I want to set different htpasswd for different pages in my website. How can i do that?
Set different htpasswd for different pages in site...
Like example.com/about and example.com/portfolio should have different passwords.
If each page has its own directory, then you can just create a .htaccess page for each one.
However, if they're all on the root, then you might be able to achieve this using an if directive
So for example:
<if "%{HTTP_HOST} == 'example.com/about'">
....
</if>
Then place your authentication code inside the if directive. You could do this for each directory you want to use a different password on.
Related
In my yii project i have Changelog and Licence text files. I know about RBAC and applied it on every Controller but how can i prevent any guest user to view these text files. As till now anyone can view this.
I have used this in my htaccess file
<Files ~ "(.txt)">
Order allow, deny
Deny from all
</Files>
But this is worked for txt file and these files have no extension
You can block access to all the files without extension using this rule in your site root .htaccess or Apache config/vhost file:
RewriteEngine On
# If the request is for a valid file
RewriteCond %{REQUEST_FILENAME} -f
# if there is no extension then block
RewriteRule ^[^.]+$ - [F]
You question is a little board, and so the answer is a little general. but there are a couple approaches;
option 1. remove the Changelog and Licence files? if these are yii install changelog and licence then they dont need to be left on the server. just ensure you complying with the licence requirements.
option 2.
you mentioned "guest user" which htaccess is not going to integrate well with yii for authorized users. you could move the files into a folder with a .htaccess containing a single line Deny from all. this blocks everyone except the PHP executed on your server.
you can now create a method/action in a controller which just echos the file contents. file-get-contents or readfile. wrap this your authentication so only non-guest users are able to use the method.
if there are only two static files, then maybe just an 'action' for each. if its many files that are changing names etc, then you accept an id to the controller pass to a model that uses scandir and checks the file really exists and spits out your output to view.
option 2.1
instead of folder with a .htaccess you could also move the files to the parent of the webhost base dir if you have this access. this means that your webserver can not serve the file, but the php can still reach it with local paths.
option 3
in .htaccess you can use AuthType basic and will invoke your webserver to prompt the user for username and password as configured in the .htaccess. this is problematic as the interface is not user friendly and is very difficult to integrate with your webapps user db.
option 4
.htaccess can support other AuthTypes but option 2 becomes much easier at this point.
I've got an odd redirect request, and I'm not sure if it is possible.
On the server we have a series of PHP files with a name similar to /title-of-the-page-####.php, where #### is an unique integer ID of the page.
I want to be able to redirect users from /#### to the full title of the page (as listed above). Is this possible from within an .htaccess file, and if so, how? (I would like to avoid listing all of the pages from within the .htaccess file)
I have a website example.com with a subdirectory of example.com/admin/, I want to put a .htaccess file in my /admin/ directory so that if I create a link like this Home that it will stay in example.com/admin/ and not go to example.com/.
I know I could just do Home, but want an over all solution where I don't have to do that to all links, encase at a later time I decided to rename the /admin/ directory.
You can not do that with .htaccess. Because it is not on the server that it happens, but in the browser.
But it is possible to redirect some pages, If it is possible to recognize them, for example by name.
You can redirect all admin-xxxx.html pages to admin/admin-xxxx.html
Using Codeigniter I want to make my home.php restricted to only registered users but when I try following
http://127.0.0.1/CodeIgniter_2.1.4/application/views/home.php
I get access to home.php(which is in views).
I thought that CI has some restriction for this type of request but its not.So now how can I solve this.
Should I do this in .htaccess?
OR
I should add php code at the top of home.php which will check for valid session data etc.
http://ellislab.com/codeigniter/user-guide/installation/
For the best security, both the system and any application folders
should be placed above web root so that they are not directly
accessible via a browser. By default, .htaccess files are included in
each folder to help prevent direct access, but it is best to remove
them from public access entirely in case the web server configuration
changes or doesn't abide by the .htaccess.
In your application folder make .htaccess with this:
Deny from all
What are the different approaches to securing a directory?
including an index page so contents can't be viewed
the problem with this is that people can still access the files if they know the filename they're after
including an htaccess file to deny all
this seems to be the best approach, but is there any case that an htaccess file can be passed by? are there any cases as well where htaccess is not available?
restricting folder access
this is also a nice solution, but the problem is, the folder I'm trying to secure should be viewable and writable by the program.
Are there any other ways that folder security can be done?
Best practice for Apache is to use htaccess to restrict - this only restricts from the webserver - but that should be what you need. You can add authentication into this - but for most needs to you can just deny all acess - which hides the directory completely.
Another method that can also work well with using htaccess to deny direct access would be to use htaccess in your route directory to rewrite urls. This means that a request such as /example/listItems/username/ted can be rewritten as a call to a php or other file such as:
/application/index.php?module=listItems&username=ted
The advantage of doing this is that the webserver does not give out paths to any directories so it is much more difficult for people to hack around looking for directories.
If you want to protect a directory of images you could also use htaccess to redirect to a different directory so that /images/image5.png is actually a call to :
/application/images/image5.png
You could also try not placing your protected directory under your www dir but on other "non www visible" location. If your app needs to read / write data, tell it to do it on the other location. Modify its properties so only the app has the proper rights to do so.