HTTP Basic Auth Upon Image View (.htaccess) - .htaccess

I saw this and I'd love to know how to recreate it. Unfortunately, I don't know .htaccess.
Upon viewing an image, there was an HTTP Basic Auth style dialog that asked to enter some sort of authentication (albeit nothing actually submitted anywhere).
I'm sorry for the skid question, but I'd really love some insight as to how this can be done using .htaccess or .htpasswd.
Thanks.

In your apache site conf, add something like:
Alias /image /path/to/img
<Directory "/path/to/img">
AuthType Basic
AuthName "LoginImage"
AuthUserFile /path/to/.htpasswd
Require valid-user
</Directory>
Then, create the .htpasswd file with:
htpasswd -c .htpasswd someusername
and you'll be prompted to create a password.

Related

Ubuntu 16.04 Apache2 only requires password once?

I have a server running, and setup an htaccess file. Everything works and it does require a password to gain access to the folder I set, but once the password is used, it has never required verification again. Seems insecure, so I'm wondering how to require re-entering a password. Like some kind of time-out on the access, but I don't know what to look for, and all I've found is people trying to stop needing a password all the time.
Please help with either a solution, or point me in the right direction for what I need to be searching for.
I am using ssl, and .httaccess file with basic auth setup in the apache config file.
<Directory "/var/www/html">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
As I know, apache/HTTP authentication don't gives you control.
After first authentication, your server cannot instruct the browser to logout or timeout. HTTP authentication does not work with session/cookies and the browser shall continually send authentication credentials.
To logout you should close the browser.
looking in Apache webpage: AuthDigestNonceLifetime Directive could be useful the value is in seconds for the time. i use 300 here.
<Directory "/var/www/html">
AuthType Digest
AuthName "Restricted-Content"
AuthDigestDomain "http://127.0.1.2"
AuthDigestProvider file
AuthUserFile /etc/apache2/.htpasswd
AuthDigestNonceLifetime 30
Require valid-user
</Directory>
Also you will have to use the htdigest command to generate the .htpasswd file
htdigest -c /etc/apache2/.htpasswd Restricted-Content username
then set the password
then set the AuthDigestDomain to your URL or IP
this conffiguration can only work with the degest based authentication. although the user must clear their browser cache manually.
but i would recommend you switch to a different method for autentication, unless its the only option for the application

AuthUserFile in htaccess can be url?

i have this htaccess :
AuthType Basic
AuthName " Vip User Only
AuthBasicProvider file
AuthUserFile c:\inetpub\htpasswd
Require valid-user
<FilesMatch ".(jpg|gif|png|tiff|jpeg|html)$">
Allow from any
Satisfy any
</FilesMatch>
i want to remotely read htpasswd from another server ?
e.g : this htpasswd is in Server A and i want too use htaccess in Server B with Server A's htpasswd !
is this possible ?
See the documentation of AuthUserFile
File-path is the path to the user file.
There's no mention of URI anywhere. To the contrary, it advises (rightly!) to make the file inaccessible from the web
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
Otherwise anybody could download the file, and crack all your passwords.

htaccess password protection keeps asking for password on subdirectories?

I am using the following in my htaccess:
Options +Indexes
IndexOptions +FancyIndexing
AuthUserFile /home/html/.htpasswd
AuthName "Restricted Area"
AuthType Basic
require valid-user
It works great in the root directory...
The problem is when I access a sub-directory, it asks for a password again. For each and every sub-directory it asks for a password. In fact, everytime I refresh it asks for the password again, instead of caching it in.
How do I fix this?
I've figured this one out. It is related to FancyIndexing. If you have FancyIndexing enabled, htaccess will ask to reconfirm the password on every file and folder within the initial folder. Turning this off solved the issue.

http authentication via htacces does not work on ubuntu

need a help with .htacces file to make http authentication.
I made .htacces and .htpasswd files due to tutorial on some web page, but it doesn't work.
.htacces file is very simple
AuthType Basic
AuthName "xxx"
AuthUserFile my/directory/path/
Require valid-user
Path is right, I checked it. Does anyone know what can be wrong please? Maybe there's something on ubuntu I should change or something.Thanks

500 internal server error with .htpasswd/.htaccess

sorry to ask this again, I know that it's been asked before but I've literally read every discussion for trouble shooting and I'm still having problems
heres my code:
AllowOverride AuthConfig
AuthUserFile path/index/.htpasswd
AuthType Basic
AuthName "restricted area"
AuthGroupFile /dev/null
require valid-user
whenever I delete the .htaccess from the server the pages run normally but when I re-add the .htaccess I get the internal server error. It's really weird because occasionally an enter your password window comes up even but when I enter the password the window reappears, as if the password was entered incorrectly, and when I reload the page I get the 500 server error. Thanks in advance for the much needed help!!!
This line:
AllowOverride AuthConfig
Is probably what's causing you the error. The AllowOverride directive tells apache what is allowed to be used in things like htaccess files. So obviously, it's not something you can set in your htaccess file. AllowOverride needs to be in the server or vhost config, and the AuthConfig part of it tells apache that you can have auth directives (like AuthType, AuthName, etc) in an htaccess file.

Resources