We have a webpage which is protected by our SSO. However, we also have a mobile app where the user will be authenticated and we want to launch a page on our website without them having to login.
The SSO is engaged via htaccess in a directive - I want to be able to conditionally enable this rule.
I don't have much experience with htaccess but I am aware of an If directive which I believe we could wrap around the Files directive and inspect the query string of the incoming request - if the query string contains a token - allow access, otherwise enable SSO - this is so that visitors from the web will still have to sign in through SSO.
I can't seem to get the syntax right for the If though, and just get 500s. I have tried...
<If "%{REQUEST_URI} =~ ?referrer=ilancaster ">
<Files "index.html">
AuthType SSOModule
SSOModule On
</Files>
</If>
This works nicely - enables SSO for web visitors, skips it if you pass a token
<Files "index.html">
<If "%{QUERY_STRING} =~ /^((?!token).)*$/">
AuthType SSOModule
SSOModule On
Require group <group>
</If>
</Files>
Related
I am trying to deny access to my pdfs directory so others cannot access the pdf files in that dir by trying something like www.example.com/pdfdir/test.pdf
Here is my .htaccess:
AuthType Basic
AuthName "Administrator"
AuthUserFile /home3/nimabida/public_html/power-plant/src/.htpasswd
Require valid-user
its ok for denying other request but now the problem is i cant show these files in my website and it require user/password there too! how can i show them without login?
You can't reliably block access to a directory if you want to be able to link directly to these files on your site and have them available to your users.
The "best" you can do is to check the Referer HTTP request header to make sure the user is following a link on your site and not typing the URL directly (ie. no Referer) or following a link from a 3rd party site. (But note that this is unreliable - see below.)
For example, in the /pdfdir/.htaccess file:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/
RewriteRule ^ - [F]
Where example.com is your site's domain. This blocks any request that does not originate from your site. (Commonly referred to as "hotlink" protection.)
However, this is unreliable. A determined user can easily fake the Referer header to gain access to these files and some legitimate users may not send the Referer header so will be blocked.
The only way to reliably block unauthorised access is to use some kind of authorisation (username/password). But in this case, the files would ideally be stored outside of the document root and served to the client by your script once the user has been authenticated.
I'm testing Amazon Cloudfront on a dev environment which is protected by .htaccess/.htpasswd.
The password protection on the dev server is causing all of the cloudfront.net assets to be password protected as well. And no username/password combination works (the poppin just keep asking for password again and again).
I cannot remove the password protection.
I have see this other topic Amazon Cloudfront and .htaccess with the same request.
When I add this code to mine, the password protection is not displayed.
My .htaccess file:
SetEnvIf User-Agent ^Amazon Cloudfront$ cdn
ErrorDocument 401 default
AuthName "ACCESS"
AuthUserFile /var/www/html/folder/.htpasswd
AuthType Basic
AuthGroupFile None
<RequireAny>
Require valid-user
Require env cdn
</RequireAny>
<Files "healthcheckfile.html">
Allow from all
Satisfy any
</Files>
To summarize I need to have a password protection on the website with .htaccess but I also need cloudfront to go through without disable the whole protection.
Do you have any ideas?
PS: I have done new tests (it works on localhost with MAMP), I have also deleted the behaviours of my CloudFront and test the solution of Amit but nothing change, the prompt doesn't show up.
Ok I've found a solution.
Go to your Cloudfront behaviors and add the next ones where the webauth hit:
Accept-Language
Accept-Encoding
Authorization
Solution thanks to https://medium.com/#omkar.sonawane/amazon-cloudfront-http-request-headers-authorization-header-22393c624da9
I have a subdomain that uses file_get_contents in php, and I need that to access an otherwise restricted file. In my .htaccess I have
<Files "file.txt">
Order Allow,Deny
Allow from subdomain.site.com
Deny from all
</Files>
The main problem I have here is that it doesn't unblock access from subdomain.site.com. I can't access the subdomain via url path because of site isolation set in place by my hosting provider.
The tutorial I have found says that you can whitelist certain websites to access this file. But, for some reason even following their syntax, it for some reason won't whitelist that site.
Tutorial:
https://www.askapache.com/htaccess/#developing_sites
I want to grant public access to a hosted Website (nginx) and exclude a specific IP-Address range (123.456) from accessing it.
To say it simple: Every access from the IP-Range 123.456 should be restricted by promting for Username/Password. Thats what I want to have.
Here my .htaccess.
AuthType Basic
AuthName "Go away!"
AuthUserFile /home/www/path-to-my/.htpasswd
Require valid-user
Order Allow,Deny
Allow from all
Deny from 123.456
Satisfy any
What I get when I am using it:
Public access successful
Access from the excluded IP-Range = Timeout
As fas as I know .htaccess files are only for apache web server and not nginx.
Yo'll need to convert the rules with a converter or do it yourself.
In your case:
# nginx configuration
auth_basic "Go away!";
auth_basic_user_file /home/www/path-to-my/.htpasswd;
deny 123.456;
satisfy any;
The configuration directives are quite similar, but they are different.
I need to protect a clients CMS with a username and password, only one username is needed. I was going to use htaccess because its so quick to add.
I'll be adding it using the password directories feature in WHM which stores the passwords here:
AuthUserFile "/home/username/.htpasswds/public_html/cms/passwd"
How secure is this? Are there ways to get into folders such as .htpasswds?
Straight from Apache's documentation
The most common method is Basic, and this is the method implemented by mod_auth_basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl. Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Most recent browsers support Digest authentication.
Please read the rest HERE
Please read the comments, things have changed since 2011. Good catch #reve_etrange
You should deny access to the folder that contains passwd files
<Directory /home/*>
Order allow,deny
Deny from all
Satisfy all
</Directory>
also don't forget that http traffic can be captured, so it won't suit for financial transactions.
As long as you set up the proper restrictions in your httpd.conf file to block external requests for .htaccess, and .htpasswd you should be okay.
You can block external requests (in Apache) with the following directives:
# The following code hides .htaccess and .htpasswd files from sites visitors.
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>