A htaccess protected subdirectory of my website somehow has been indexed (months ago) by google. I had to add this directory to robots.txt but I don't want the protected url to be visible in robots.txt anymore.
I switched this directory to a new name and it won't probably be indexed again as it's not referenced anywhere but... just in case, I would like to add a noindex to it.
I added to my subdirectory .htaccess
Header set X-Robots-Tag "noindex"
It's working fine when I disable htaccess protection (I get the noindex header response). As soon as I add the protection
AuthType basic
AuthName "Restricted Area"
AuthUserFile /path/to/.htpassword
Require user admin
and simulate an error by hitting cancel on the authentication window, I get a 401 error and no "noindex" header.
Should I find a way to add a noindex on the 401 error page or is there an other way to manage that?
Related
I have a very strange problem with password protection in a subdomain. I use a subdomain test.example.com, and in order to avoid duplicate content issues, and to keep the test site private, I have added these lines on top in .htaccess for this test site to prompt users:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /home/httpd/mydomain/test.example.com/.htpasswd
Require valid-user
This authentication solution has worked for years, but now suddenly when accessing the main domain example.com, the user is prompted with a dialog that demands authentication. The message is that test.example.com demands authentication. So the password protection in the test site affects the main domain site.
To grant access for all users to the main site again, I have commented out the relevant lines in .htaccess for the test site.
To be clear I should also mention that I am not talking about a redirection to the test site. When accessing the main site, this is also where the user ends up. But the password prompt still refers to the test site.
On the server no changes has been made to the vhosts in a long time.
So how can the password protection in the .htaccess file in the test site affect the main domain site? Seems impossible to me. But yet this is what happens.
The site is built with Drupal 7 and is updated to the latest version. The only change in recent time is a Drupal update (7.82).
I am trying to deny access to my pdfs directory so others cannot access the pdf files in that dir by trying something like www.example.com/pdfdir/test.pdf
Here is my .htaccess:
AuthType Basic
AuthName "Administrator"
AuthUserFile /home3/nimabida/public_html/power-plant/src/.htpasswd
Require valid-user
its ok for denying other request but now the problem is i cant show these files in my website and it require user/password there too! how can i show them without login?
You can't reliably block access to a directory if you want to be able to link directly to these files on your site and have them available to your users.
The "best" you can do is to check the Referer HTTP request header to make sure the user is following a link on your site and not typing the URL directly (ie. no Referer) or following a link from a 3rd party site. (But note that this is unreliable - see below.)
For example, in the /pdfdir/.htaccess file:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/
RewriteRule ^ - [F]
Where example.com is your site's domain. This blocks any request that does not originate from your site. (Commonly referred to as "hotlink" protection.)
However, this is unreliable. A determined user can easily fake the Referer header to gain access to these files and some legitimate users may not send the Referer header so will be blocked.
The only way to reliably block unauthorised access is to use some kind of authorisation (username/password). But in this case, the files would ideally be stored outside of the document root and served to the client by your script once the user has been authenticated.
I am trying to secure a website with an .htaccess file with Apache2. It works well but the message specified with the AuthName line is not visible on Chrome (but it is visible on Firefox !). What should I do to make it visible on Chrome?
Here is my .htaccess file
AuthType Basic
AuthName "Restricted Access"
AuthFile "/etc/apache2/.htpasswd"
Require valid-user
On Firefox the pop-up tells
The site ... is requesting your username and password. The site says: "Restricted Access"
But on Chrome it only tells
Sign in
What should I do to make it visible on Chrome?
There is nothing you can do.
The browser decides whether it wants to display this information to the user in some way, or not.
The phrasing used in the Apache documentation already hints at that (highlights by me) -
https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authname:
The string provided for the AuthName is what will appear in the password dialog provided by most browsers.
https://httpd.apache.org/docs/2.4/howto/auth.html#gettingitworking:
The AuthName directive sets the Realm to be used in the authentication. The realm serves two major functions. First, the client often presents this information to the user as part of the password dialog box. Second, it is used by the client to determine what password to send for a given authenticated area.
Here is a workaround which can give some info for your unlucky visitor, using custom error document feature after the login attempt fails:
Put this line into your .htaccess file:
ErrorDocument 401 YYYY-MM-DDTHHMM-Site-update-under-way-Estimate-30-min
The continuous text seems to get displayed after login fails or is canceled. No dots (.) or colons (:) allowed. Of course it should represent a valid filename, but if the user has no access to public_html due to login fail a file maybe can't be served anyway. If You can serve a proper 401 error page, You can explain the situation there.
(edit 1) Maybe this behaviour is a curiosity in my case with shared hosting. The shared server there seems to be nginx which I guess "is forced" to accept .htaccess directives.
(edit 2) Confirmed this behaviour also with Apache 2.4 server
I'm trying to password protect a webpage, say index.html that's located at mysite.com/mysubfolder/index.html. How I've done this, is I've placed both a .htaccess and a .htpasswd file in the directory public_html/mysubfolder/, with .htacess containing the following:
AuthName "Secure Area"
AuthType Basic
AuthUserFile /public_html/mysubfolder/.htpasswd
Require valid-user
Now, when I type in www.mysite.com/mysubfolder into the address bar, I get the prompt to type in the user name and password, which I do, with the credentials that generated my .htpasswd file. But when I do, an empty page shows up - no error or warning, just a white page. I have other folders inside this directory, and for them too nothing shows up, when I try to access them directly through the address bar. When I click View Page Source, all I see is
<!-- SHTML Wrapper - 500 Server Error -->
I have no idea what to do now. I want everyone who types in that webpage or clicks through a link to it (mysite.com/mysubfolder/index.html or mysite.com/mysubfolder)to have to type in the specific credentials I have chosen. Am I doing something wrong? Maybe there is a better way? Thanks in advance.
Okay, so I'm protecting a webpage with a basic .htaccess/.htpasswd combination.
My .htaccess file looks something like this:
DirectoryIndex index.php
AuthUserFile HOMEDIRECTORY/.htpasswd
AuthName "Restricted Area"
AuthType Basic
require valid-user
Everything works fine under Firefox, but Chrome gives this message. I've tested this on multiple computers.
Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Any idea where Chrome is going wrong?
If you are using a frame redirection between different domains Chrome will not show the login prompt. Use an HTTP 302 or 301 redirection instead.