Allow access to website only from a specific URL - .htaccess

I have got a client who I did a great website for a year or so ago; however, he has just sold his business, and as part of the deal he wants me to take the website down. He has, however, agreed to allow me to use the website on my portfolio, so I essentially want to be able to block all entries except entries from my domain name. Is this possible? I was thinking the best solution would be .htaccess, but I am not the best at .htaccess, so any advice would be awesome.

Something like this should work. Put it in the directory that requires the denial.
I would suggest an alternative method though; perhaps moving the site to your own server.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName OnlyFromUNO
<Limit GET>
order deny,allow
deny from all
allow from .domain.com
</Limit>

Related

htaccess for download directory

I have a folder where I want to keep some downloadable items, but I don't want people to be able to navigate directly to that URL. I set up htaccess so that it is password protected, which works fine. The problem is I want a user to be able to click a download link and download an item from that folder without having to enter a password. What's the best way to secure the folder while still allowing downloads from it?
Thanks for your answer, but unfortunately I couldn't get it to work; it would still restrict the download links.
I did find this answer which solved the problem: Htaccess access/download
I had to use
<FilesMatch "\.(.+)$">
Order allow,deny
Allow from all
Satisfy any
</FilesMatch>
This is a little tricky. Let's assume your download folder is named DocumentRoot/downloads
You can use this code in your /downloads/.htaccess:
SetEnvIfNoCase Request_URI "/downloads/.+$" ALLOWED
AuthType Basic
AuthName "Protected Area"
AuthUserFile /Full/Path/To/passwords
Require valid-user
Order deny,allow
Deny from all
Allow from env=ALLOWED
Satisfy any
This will allow unrestricted access to any file inside /downloads/ folder.
This will show basic auth popup when user enters http://domain.com/downloads/

Using "Allow From" in the .htaccess file - what IP to enter?

This is my htaccess file:
AuthType Basic
AuthName "Sorry, Restricted Area!"
AuthUserFile /path/to/your/.htpasswd
Require valid-user
Allow from 123.45.67.890
Satisfy Any
My question is about the Allow from line ... the IP I give here is the caller's IP, isn't it? This htaccess file is on my server, which has 123.45.67.890 as its IP, but as soon as I activate this htaccess, I can call the website it protects from anywhere, not just from the server itself, which is the plan. I call it like this: http://123.45.67.890/website ... The question is, why can I call it from any computer even though it has the IP restriction? The site should only be called from the server itself.
Thanks :)
Because you need to deny from all first:
order deny,allow
deny from all
allow from 888.888.888.888
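Why the missing Deny line matters, as an added example that is not part of the original question or answer: a small Python model of how the Apache 2.2-style Order, Allow, Deny and Satisfy directives combine. The function names and the sample addresses are assumptions made for illustration, and only IP/CIDR and "all" arguments are modelled (not hostnames or env=).

```python
import ipaddress

def matches(rules, client_ip):
    """True if client_ip matches any 'Allow from'/'Deny from' argument (IP, CIDR or 'all')."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule.lower() == "all":
            return True
        if addr in ipaddress.ip_network(rule, strict=False):
            return True
    return False

def host_allowed(client_ip, allow=(), deny=(), order="deny,allow"):
    """Host-based check; 'deny,allow' is the default Order."""
    allowed, denied = matches(allow, client_ip), matches(deny, client_ip)
    if order.lower().replace(" ", "") == "deny,allow":
        # Default state is ALLOW: refused only if a Deny matches and no Allow overrides it.
        return not denied or allowed
    # allow,deny: default state is DENY; needs an Allow match and no Deny match.
    return allowed and not denied

def access_granted(client_ip, authenticated, allow=(), deny=(),
                   order="deny,allow", satisfy="all"):
    """Combine the host check with 'Require valid-user' according to Satisfy."""
    host_ok = host_allowed(client_ip, allow, deny, order)
    if satisfy.lower() == "any":
        return host_ok or authenticated   # either condition is enough
    return host_ok and authenticated      # Satisfy All: both are required

# Constructed sample addresses (documentation ranges), not taken from the page.
SERVER_IP = "192.0.2.10"
OUTSIDER = "203.0.113.77"

def question_config(client_ip, authenticated=False):
    # The question's file: Allow from <server IP>, Satisfy Any, no Deny line.
    return access_granted(client_ip, authenticated, allow=[SERVER_IP], satisfy="any")

def answer_config(client_ip, authenticated=False):
    # The same file with the answer's "order deny,allow" and "deny from all" added.
    return access_granted(client_ip, authenticated, allow=[SERVER_IP],
                          deny=["all"], satisfy="any")

if __name__ == "__main__":
    for name, cfg in (("question", question_config), ("answer", answer_config)):
        print(name, {ip: cfg(ip) for ip in (SERVER_IP, OUTSIDER)})
```

With no Deny line, every host passes the host check, and Satisfy Any then skips the password prompt for everyone; with "deny from all" in place, only the allowed address skips it and everyone else must authenticate.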

.htaccess incoming request: relative vs absolute rule

I'm working in a password protected directory. "Quicktime" + "Safari" + "AuthType Basic" are doing their best to challenge me (and winning). I've managed to implement a solution via htaccess but I would like to improve the security.
I now have a secure folder with basically public .mov files inside.
I've implemented:
AuthUserFile /var/www/ht/.htpasswdblabla
AuthName Protected
AuthType Basic
require valid-user
Options +FollowSymlinks
RewriteEngine on
<FilesMatch mov>
Satisfy any
order allow,deny
allow from all
</FilesMatch>
What I would like to do is only "satisfy any..." based on a relative request and "require valid-user" for any fully qualified/absolute request. This would allow the page's QuickTime/video object to access the files freely, but anyone linking to the file would need a password.
../movie.mov (would satisfy...)
movie.mov (would satisfy...)
http://basedomain.com/protected_folder/movie.mov (require valid-user)
Any help or a point in the right direction would be greatly appreciated.
Help me Obi Wan Kenobi, you're my only hope.
If I understand your question correctly, this is not possible. It is possible to write relative links into your code, but the browser is always making an absolute request so it is not possible for Apache to differentiate a relative link from any other.
You might look into allow/deny based on the request referrer. I am not sure how reliable that is, and it could be easily spoofed...but it might prevent casual attempts.
Problem is similar to trying to prevent others from deep-linking your images. There are different strategies, but often more trouble than they are worth.

How secure is htaccess authentication

I need to protect a client's CMS with a username and password; only one username is needed. I was going to use htaccess because it's so quick to add.
I'll be adding it using the password directories feature in WHM which stores the passwords here:
AuthUserFile "/home/username/.htpasswds/public_html/cms/passwd"
How secure is this? Are there ways to get into folders such as .htpasswds?
Straight from Apache's documentation
The most common method is Basic, and this is the method implemented by mod_auth_basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl. Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Most recent browsers support Digest authentication.
Please read the rest HERE
Please read the comments, things have changed since 2011. Good catch #reve_etrange
You should deny access to the folder that contains passwd files
<Directory /home/*>
Order allow,deny
Deny from all
Satisfy all
</Directory>
Also, don't forget that HTTP traffic can be captured, so it isn't suitable for financial transactions.
As long as you set up the proper restrictions in your httpd.conf file to block external requests for .htaccess and .htpasswd, you should be okay.
You can block external requests (in Apache) with the following directives:
# The following code hides .htaccess and .htpasswd files from the site's visitors.
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

How do I redirect users that are not on my ip to a page rather than just an apache error page?

I want to take my website down for an hour while I make changes and I have used
order Deny,Allow
Deny from all
Allow from my.ip.add.ress
How do I redirect users that are not on my IP to a page rather than just being given a bog-standard Apache error page? I want something prettier.
You can add this to your .htaccess:
ErrorDocument 403 /misc/403page.html
Then create a file called 403page.html in /misc (or whatever) and you're good to go. Make sure that /misc is outside of the document root for the site in question.
[EDIT AllowOverride will need to be set to FileInfo for this to work]
