folder that contains passwd files
<Directory /home/*>
Order allow,deny
Deny from all
Satisfy all
</Directory>
also don't forget that http traffic can be captured, so it won't suit for financial transactions.
As long as you set up the proper restrictions in your httpd.conf file to block external requests for .htaccess, and .htpasswd you should be okay.
You can block external requests (in Apache) with the following directives:
# The following code hides .htaccess and .htpasswd files from sites visitors.
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

Resources