I have a single site, which I want to protect. It's /phpinfo on the website.
There are several redirects. My apache file looks like this:
RewriteEngine On
... A list of RewriteRules
RewriteRule ^(phpinfo)$ index.php?controller=$1
index.php takes controller as an argument and includes the specific site that is viewed.
I use basic authentication like this on several places already, which works fine:
AuthUserFile /var/www/....../.htpasswd
AuthGroupFile /dev/null
AuthName "Protected content"
AuthType Basic
<Limit GET>
require valid-user
</Limit>
But, the question is how can I limit this basic authentication to /phpinfo on the server, so only this site is protected? Ideally the AuthUserFile points to a relative directory so I can deploy this on the live server without needing to change this path.
A solution using PHP and not htaccess. It's simple yet effective.
if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER'] != Config::AdminUser || $_SERVER['PHP_AUTH_PW'] != Config::AdminPassword)
{
header('WWW-Authenticate: Basic realm="Protected content"');
header('HTTP/1.0 401 Unauthorized');
die('Protected content');
}
Related
I have set up an FTP connection via ShareX to upload my screenshots to my own ftp.
So my screenshots are accessible at the url 'screenshots.mydomain.fr/myscreenshothash.png'.
And that's cool!
But according to the url 'screenshots.mydomain.fr' you can see the list of all my screenshots (the page Index of). And I'd like to block this page via an htpasswd without blocking access to the files ('screenshots.mydomain.fr/myscreenshothash.png')
What can I do?
My current .htaccess
AuthUserFile /home/XXL /.htpasswd
AuthGroupFile /dev/null
AuthName "Accès Restreint"
AuthType Basic
require valid-user
For the moment I have added a
Options -Indexes
in my htaccess to prevent access to the index of page and I made a listing of my files in a index.php files placed in a subfolder (in which I put the htaccess with htpasswd)
I am using AuthType Basic to restrict access to a test environment. There's nothing sensitive there -it's just to keep spiders away.
I'd like to test a Webhook and to do so I need to expose a single page.
The start of my .htaccess follows:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /var/www/some_domain_dot_com/public_html/.htpasswd
AuthGroupFile /dev/null
require valid-user
It is after this that the RewriteRules are in place so I don't think I can redirect for this specific page request.
How to I tell .htaccess not to request authentication for a single page only?
I have a problem with my htaccess protection. First lets have a look at the sourcecode. This is the htaccess. Note: I don´t have a htaccess in the parent folder, so there is no protection from a parent element.
AuthType Basic
AuthName "Login"
AuthUserFile /fullPath/protection/.htpasswd
AuthGroupFile /fullPath/protection/.htgroup
require user devju
<Limit GET>
require valid-user
</Limit>
Ok, so this is the htpasswd in the protection directory:
devju:anfxCAFkVCb9E
and this is the htgroup (but it is irrelevant to the example):
superadmin: devju
Ok the problem is that sometimes, and currently permanent, the auth-dialog doesn´t appear and the client will redirected to the ErrorDocument 401. So why is that so? Do I have a wrong configuration or something else? I didn´t changed anything in the settings.
Note: Currently I don´t have enough points to comment, so I can´t answer to questions :(
Try
AuthType Basic
AuthName "Login"
AuthUserFile /fullPath/protection/.htpasswd
require valid-user
I have a domain, mattpotts.com and have set up a sub-domain dev.mattpotts.com for me to develop on and will then copy the files to the normal domain when they're ready to go.
My directory structure is as follows and dev.mattpotts.com points to dev/
+-public_html/
+-project1/
+-project2/
+-project3/
+-dev/
+-project1
+-project2
+-project3
I basically want to be able to go from http://mattpotts.com/project1 to https://dev.mattpotts.com/project1 by adding dev..
I have the following .htaccess in dev/ and it works, all this needs to do is force https.
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} dev
RewriteRule ^(.*)$ https://dev.mattpotts.com$1 [R,L]
I want to force https so that I can securely use http auth on the directory. However, when I combine it with the following rules, it doesn't work. I have my .htpasswd set up but I've not even had the login form show up yet.
AuthType Basic
AuthName "Dev Protected Area"
AuthUserFile .htpasswd
Require valid-user
How can I successfully combine the to set of .htaccess rules?
Edit, very strange things are happening!
https://dev.mattpotts.com/project1/ displays 'hello!' from non dev version of site (note https)
http://dev.mattpotts.com/project1/ displays 'hello dev!' (as desired) from dev version. What's going on here?!
You've told us where your .htaccess file is, but you haven't told us where your .htpasswd file is. According to the Apache documentation on AuthUserFile:
Syntax: AuthUserFile file-path
File-path is the path to the user
file. If it is not absolute (i.e., if
it doesn't begin with a slash), it is
treated as relative to the ServerRoot.
So in other words, it is looking for the .htpasswd in somewhere like /etc/apache2/.htpasswd. So either move your .htpasswd file there, or make your directive contain an absolute path to the file, e.g.:
AuthType Basic
AuthName "Dev Protected Area"
AuthUserFile /home/mattpots.com/public_html/dev/.htpasswd
Require valid-user
However, for security reasons, I highly recommend keeping your .htpasswd file outside of your document root.
These issues should be independent of each other: do I understand correctly that the "force HTTPS" part works?
That said, AuthUserFile .htpasswd may be looking for .htpasswd in the wrong place. The easiest fix is to put the full path and name there, e.g. AuthUserFile /home/matt/www/public_html/dev/.htpasswd (or wherever you have the dev directory).
I have password protected my entire website using .htaccess but I would like to expose one of the sub directories so that it can be viewed without a password.
How can I disable htaccess password protection for a sub directory? Specifically what is the .htaccess syntax.
Here is my .htaccess file that is placed in the root of my ftp.
AuthName "Site Administratrion"
AuthUserFile /dir/.htpasswd
AuthGroupFile /dev/null
AuthName secure
AuthType Basic
require user username1
order allow,deny
allow from all
You need to create a new .htaccess file in the required directory and include the Satisfy any directive in it like so, for up to Apache 2.3:
# allows any user to see this directory
Satisfy Any
The syntax changed in Apache 2.4, this has the same effect:
Require all granted
Adding to RageZ's answer, I used this in the Server Directives:
<Directory /var/www/protected/>
AuthType Basic
AuthName "Production"
AuthUserFile /path/to/.htpasswd
Require valid-user
</Directory>
<Directory /var/www/protected/unprotected>
Satisfy Any
</Directory>
Awesome. Thanks RageZ!
Simply create a new .htaccess in the desired subdirectory with this directive:
Allow from all
You can restrict to your IP only with :
Allow from x.x.x.x
See : http://httpd.apache.org/docs/current/mod/mod_access_compat.html
Here is a way to allow subdirectory "foo" through the basic authentication from the main .htaccess file on a site:
AuthType Basic
AuthName "Password Required"
AuthUserFile /dir/.htpasswd
Require expr %{REQUEST_URI} =~ m#^/foo/#
Require valid-user
Note: This works in Apache 2.4. I have not confirmed for earlier versions.
You need to add another .htaccess file to the subdirectory that overrides the authentication. .htaccess cascades upwards, i.e. it will look in the current folder, then go up a level and so on.
If you want to prevent any specific directoty from htaccess authentication then you can use following code in your htaccess file at top.
AuthType Basic
AuthName "Enter Pass"
AuthUserFile /home/public_html/.htpasswd /*PATH TO YOUR .htpasswd FILE*/
Require valid-user
SetEnvIf Request_URI "(/DIRECTORY_NAME/)$" allow
Order allow,deny
Allow from env=allow
Also If you want to prevent multiple directories then
add
SetEnvIf Request_URI "(/DIRECTORY_NAME/)$" allow
as many time as many directories, you want to remove from htaccess prevention.