A friend wants me to implement basic file security on his site that he can look after himself.
I think the simplest option is to put a .htaccess file into the folder he wants to protect and that will redirect all requests to a php file in the root.
The php file will then check if the user is logged in and serve the file or request a fixed shared login password.
It's going ok so far except for two problems.
Firstly I can't get the htaccess file work based on the directory it is located in - I can only manage it by hard coding the directory into the htaccess file.
Secondly, I can get the php file to know the url of the file that was requested.
Any help and pointers would be great!
It sounds like what you are wanting to do can be done a little more easily with an .htpasswd setup.
You will just place this in an .htaccess of the directory you are trying to protect and all of the sub-directories will be protected as well.
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
And then create an .htpasswd file and use a tool like this to generate the credentials.
Alternatively, the way you are suggesting to do it will require the use of either cookies or sessions and here is another question that should help a bit more with setting that up.
Related
Hi.I'm new at web, and I want to create a site. I've ordered a domain name and hosting, so now I have access to storage on hosting. What have I to do to protect any folder using htpasswd?
All that I have in http folder is index.html and folder examle, that contains .htaccess and .htpasswd and example2 folder, that should be protected.
When I try to access example2 folder from browser, I get popup window, that asking me for a login and password, and when I enter it I have a 500 internal sever error
Ok, so I have the answer. It's strange that the commentators didn't undertood the error, because as I understood the 500 error has only one meaning - server can't find a file. So, communyty members again talks about everytihng they can intstead that they was asked about-_-(yes, yes, there are a lot of grammar mistakes, but you understood(I hope)).
So here are a few steps for newers, like me, that can help to protect data of your site via `.htpasswd`
Getting the correct file path
Create file in folder you need to be protected, with .php extesion, and name it, how you like. Put this code there, and save it.
<?php
echo 'Полный путь к каталогу: ';
echo $_SERVER['DOCUMENT_ROOT'];
echo '/';
?>
Visit this page via browser, there will be wrote the full path to php document you've created.
Creating .htaccess and .htpasswd files
Go to folder you need to be protected by password and create two files - .htaccess and .htpasswd. You should notice, that these files shouldn't have any extensions, and they must be named exactly with . character in the begining.
Writing to .htaccess
Put there this one
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "My restricted Area"
Require valid-user
Instead of /path/to/ put the path you've got earlier. That's all
Writing to .htpasswd
Go to https://www.web2generators.com/apache-tools/htpasswd-generator and fill there login and password, and it will return you encrypted login:pass combination. Open .htpasswd file and just put it there.
That's all, it should work
I was reading this How secure is .htaccess password protection? and reviewing the fact that one of my sites has the .htpasswd file in a web facing directory.
But, if the permissions on a .htpasswd file are correct (644), can it be accessed at all via a browser or any other means?
I guess the real question is whether or not I should follow the advice and move the .htpasswd to /home/user rather than /home/user/public_html
I would like to fake directory path with .htaccess, but I haven't got much experience with it, so I'm asking you, guys.
Let's say my URL is http://example.com/test and I got some scripts in that folder. I would like to hide the URL, so I wouldn't be able to access by it's real URL, but I could access it with e.g. http://example.com/test2.
I simply would like to hide and fake the directory.
To simply protect the page with a password you can add the following into your .htaccess on the page you want to protect:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd <-- change this to your full path to .htpasswd
Require valid-user
Then create the .htpasswd file, and create user/password combinations. Like this:
test:dGRkPurkuWmW2
Directions can be found on this page:
http://www.htaccesstools.com/articles/password-protection/
Use a password generator like this one to generate an encrypted password:
http://www.htaccesstools.com/htpasswd-generator/
i am an Apache Illiterate person, and i need very simple password protection for a directory using a .htaccess file. very simple one.
i also wonder how tutorials simply tells me "put the .htpasswd file in the path.." i tried to create a .htpasswd file but failed to do that. if someone volunteers to help please keep in mind i use win server 2008 and please consider that my experience in Apache is almost zero.
Use this to generate your htpasswd file: http://www.htaccesstools.com/htpasswd-generator/
You should get a hash back from that and just place that in your htpasswd file. I very strongly suggest that you do not put your htpasswd file in your document root. It would make it accessible via apache.
Edit for clarification:
For example, your apache webserver serves this directory: C:\www\htdocs, and you want to protect this directory with username and password: C:\www\htdocs\secure. You create this .htaccess file and put it in your C:\www\htdocs\secure directory:
AuthType BASIC
# You can choose whatever name you want here
AuthName "Protected"
AuthUserFile C:\www\htpasswd
Require valid-user
You see the C:\www\htpasswd? You need to create that file. Go to that htpasswd-generator link above. Enter a username, enter a password, click on "Create .htpasswd file", the page will give you a text field with your username and a bunch of gibberish. Copy that whole thing and create the file C:\www\htpasswd and paste that into the file.
That's it.
Not sure how much simpler it can get.
Hi
Is there a way to protect a folder and its contents using .htaccess file but only from external access?
Meaning: files inside the server can access the folder but if some one tries to access it directly it prompts for an user and password.
I'm using AuthType Basic already. But when an external file tries to access the image inside the protected folder, there emerges the problem.
To clarify (at least try to), what I have is one folder with many, many images and I don't want them to be accessed but I want my php scripts to have access outside the folder. Like
/index.php
/images/ -> same level of index.php
/admin/photos/ -> index.php can access the files inside this folder without restriction. something like the files has its own user and password.
There's a couple of things you can do but I think you might want to clarify your question. I think what you're asking is how you protect certain files from web access but still allow your scripts (like a PHP script) to be able to access the data.
If that's the case then you simply need to put your data files outside of the DocumentRoot. Apache will only load files that it is allowed to access but PHP, or other scripting languages can access any file anywhere (as long as the user the process executes as has the appropriate permissions)
If you really want user/password access to certain files from the web:
AuthType Basic
AuthName "My super secret folder"
AuthUserFile "/path/to/some/user_file"
require valid-user
That will restrict outside access but will not restrict any access from scripts or people/programs on the server itself.