How to exclude term in .htaccess file using FilesMatch? - .htaccess

So I've been trying to set up a more specific .htaccess file for a few hours now and I just don't understand what's going on.
Setup: several php files for operation, we can simplify it to 'index.php' and 'open.php' and 'upload.php'; then there are uploaded files, we don't know their names nor how many there will ever be.
What I want: There's two different users. Let's call them 'cUser' and 'oUser'. cUser is allowed to access any file. oUser is only allowed to access open.php and the uploaded files.
What I did: Here's my .htaccess file:
AuthType Basic
AuthName "Download"
AuthUserFile /[...]/.htusers
followed by
<FilesMatch "[^(open\.php)]$">
Require user cUser
</FilesMatch>
or
<FilesMatch "!(open\.php)">
Require user cUser
</FilesMatch>
and many other different attempts. I expected to require cUser for any file other than oUser with what I did and wanted to go from there, but I never got it to work. What am I doing wrong? As soon as I added a '!' whereever no file needed authentification anymore and with the [^] expression it went wild and some files where accessible while others weren't, by no pattern that I would recognize. So how do I do a 'NOT' in a FilesMatch?

The easiest way to do this is to add a new subdirectory for the uploaded files. This is the best way to handle uploaded files anyway, instead of loading them in the same directory as the php files. Now there's a htaccess file in the main directory:
AuthType Basic
AuthName "Download"
AuthUserFile /[...]/.htusers
Require user cUser
<FilesMatch "open.php">
Require user cUser oUser
</FilesMatch>
and a second htaccess file in the directory for the uploads:
AuthType Basic
AuthName "Download"
AuthUserFile /[...]/.htusers
Require user cUser oUser

Related

Add basic auth (htpasswd) on the "index of" view but not on individual files

I have set up an FTP connection via ShareX to upload my screenshots to my own ftp.
So my screenshots are accessible at the url 'screenshots.mydomain.fr/myscreenshothash.png'.
And that's cool!
But according to the url 'screenshots.mydomain.fr' you can see the list of all my screenshots (the page Index of). And I'd like to block this page via an htpasswd without blocking access to the files ('screenshots.mydomain.fr/myscreenshothash.png')
What can I do?
My current .htaccess
AuthUserFile /home/XXL /.htpasswd
AuthGroupFile /dev/null
AuthName "Accès Restreint"
AuthType Basic
require valid-user
For the moment I have added a
Options -Indexes
in my htaccess to prevent access to the index of page and I made a listing of my files in a index.php files placed in a subfolder (in which I put the htaccess with htpasswd)

AuthUserFile in htaccess can be url?

i have this htaccess :
AuthType Basic
AuthName " Vip User Only
AuthBasicProvider file
AuthUserFile c:\inetpub\htpasswd
Require valid-user
<FilesMatch ".(jpg|gif|png|tiff|jpeg|html)$">
Allow from any
Satisfy any
</FilesMatch>
i want to remotely read htpasswd from another server ?
e.g : this htpasswd is in Server A and i want too use htaccess in Server B with Server A's htpasswd !
is this possible ?
See the documentation of AuthUserFile
File-path is the path to the user file.
There's no mention of URI anywhere. To the contrary, it advises (rightly!) to make the file inaccessible from the web
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
Otherwise anybody could download the file, and crack all your passwords.

Modify access to .htaccess to restrict directories based on user auth

Currently I have .htaccess to require user auth in order to proceed.
I'm trying to find a solution to restrict users from navigating to other /directory/ than the one assigned to their username (haven't figured out how to do it, yet).
AuthType Basic
AuthName "Welcome!"
AuthUserFile /home/public_html/.htpasswd
Require valid-user
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
Satisfy Any
<FilesMatch "^.(htaccess|htpasswd)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Any ideas?
Thank you!
you can simply do like : create a .htaccess file
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
AuthType Basic
Require valid-user
Order Allow,Deny
Deny from all
Allow from X.X.X.X/16
Satisfy Any
if you have multiple file of .htpasswd then you can give multiple entry in .htaccess file like
AuthUserFile /home/will/.htpasswd
AuthUserFile /home/jone/.htpasswd
or
create .htaccess file and put in directory that you want to allow . if you want to allow multiple directory then copy that .htaccess file in all directory . if you want deferent user can access different directory then edit .htaccess file of that particular directory . i think it will work for you . for more info here

.htaccess - Password in one folder, excepting all sub-folders

I have a folder named "adminhide", wich is inside the folder "forum" and which should be password protected. In the folder "adminhide", I have more than 50 sub-folders and all those sub-folders should not be password protected.
The .htaccess file should be placed in the folder "adminhide", or in the folder "forum".
Example:
forum/adminhide: protected
forum/adminhide/js: unprotected
forum/adminhide/js/something: unprotected
forum/adminhide/images: unprotected
forum/adminhide/something: unprotected
Here is what I have now:
AuthType Basic
AuthName "admin"
AuthUserFile "/home/xgclanco/.htpasswds/public_html/xg-clan.pt/forum/adminhide/passwd"
require valid-user
You could do this by placing a .htaccess file in the subdirectories that you want to exclude with the "Allow from all" directive.
.htaccess works down from the current directory, so if you included .htaccess in a subdirectory containing:
Allow from all
You will get the desired result.
You could also achieve this by specifying just the individual files you would like to protect in the adminhide folder by doing this in your htaccess file:
AuthUserFile "/home/xgclanco/.htpasswds/public_html/xg-clan.pt/forum/adminhide/passwd"
AuthName "admin"
AuthType Basic
<Files "index.php">
require valid-user
</Files>
All subfolders below the one you put your .htaccess-file in are automaticly protected. I think there is no way to change that.
So you either have to change your folder structure or put the stuff you want to pretect somewhere else.

problem protecting a directory using .htaccess

I have created a .htaccess and .htpasswd files, and stored them in the folder I want to protect and when I navigated to that folder, I was asked for the username and passowrd (stored in the .htpasswd file) after entering the username and password, I got a 500 Internal server error. I have used the files on both localhost (windows) and on a web server (linux I guess) both gave the same result mentioned.
this is my .htaccess file:
<Files ~ "^\.(htaccess|htpasswd)$">
deny from all
</Files>
AuthUserFile /.htpasswd
AuthGroupFile /dev/null
AuthName "Please enter your ID and password"
AuthType Basic
require valid-user
order deny,allow
I doubt that your .htpasswd file is really located at the very root of the server's filesystem along with /bin, /usr, /home, and others (rather than inside the part of the filesystem served to web browsers).
According to Apache documentation (1, 2), AuthUserFile expects a file path (as if you were in ServerRoot, usually /usr/apache or similar, and trying to locate the file from the Unix shell). It cannot be a URL, either absolute or relative. Correct your .htpasswd file path accordingly.
Note that if possible, you shouldn't put the .htpasswd file inside a public_html or htdocs folder, because any configuration error could not only allow unauthorized access to the files you want to protect but also the authorized usernames and hashed passwords.
Use an absolute hosting path, eg:
/home/content/14/5267714/html/.htpasswd

Resources