My .htaccess currently contains this:
AuthUserFile /var/www/vhosts/mydomain.co.uk/httpdocs/.htpasswd
AuthName "Password Protected"
AuthType Basic
<Files "reports">
Require valid-user
</Files>
This password protects the "reports" page.
The credentials are stored in a .htpasswd file.
I now want to password protect the "admin" directory too.
I want a different username/password for this.
How do I password protect a directory? Also, how do I create a seperate username/password?
You could try using:
Require user <username>
Instead of:
Require valid-user
This will make it only accessible if you login with the name admin and it's apropiate password.
Sources: http://httpd.apache.org/docs/current/howto/auth.html#gettingitwr
Related
I have followed the procedure to the letter and it does not work for me.
The procedure: Create file .htaccess which has the following lines of text.
AuthType Basic
AuthName "restricted area"
AuthUserFile "C:/Apache24/htdocs/protected/.htpasswd"
require valid-user
Next create file .htpasswd which has a username and encrypted password created by http://www.htaccesstools.com/htpasswd-generator/
Next I insert both .ht files into the folder named protected, which is in the folder htdocs.
When I type in the browser address window http://localhost/protected/ and hit enter I get Index of protected and the list of files in it. It never asks for username or password.
See summary above.
AuthType Basic
AuthName "restricted area"
AuthUserFile "C:/Apache24/htdocs/protected/.htpasswd"
require valid-user
i have this htaccess :
AuthType Basic
AuthName " Vip User Only
AuthBasicProvider file
AuthUserFile c:\inetpub\htpasswd
Require valid-user
<FilesMatch ".(jpg|gif|png|tiff|jpeg|html)$">
Allow from any
Satisfy any
</FilesMatch>
i want to remotely read htpasswd from another server ?
e.g : this htpasswd is in Server A and i want too use htaccess in Server B with Server A's htpasswd !
is this possible ?
See the documentation of AuthUserFile
File-path is the path to the user file.
There's no mention of URI anywhere. To the contrary, it advises (rightly!) to make the file inaccessible from the web
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
Otherwise anybody could download the file, and crack all your passwords.
I want to deny all request to the server except some ip's , but those ip's should show the auth dialog. What I have tried is
order deny,allow
deny from all
allow from xxx.xxx.xx.xxx
allow from xxx.xxx.xx.xxx
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Login Required"
Require valid-user
It works fine , but after user login it showing Internal server error(500). Any idea ?
This usually happens when there's something wrong with the AuthUserFile parameter. You can put any random path in your AuthUserFile and apache will be willing to go along with the 401 require auth part just fine. But when it needs to verify the authorization given to it (in your case, via a BASIC mechanism) it needs to actually check the contents of the file, /path/to/.htpasswd. Make sure that you have the correct path to this file and that it contains actual htpasswd data, generated using the htpasswd command or something equivalent.
This is working fine ;-)
order deny,allow
deny from all
deny from all
allow from xx.xx.xx.xx
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Login Required"
Require valid-user
I've this .htaccess to protect a subdomain.
AuthType Basic
AuthUserFile /home/xxx/dev.xxx.com/.htpasswd
AuthName "Dev"
require valid-user
How can I exclude only one file from this protection.
Then this file could be accesible without password protection
You can do this with a Satisfy Any and a special Allow that lets certain requests through without a password check. So in your htaccess file:
SetEnvIf Request_URI ^/protected-dir/no_protect_file.php norequire_auth=true
# Auth stuff
AuthUserFile /home/xxx/dev.xxx.com/.htpasswd
AuthName "Dev"
AuthType Basic
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=norequire_auth
If a request is made for http://your.domain.com/protected-dir/no_protect_file.php, the SetEnvIf matches and the norequire_auth environment variable is set. The auth part checks for it to allow it to pass through without requiring a password.
You could create a new directory outside the password protected one and create a symlink to the file you want to be unprotected and distribute the URL to the non-protected library instead of the protected one.
I push my website to multiple servers where I have different usernames. I want to have a .htaccess file that password protects a file regardless of which server I'm on.
The issue is that AuthUserFile only takes absolute paths, so if I have:
AuthUserFile /home/will/.htpasswd
I get a server error on a box where my username is wjholcomb (and home directory is /home/wjholcomb/).
.htaccess can have multiple AuthUserFile lines:
AuthUserFile /home/will/.htpasswd
AuthUserFile /home/wjholcomb/.htpasswd