I have an instance running on EC2 that I want to password protect.
my .htaccess file;
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} ^http$
RewriteCond %{REQUEST_URI} !^/healthcheck\.html$
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
AuthName "Restricted"
AuthUserFile /var/www/html/mydirectory/.htpasswd
Require valid-user
<Files "my_healthcheck_file.php">
Allow from all
Satisfy any
</Files>
.htpasswd is username:password for just now. As I am running ELB I have allowed all connections to my healthcheck file so the instance will be healthy and not blocked by password. I've needed to open this connection otherwise it returns 503 error.
I believe my problem lies with the AuthUserFile. however I have tried both /var/www/html/mydirectory/.htpasswd and the absolute path: /var/app/current/mydirectory/.htpasswd & both return error 500.
unsure what I am doing wrong, I have even checked the path is correct by doing:
<?php
$dir = dirname(__FILE__);
echo "<p>Full path to this dir: " . $dir . "</p>";
echo "<p>Full path to a .htpasswd file in this dir: " . $dir . "/.htpasswd" . "</p>";
?>
Any suggestions is much appreciated! Thanks!
Related
I have a site where subdirectories are generated automatically, and need to be indexable under .htaccess
However, I don't want someone to be able to go to the root of these subdirectories and to view them all. I also don't want anything other than these subdirectories to be indexable.
E.g.
/ ~ Has "Options -Indexes" (Non-Indexable)
/foo/ ~ Has "Options -Indexes" (Non-Indexable)
/foo/bar/ ~ Has "Options +Indexes" (Indexable)
/foo/baz/ ~ Has "Options +Indexes" (Indexable)
It's not possible for me to generate an individual .htaccess file for every subdirectory individually, the system I'm using doesn't support it.
I'm assuming there's no other way to solve this problem (without possibly using the Apache config), so I'm just allowing the index recursively (i.e. from /foo), then inside /foo 's .htaccess file:
Options +Indexes
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/foo[/]?$
RewriteRule (.*) / [R=301,L]
To just redirect people to the homepage. Also put a meta refresh redirect in there just incase.
I have rewritten a PHP file's URL as:
RewriteRule ^psu/(.*)/(.*)/(.*)/(.*) _psu.php?id=$1&mb=$2&cpu=$3&name=$4 [L]
This makes the page _psu.php accessible only as:
psu/path/path/path/path
Any other URLs like:
psu/path/path/path/
psu/path/path/
psu/path/
psu
gives 404 Not Found Error.
How can I rewrite the URL - psu/path/path/path/path keeping the above URL accessible?
Try this:
RewriteEngine On
RewriteBase /
RewriteRule ^psu(?:/([^/]*)(?:/([^/]*)(?:/([^/]*)(?:/([^/]*)/?)?)?)?)?$ _psu.php?id=$1&mb=$2&cpu=$3&name=$4 [L]
In _psu.php
<?
$id = $_GET["id"];
$mb = $_GET["mb"];
$cpu = $_GET["cpu"];
$name = $_GET["name"];
echo "id: $id<br>
mb: $mb<br>
cpu: $cpu<br>
name: $name";
?>
Check Accessible URLs:
/psu/1/2/3/4
/psu/1/2/3
/psu/1/2
/psu/1
/psu
Satisfies all mentioned retirements.
To handle dynamic length path after psu use this rule in site root .htaccess:
AcceptPathInfo on
RewriteEngine On
RewriteRule ^psu(/.*)?$ _psu.php$1 [L,NC]
In inside php code of _psu.php use:
$_SERVER["PATH_INFO"]
to get path info. You can split it by / to get list of path components.
You can use:
RewriteRule ^psu(?:/([^/]*)(?:/([^/]*)(?:/([^/]*)(?:/([^/]*)/?)?)?)?)?$ _psu.php?id=$1&mb=$2&cpu=$3&name=$4 [L]
TL;DR: My URL rewriting breaks if a subdirectory without a file is requested. Instead of loading a default home page as expected, I'm getting a 403 Forbidden error.
I'm using Apache URL rewriting to build a site using the Front Controller pattern. So far, my .htaccess looks like this:
Options -Indexes
RewriteCond %{REQUEST_URI} ^/(subdir|subdir/.*|subdir2|subdir2/.*).*$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+) index.php?request=$1 [QSA]
So this is working for all requests except requests for subdirectories:
mydomain.com/ results in ->
mydomain.com/index.php with home.inc content
mydomain.com/page1 results in ->
mydomain.com/index.php with /pages/page1.inc content
mydomain.com/subdir/ results in ->
403 Forbidden
mydomain.com/subdir/page1 results in ->
mydomain.com/index.php with /subdir/pages/page1.inc content
More details below that probably don't matter, since the issue is likely in the .htaccess.
In index.php, I'm catching the request and using that to grab the corresponding include page from a directory /pages which has files with the content of each page. Here's the (somewhat simplified) code from index.php:
//grab the actual HTTP request
$request = $_GET['request'];
//if the request has slashes, isolate the directory part into $dir
$slashPos = strrpos($request, "/");
if($slashPos !== false){
$dir = substr($request, 0, $slashPos) . "/";
$page = basename($request, ".inc");
} else {
$dir = "";
$page = request;
}
//use "home" if no filename is specified.
if($page==""){$page="home";}
//build path to content include
$content = $dir . "pages/" . $page . ".inc";
//output page
require("header.php");
require($content );
require("footer.php");
This works perfect for the root directory. A request for mydomain.com/page1 results in mydomain.com/index.php being served with the contents of mydomain.com/pages/page1 included.
It also works for pages within a subdirectory: a request for mydomain.com/subdir/page1 results in mydomain.com/index.php being served with the contents of mydomain.com/subdir/pages/page1 included.
It all breaks when the request is for an actual directory. So mydomain.com/subdir/ returns 403 Forbidden. Why is it doing that? I expect it to load $dir with subdir and $page with home (I set as a default for when $page=="").
Yes, Options -Indexes is probably causing the 403, but why only on subdirectories? It doesn't 403 on root. And the line RewriteCond %{REQUEST_URI} ^/(subdir|subdir/.*|subdir2|subdir2/.*).*$ in .htaccess should catch it, right?
Ok, I figured it out. The problem is that subdir wasn't actually at web root. My entire site is actually working in its own subdirectory. In other words, I wasn't working in
mydomain.com/
as the root, I was working in
mydomain.com/mydivision/
as a root. So obviously in this line:
RewriteCond %{REQUEST_URI} ^/(subdir|subdir/.*|subdir2|subdir2/.*).*$
the ^ made it look for subdir at the actual webroot. To fix I removed ^ or add my actual subdomain to that line after ^.
OK first off thanks for your time I wish I could give more than one point for this question.
Problem: I have some music files on my site (.mp3) and I am using a php file to increment a database to count the number of downloads and to point to the file to download. For some reason this method starts at 350kb/s then slowly drops to 5kb/s which then the file says it will take 11hrs to complete. BUT if I go directly to the .mp3 file my browser brings up a player and then I can right click and "save as" which works fine complete download in 3mins. (Yes both during the same time for those that are thinking it's my connection or ISP and its not my server either.)
So the only thing that I've been playing around with recently is the php.ini and the .htcaccess files.
So without further ado, the php file, php.ini, and the .htcaccess:
download.php
<?php
include("config.php");
include("opendb.php");
$filename = 'song_name';
$filedl = $filename . '.mp3';
$query = "UPDATE songs SET song_download=song_download+1 WHERE song_linkname='$filename'";
mysql_query($query);
header('Content-Disposition: attachment; filename='.basename($filedl));
header('Content-type: audio/mp3');
header('Content-Length: ' . filesize($filedl));
readfile('/music/' . $filename . '/' . $filedl);
include("closedb.php");
?>
php.ini
register_globals = off
allow_url_fopen = off
expose_php = Off
max_input_time = 60
variables_order = "EGPCS"
extension_dir = ./
upload_tmp_dir = /tmp
precision = 12
SMTP = relay-hosting.secureserver.net
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="
; Defines the default timezone used by the date functions
date.timezone = "America/Los_Angeles"
.htaccess
Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_HOST} !^(www.MindCollar.com)?$ [NC]
RewriteRule (.*) http://www.MindCollar.com/$1 [R=301,L]
<IfModule mod_rewrite.c>
RewriteEngine On
ErrorDocument 404 /errors/404.php
ErrorDocument 403 /errors/403.php
ErrorDocument 500 /errors/500.php
</IfModule>
Options -Indexes
Options +FollowSymlinks
<Files .htaccess>
deny from all
</Files>
thanks for you time
what if you update your database , then redirect user with
header('Location: path_to_MP3');
you have a syntax error:
$query = "UPDATE songs SET song_download=song_download+1 WHER song_linkname='$filename'";
mysql_query($query);
should be
$query = "UPDATE songs SET song_download=song_download+1 WHERE song_linkname='$filename'";
mysql_query($query);
apparently if fails but it is too late for you to see that the error has happened and download begins.
Also, since you are not doing anything with the DB anymore, move this line:
include("closedb.php");
above the headers. It is always safer this way
RewriteEngine On
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
RewriteRule ^(.*)$ index.php?page=$1&%{QUERY_STRING}¶m=%{REQUEST_URI}
use this .htaccess code
Is it possible to protect a single URL through .htaccess? For example I will have website.com/index.php?skin=name. Can I password protect only this url? (with no PHP changes, only .htaccess)
website.com/index.php or website.com/index.php?skin=other_name should not be restricted.
You can rewrite the address to protect it like this:
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/index\.php$
RewriteCond %{QUERY_STRING} ^skin=(name)$
RewriteRule ^(.*)$ /skin/%1 [PT]
<LocationMatch "/skin/name">
AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /path/to/passwords
Require valid-user
</LocationMatch>
You can if you use mod-rewrite to rewrite the address to something else and protect that.
https://serverfault.com/questions/94964/apache-locationmatch-directive
You can't use LocationMatch, even though it would appear that you could.
Your best bet is to do it in PHP. A quick google search later and I found a great way to use PHP_AUTH which looks a lot like the .HTACCESS login prompt
<?php
$login_successful = false;
// check user & pwd:
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])){
$usr = $_SERVER['PHP_AUTH_USER'];
$pwd = $_SERVER['PHP_AUTH_PW'];
if ($usr == 'jonas' && $pwd == 'secret'){
$login_successful = true;
}
}
// login ok?
if (!$login_successful){
// send 401 headers:
// realm="something" will be shown in the login box
header('WWW-Authenticate: Basic realm="Secret page"');
header('HTTP/1.0 401 Unauthorized');
print "Login failed!\n";
}
else {
// show secret page:
print 'you reached the secret page!';
}
Source: http://snippets.dzone.com/posts/show/2006