I'm working on providing a simple username/password gate for a client's website. I'm using a simple combo of htaccess and htpasswd files to accomplish this.
For right now, I'm only using dummy names and passwords, so, I feel comfortable posting those here.
Login 1: sean
PW 1: CreAgent
Login 2: sally
PW 2: pass
PWs were encrypted using this site (www.htaccesstools.com/htpasswd-generator/).
As you can see, it all works fine at this location.
Here is the code in the .htaccess file at that location:
AuthName "Employees Only"
AuthType Basic
AuthUserFile /home/content/n/i/n/nintemple1/html/login/.htpasswd
require valid-user
And here is the htpasswd file...
sean:[encrypted password - not sure if I should post this!]
sally:[encrypted password - not sure if I should post this!]
Now, that webspace above is my own. So, then I tried to set things up on the client's space. As you can see from that link, it just keeps treating the login as incorrect (offering new attempts) until you hit cancel and then it returns a 401 error. Everything is identical except that I changed the path to the new htpasswd file. So, the new htaccess file is like so...
AuthName "AIM Employees Only"
AuthType Basic
AuthUserFile /home/aimcilco/public_html/JAL/.htpasswd
require valid-user
I know it's possible that the client's space might be configured differently. But, the space where their files are hosted does not have a phone # to contact with questions and I posted on their forum weeks ago with no reply. So, I can't just ask the people who run the server. I do see other htaccess files in their space though, so, I imagine things are at least somewhat configured to handle htaccess.
I will admit that I am out of my depth here. I felt confident setting this up (since I got it working on my own space), but, I don't know enough about how these things work to properly trouble shoot this issue. =\
Thanks in advance and let me know if there is any more info you need from me to best solve this problem!
Related
I am trying to secure a website with an .htaccess file with Apache2. It works well but the message specified with the AuthName line is not visible on Chrome (but it is visible on Firefox !). What should I do to make it visible on Chrome?
Here is my .htaccess file
AuthType Basic
AuthName "Restricted Access"
AuthFile "/etc/apache2/.htpasswd"
Require valid-user
On Firefox the pop-up tells
The site ... is requesting your username and password. The site says: "Restricted Access"
But on Chrome it only tells
Sign in
What should I do to make it visible on Chrome?
There is nothing you can do.
The browser decides whether it wants to display this information to the user in some way, or not.
The phrasing used in the Apache documentation already hints at that (highlights by me) -
https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authname:
The string provided for the AuthName is what will appear in the password dialog provided by most browsers.
https://httpd.apache.org/docs/2.4/howto/auth.html#gettingitworking:
The AuthName directive sets the Realm to be used in the authentication. The realm serves two major functions. First, the client often presents this information to the user as part of the password dialog box. Second, it is used by the client to determine what password to send for a given authenticated area.
Here is a workaround which can give some info for your unlucky visitor, using custom error document feature after the login attempt fails:
Put this line into your .htaccess file:
ErrorDocument 401 YYYY-MM-DDTHHMM-Site-update-under-way-Estimate-30-min
The continuous text seems to get displayed after login fails or is canceled. No dots (.) or colons (:) allowed. Of course it should represent a valid filename, but if the user has no access to public_html due to login fail a file maybe can't be served anyway. If You can serve a proper 401 error page, You can explain the situation there.
(edit 1) Maybe this behaviour is a curiosity in my case with shared hosting. The shared server there seems to be nginx which I guess "is forced" to accept .htaccess directives.
(edit 2) Confirmed this behaviour also with Apache 2.4 server
A friend wants me to implement basic file security on his site that he can look after himself.
I think the simplest option is to put a .htaccess file into the folder he wants to protect and that will redirect all requests to a php file in the root.
The php file will then check if the user is logged in and serve the file or request a fixed shared login password.
It's going ok so far except for two problems.
Firstly I can't get the htaccess file work based on the directory it is located in - I can only manage it by hard coding the directory into the htaccess file.
Secondly, I can get the php file to know the url of the file that was requested.
Any help and pointers would be great!
It sounds like what you are wanting to do can be done a little more easily with an .htpasswd setup.
You will just place this in an .htaccess of the directory you are trying to protect and all of the sub-directories will be protected as well.
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
And then create an .htpasswd file and use a tool like this to generate the credentials.
Alternatively, the way you are suggesting to do it will require the use of either cookies or sessions and here is another question that should help a bit more with setting that up.
I use a free shared php web server for my site. my site's url end was p.ht and for some issues it changed to w.pw
In order to make my site working properly again, by using Notepad++ I used "Find in Files" subwindow which is in ctrl+F popup window. I replaced each occurence of p.ht with w.pw.
My site then started to work properly again with no problem in terms of viewing.
however after this change, after a while I needed to logon my custom admin page (approve comments, articles etc)
I created it with .htaccess with main commands below:
AuthUserFile /home/u999999999/public_html/.htpasswd
AuthName "Log In"
AuthType Basic
Require valid-user
RewriteEngine On
RewriteBase /adminfolder/
just before URLs changed, everything was working on my site properly, I was able to login to my admin account from my firm computer. But know despite the same password and username I can't logon. I changed the password, uploaded new file but again I couldn't logon.
What can be the problem?
my firm firewall, security politics update etc?
A changed php server property in free shared web server?
A ctrl+Replace mistake somehow?
I also entered the password by keyboard and by copy-paste.
Can you please guide me for my situation. Where should I look, what new action can I try in order to detect my failure mode?
best regards
i have a website that need to be unavailable for public.
I cannot test my website locally because lot of contents are depend on databases and images.
At present i am using .htaccess to deny all the people,bots and allow my ip address to use the site. What happens i have a dial-up ADSL modem and my ISP connection is frequently disconnecting. So i need to change the allowed IP address in htaccess frequently.This is terrible.
Is there any other way to overcome this situation. I saw an article to make the site password protected. is it okay or what should i do to overcome this terrible scenario.
Thanks
Yes, password protecting is fine. Follow this guide: http://httpd.apache.org/docs/2.2/howto/auth.html
You need to create an htpasswd file, essentially the file that holds your username and password. If you don't have shell access on your hosting plan, you can go to an online generator and create the file locally and upload it to your hosting site (don't put it in your document root).
Then add this to your htaccess file:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user
You can also whitelist IPs like you did before but you need to add this line:
Satisfy Any
So that your Allow from 123.45.67.89 lines is sufficient and don't need to log in from that IP.
i am an Apache Illiterate person, and i need very simple password protection for a directory using a .htaccess file. very simple one.
i also wonder how tutorials simply tells me "put the .htpasswd file in the path.." i tried to create a .htpasswd file but failed to do that. if someone volunteers to help please keep in mind i use win server 2008 and please consider that my experience in Apache is almost zero.
Use this to generate your htpasswd file: http://www.htaccesstools.com/htpasswd-generator/
You should get a hash back from that and just place that in your htpasswd file. I very strongly suggest that you do not put your htpasswd file in your document root. It would make it accessible via apache.
Edit for clarification:
For example, your apache webserver serves this directory: C:\www\htdocs, and you want to protect this directory with username and password: C:\www\htdocs\secure. You create this .htaccess file and put it in your C:\www\htdocs\secure directory:
AuthType BASIC
# You can choose whatever name you want here
AuthName "Protected"
AuthUserFile C:\www\htpasswd
Require valid-user
You see the C:\www\htpasswd? You need to create that file. Go to that htpasswd-generator link above. Enter a username, enter a password, click on "Create .htpasswd file", the page will give you a text field with your username and a bunch of gibberish. Copy that whole thing and create the file C:\www\htpasswd and paste that into the file.
That's it.
Not sure how much simpler it can get.