Is it possible to make htpasswd usernames and passwords non case sensitive ?
Is the achievable either by some setting in htpasswd / htacess or via the hashing algorithm (we are currently using MD5) ?
Add below but making password non case sensitive is opening a security hole in application.
CheckSpelling on
to your .htaccess file
of course after enabling the RewriteEngine
so the final code will be
RewriteEngine on
CheckSpelling on
I guess it is the best and safest way.
dont forget to change
AllowOverride none
to
AllowOverride All
inside your httpd.conf file, to allow .htaccess files to work correctly.
Related
I want to set different htpasswd for different pages in my website. How can i do that?
Set different htpasswd for different pages in site...
Like example.com/about and example.com/portfolio should have different passwords.
If each page has its own directory, then you can just create a .htaccess page for each one.
However, if they're all on the root, then you might be able to achieve this using an if directive
So for example:
<if "%{HTTP_HOST} == 'example.com/about'">
....
</if>
Then place your authentication code inside the if directive. You could do this for each directory you want to use a different password on.
In my yii project i have Changelog and Licence text files. I know about RBAC and applied it on every Controller but how can i prevent any guest user to view these text files. As till now anyone can view this.
I have used this in my htaccess file
<Files ~ "(.txt)">
Order allow, deny
Deny from all
</Files>
But this is worked for txt file and these files have no extension
You can block access to all the files without extension using this rule in your site root .htaccess or Apache config/vhost file:
RewriteEngine On
# If the request is for a valid file
RewriteCond %{REQUEST_FILENAME} -f
# if there is no extension then block
RewriteRule ^[^.]+$ - [F]
You question is a little board, and so the answer is a little general. but there are a couple approaches;
option 1. remove the Changelog and Licence files? if these are yii install changelog and licence then they dont need to be left on the server. just ensure you complying with the licence requirements.
option 2.
you mentioned "guest user" which htaccess is not going to integrate well with yii for authorized users. you could move the files into a folder with a .htaccess containing a single line Deny from all. this blocks everyone except the PHP executed on your server.
you can now create a method/action in a controller which just echos the file contents. file-get-contents or readfile. wrap this your authentication so only non-guest users are able to use the method.
if there are only two static files, then maybe just an 'action' for each. if its many files that are changing names etc, then you accept an id to the controller pass to a model that uses scandir and checks the file really exists and spits out your output to view.
option 2.1
instead of folder with a .htaccess you could also move the files to the parent of the webhost base dir if you have this access. this means that your webserver can not serve the file, but the php can still reach it with local paths.
option 3
in .htaccess you can use AuthType basic and will invoke your webserver to prompt the user for username and password as configured in the .htaccess. this is problematic as the interface is not user friendly and is very difficult to integrate with your webapps user db.
option 4
.htaccess can support other AuthTypes but option 2 becomes much easier at this point.
I'm working in a password protected directory. "Quicktime" + "Safari" + "AuthType Basic" are doing there best to challenge me (and winning). I've managed to implement a solution via htaccess but I would like to improve the security.
I now have a secure folder with basically public .mov files inside.
I've implemented:
AuthUserFile /var/www/ht/.htpasswdblabla
AuthName Protected
AuthType Basic
require valid-user
Options +FollowSymlinks
RewriteEngine on
<FilesMatch mov>
Satisfy any
order allow,deny
allow from all
</FilesMatch>
What I would like to do is only "satisfy any..." based on a relative request and "require valid-user" for any fully qualified/absolute request. This would allow the pages quictime/video object to access the files freely, but anyone linking to the file would need a password.
../movie.mov (would satisfy...)
movie.mov (would satisfy...)
http://basedomain.com/protected_folder/movie.mov (require valid-user)
Any help or a point in the right direction would be greatly appreciated.
Help me Obi Wan Kenobi, you're my only hope.
If I understand your question correctly, this is not possible. It is possible to write relative links into your code, but the browser is always making an absolute request so it is not possible for Apache to differentiate a relative link from any other.
You might look into allow/deny based on the request referrer. I am not sure how reliable that is, and it could be easily spoofed...but it might prevent casual attempts.
Problem is similar to trying to prevent others from deep-linking your images. There are different strategies, but often more trouble than they are worth.
I need to password protect a couple of entries on a site. It is easy to do at the template level but this is at the entry level. I am running Expression Engine.
I tried setting up an htaccess file but it is not yet effective.
It is like this:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/server/.htpasswds/.htpasswd
AuthGroupFile /dev/null
<Files template_group/entry_name>
require valid-user
</Files>
Where template_group is the name of the actual template_group and entry_name is the actual name of the entry.
Any assistance will be appreciated.
Thanks.
While ExpressionEngine provides its own means for Template Access Restriction to password-protect pages and templates — including handling .htaccess Apache Basic HTTP Authentication — there are situations where you might not want to, or are unable, to use it:
For example, the Freelancer Version of ExpressionEngine doesn't include the Member Management Module, so the Template Preferences Manager doesn't offer Access Restrictions.
Also, if you elect to use ExpressionEngine's HTTP Authentication, only users with member accounts [in ExpressionEngine] will be able to login, since EE uses its local member database for authentication.
If you're the DIY type, you can modify your httpd.conf to limit and password-protect access to ExpressionEngine pages, entries and templates.
This technique works by:
Editing Apache's httpd.conf
Creating .htpasswd or .htgroup files
Specifying the URL(s) to Protect
Note: Since we are attempting to match objects at the URL level and not the physical filesystem, we must use a <Location> or <LocationMatch> directive1.
Put the following in your server's httpd.conf or vhost.conf file:
<LocationMatch "^/private">
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/website/.htpasswd
AuthGroupFile /dev/null
Require valid-user
</LocationMatch>
Be sure to change the values of the directive to your liking and your hosting environment.
If you haven't already, create the .htpasswd password file to encrypt the desired passwords, either using the command line or an Online .htaccess Password Generator:
htpasswd -c /path/to/website/.htpasswd username
If the htpasswd command is not in your Unix path, you'll have to type the full path to the file to get it to run. On my server, it would be:
/usr/sbin/htpasswd -c /path/to/website/.htpasswd username
Then, htpasswd will ask you for the user's password, and ask you to type it again to confirm:
# htpasswd -c /path/to/website/.htpasswd username
New password: changeme
Re-type new password: changeme
Adding password for user username
With everything in place and working, any request to /private* will be handled by Apache before it's routed to ExpressionEngine.
Voilà — Apache password-protected directories working in harmony with ExpressionEngine (or any CMS really, such as WordPress, MovableType or TextPattern).
The context of the <Location> directive specifies that it can only be used in server config and virtual host configuration files. This means we can't put the rules in a .htaccess file, otherwise Apache will throw a 500 Internal Server Error with the description "Location not allowed here".
If you are attempting to match objects at the URL level, you must use <Location>
If you are attempting to match objects at the filesystem level, you must use <Directory> and/or <Files>
I answered two similar questions on this subject that may be of benefit to you.
Nevertheless, there are several ways to password-protect pages in an ExpressionEngine site:
Template Preferences Manager
Conditional Global Variables
Third-Party Add-Ons
By far the easiest solution to your situation is to use the built-in Template Preferences Manager in the ExpressionEngine Control Panel and assign the "private" entries to a template that requires authentication.
A third-party add-on such as Entry Access by Yuri Salimovskiy of IntoEEtive may aide in your benefit. Entry Access enables you to restrict front-end access to certain channel entries for certain members or member group.
I need to protect a clients CMS with a username and password, only one username is needed. I was going to use htaccess because its so quick to add.
I'll be adding it using the password directories feature in WHM which stores the passwords here:
AuthUserFile "/home/username/.htpasswds/public_html/cms/passwd"
How secure is this? Are there ways to get into folders such as .htpasswds?
Straight from Apache's documentation
The most common method is Basic, and this is the method implemented by mod_auth_basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl. Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Most recent browsers support Digest authentication.
Please read the rest HERE
Please read the comments, things have changed since 2011. Good catch #reve_etrange
You should deny access to the folder that contains passwd files
<Directory /home/*>
Order allow,deny
Deny from all
Satisfy all
</Directory>
also don't forget that http traffic can be captured, so it won't suit for financial transactions.
As long as you set up the proper restrictions in your httpd.conf file to block external requests for .htaccess, and .htpasswd you should be okay.
You can block external requests (in Apache) with the following directives:
# The following code hides .htaccess and .htpasswd files from sites visitors.
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>