AuthUserFile in htaccess can be url? - .htaccess

i have this htaccess :
AuthType Basic
AuthName " Vip User Only
AuthBasicProvider file
AuthUserFile c:\inetpub\htpasswd
Require valid-user
<FilesMatch ".(jpg|gif|png|tiff|jpeg|html)$">
Allow from any
Satisfy any
</FilesMatch>
i want to remotely read htpasswd from another server ?
e.g : this htpasswd is in Server A and i want too use htaccess in Server B with Server A's htpasswd !
is this possible ?

See the documentation of AuthUserFile
File-path is the path to the user file.
There's no mention of URI anywhere. To the contrary, it advises (rightly!) to make the file inaccessible from the web
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
Otherwise anybody could download the file, and crack all your passwords.

Related

Symfony2 simple .htaccess password protect for dev purpose

I would like to use a .htaccess file to protect my symfony2 website while developing it.
I added the following line at the beginning of my .htaccess located in /web and a .htpasswd file just next with my password.
AuthName "Développement"
AuthType Basic
AuthUserFile ".htpasswd"
Require valid-user
I have a Error 500 when I try to access my website. Is it possible to use a htaccess in my case ? What should I use if it is not posible ?
Assuming the 500 error is caused by these directives, the most likely reason is the path to .htpasswd. AuthUserFile says
The AuthUserFile directive sets the name of a textual file containing the list of users and passwords for user authentication. File-path is the path to the user file. If it is not absolute, it is treated as relative to the ServerRoot.
So either use an absolute path (e.g. /var/www/.htpasswd) or add the complete path starting from your document root (e.g. web/.htpasswd).
Also note the last section in AuthUserFile
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
This means, store the auth file somewhere else, like /etc/apache2/htpasswd.

.htaccess/.htpasswd Protection for file doesn't work

I have a problem for which I have not yet found any solution.
I want to make a file a accessible via .htaccess/.htpasswd. So I created this file and put it into a subfolder at my we bapplication:
AuthType Basic
AuthName "Username"
AuthUserFile /var/www/.htpasswd
require valid-user
The access protection for the subfolder works, but not for the file in this.
I'm looking forward for any hint or help.
Thx!

How to exclude term in .htaccess file using FilesMatch?

So I've been trying to set up a more specific .htaccess file for a few hours now and I just don't understand what's going on.
Setup: several php files for operation, we can simplify it to 'index.php' and 'open.php' and 'upload.php'; then there are uploaded files, we don't know their names nor how many there will ever be.
What I want: There's two different users. Let's call them 'cUser' and 'oUser'. cUser is allowed to access any file. oUser is only allowed to access open.php and the uploaded files.
What I did: Here's my .htaccess file:
AuthType Basic
AuthName "Download"
AuthUserFile /[...]/.htusers
followed by
<FilesMatch "[^(open\.php)]$">
Require user cUser
</FilesMatch>
or
<FilesMatch "!(open\.php)">
Require user cUser
</FilesMatch>
and many other different attempts. I expected to require cUser for any file other than oUser with what I did and wanted to go from there, but I never got it to work. What am I doing wrong? As soon as I added a '!' whereever no file needed authentification anymore and with the [^] expression it went wild and some files where accessible while others weren't, by no pattern that I would recognize. So how do I do a 'NOT' in a FilesMatch?
The easiest way to do this is to add a new subdirectory for the uploaded files. This is the best way to handle uploaded files anyway, instead of loading them in the same directory as the php files. Now there's a htaccess file in the main directory:
AuthType Basic
AuthName "Download"
AuthUserFile /[...]/.htusers
Require user cUser
<FilesMatch "open.php">
Require user cUser oUser
</FilesMatch>
and a second htaccess file in the directory for the uploads:
AuthType Basic
AuthName "Download"
AuthUserFile /[...]/.htusers
Require user cUser oUser

problem protecting a directory using .htaccess

I have created a .htaccess and .htpasswd files, and stored them in the folder I want to protect and when I navigated to that folder, I was asked for the username and passowrd (stored in the .htpasswd file) after entering the username and password, I got a 500 Internal server error. I have used the files on both localhost (windows) and on a web server (linux I guess) both gave the same result mentioned.
this is my .htaccess file:
<Files ~ "^\.(htaccess|htpasswd)$">
deny from all
</Files>
AuthUserFile /.htpasswd
AuthGroupFile /dev/null
AuthName "Please enter your ID and password"
AuthType Basic
require valid-user
order deny,allow
I doubt that your .htpasswd file is really located at the very root of the server's filesystem along with /bin, /usr, /home, and others (rather than inside the part of the filesystem served to web browsers).
According to Apache documentation (1, 2), AuthUserFile expects a file path (as if you were in ServerRoot, usually /usr/apache or similar, and trying to locate the file from the Unix shell). It cannot be a URL, either absolute or relative. Correct your .htpasswd file path accordingly.
Note that if possible, you shouldn't put the .htpasswd file inside a public_html or htdocs folder, because any configuration error could not only allow unauthorized access to the files you want to protect but also the authorized usernames and hashed passwords.
Use an absolute hosting path, eg:
/home/content/14/5267714/html/.htpasswd

How to remove .htaccess password protection from a subdirectory

I have password protected my entire website using .htaccess but I would like to expose one of the sub directories so that it can be viewed without a password.
How can I disable htaccess password protection for a sub directory? Specifically what is the .htaccess syntax.
Here is my .htaccess file that is placed in the root of my ftp.
AuthName "Site Administratrion"
AuthUserFile /dir/.htpasswd
AuthGroupFile /dev/null
AuthName secure
AuthType Basic
require user username1
order allow,deny
allow from all
You need to create a new .htaccess file in the required directory and include the Satisfy any directive in it like so, for up to Apache 2.3:
# allows any user to see this directory
Satisfy Any
The syntax changed in Apache 2.4, this has the same effect:
Require all granted
Adding to RageZ's answer, I used this in the Server Directives:
<Directory /var/www/protected/>
AuthType Basic
AuthName "Production"
AuthUserFile /path/to/.htpasswd
Require valid-user
</Directory>
<Directory /var/www/protected/unprotected>
Satisfy Any
</Directory>
Awesome. Thanks RageZ!
Simply create a new .htaccess in the desired subdirectory with this directive:
Allow from all
You can restrict to your IP only with :
Allow from x.x.x.x
See : http://httpd.apache.org/docs/current/mod/mod_access_compat.html
Here is a way to allow subdirectory "foo" through the basic authentication from the main .htaccess file on a site:
AuthType Basic
AuthName "Password Required"
AuthUserFile /dir/.htpasswd
Require expr %{REQUEST_URI} =~ m#^/foo/#
Require valid-user
Note: This works in Apache 2.4. I have not confirmed for earlier versions.
You need to add another .htaccess file to the subdirectory that overrides the authentication. .htaccess cascades upwards, i.e. it will look in the current folder, then go up a level and so on.
If you want to prevent any specific directoty from htaccess authentication then you can use following code in your htaccess file at top.
AuthType Basic
AuthName "Enter Pass"
AuthUserFile /home/public_html/.htpasswd /*PATH TO YOUR .htpasswd FILE*/
Require valid-user
SetEnvIf Request_URI "(/DIRECTORY_NAME/)$" allow
Order allow,deny
Allow from env=allow
Also If you want to prevent multiple directories then
add
SetEnvIf Request_URI "(/DIRECTORY_NAME/)$" allow
as many time as many directories, you want to remove from htaccess prevention.

Resources