Using .htaccess and .htpasswd gives empty pages - security

I'm trying to password protect a webpage, say index.html that's located at mysite.com/mysubfolder/index.html. How I've done this, is I've placed both a .htaccess and a .htpasswd file in the directory public_html/mysubfolder/, with .htacess containing the following:
AuthName "Secure Area"
AuthType Basic
AuthUserFile /public_html/mysubfolder/.htpasswd
Require valid-user
Now, when I type in www.mysite.com/mysubfolder into the address bar, I get the prompt to type in the user name and password, which I do, with the credentials that generated my .htpasswd file. But when I do, an empty page shows up - no error or warning, just a white page. I have other folders inside this directory, and for them too nothing shows up, when I try to access them directly through the address bar. When I click View Page Source, all I see is
<!-- SHTML Wrapper - 500 Server Error -->
I have no idea what to do now. I want everyone who types in that webpage or clicks through a link to it (mysite.com/mysubfolder/index.html or mysite.com/mysubfolder)to have to type in the specific credentials I have chosen. Am I doing something wrong? Maybe there is a better way? Thanks in advance.

Related

AuthName in .htaccess not displayed in Chrome

I am trying to secure a website with an .htaccess file with Apache2. It works well but the message specified with the AuthName line is not visible on Chrome (but it is visible on Firefox !). What should I do to make it visible on Chrome?
Here is my .htaccess file
AuthType Basic
AuthName "Restricted Access"
AuthFile "/etc/apache2/.htpasswd"
Require valid-user
On Firefox the pop-up tells
The site ... is requesting your username and password. The site says: "Restricted Access"
But on Chrome it only tells
Sign in
What should I do to make it visible on Chrome?
There is nothing you can do.
The browser decides whether it wants to display this information to the user in some way, or not.
The phrasing used in the Apache documentation already hints at that (highlights by me) -
https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authname:
The string provided for the AuthName is what will appear in the password dialog provided by most browsers.
https://httpd.apache.org/docs/2.4/howto/auth.html#gettingitworking:
The AuthName directive sets the Realm to be used in the authentication. The realm serves two major functions. First, the client often presents this information to the user as part of the password dialog box. Second, it is used by the client to determine what password to send for a given authenticated area.
Here is a workaround which can give some info for your unlucky visitor, using custom error document feature after the login attempt fails:
Put this line into your .htaccess file:
ErrorDocument 401 YYYY-MM-DDTHHMM-Site-update-under-way-Estimate-30-min
The continuous text seems to get displayed after login fails or is canceled. No dots (.) or colons (:) allowed. Of course it should represent a valid filename, but if the user has no access to public_html due to login fail a file maybe can't be served anyway. If You can serve a proper 401 error page, You can explain the situation there.
(edit 1) Maybe this behaviour is a curiosity in my case with shared hosting. The shared server there seems to be nginx which I guess "is forced" to accept .htaccess directives.
(edit 2) Confirmed this behaviour also with Apache 2.4 server

redirecting folder to file using htaccess

A friend wants me to implement basic file security on his site that he can look after himself.
I think the simplest option is to put a .htaccess file into the folder he wants to protect and that will redirect all requests to a php file in the root.
The php file will then check if the user is logged in and serve the file or request a fixed shared login password.
It's going ok so far except for two problems.
Firstly I can't get the htaccess file work based on the directory it is located in - I can only manage it by hard coding the directory into the htaccess file.
Secondly, I can get the php file to know the url of the file that was requested.
Any help and pointers would be great!
It sounds like what you are wanting to do can be done a little more easily with an .htpasswd setup.
You will just place this in an .htaccess of the directory you are trying to protect and all of the sub-directories will be protected as well.
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
And then create an .htpasswd file and use a tool like this to generate the credentials.
Alternatively, the way you are suggesting to do it will require the use of either cookies or sessions and here is another question that should help a bit more with setting that up.

Adding .htpasswd to my web site

Hi.I'm new at web, and I want to create a site. I've ordered a domain name and hosting, so now I have access to storage on hosting. What have I to do to protect any folder using htpasswd?
All that I have in http folder is index.html and folder examle, that contains .htaccess and .htpasswd and example2 folder, that should be protected.
When I try to access example2 folder from browser, I get popup window, that asking me for a login and password, and when I enter it I have a 500 internal sever error
Ok, so I have the answer. It's strange that the commentators didn't undertood the error, because as I understood the 500 error has only one meaning - server can't find a file. So, communyty members again talks about everytihng they can intstead that they was asked about-_-(yes, yes, there are a lot of grammar mistakes, but you understood(I hope)).
So here are a few steps for newers, like me, that can help to protect data of your site via `.htpasswd`
Getting the correct file path
Create file in folder you need to be protected, with .php extesion, and name it, how you like. Put this code there, and save it.
<?php
echo 'Полный путь к каталогу: ';
echo $_SERVER['DOCUMENT_ROOT'];
echo '/';
?>
Visit this page via browser, there will be wrote the full path to php document you've created.
Creating .htaccess and .htpasswd files
Go to folder you need to be protected by password and create two files - .htaccess and .htpasswd. You should notice, that these files shouldn't have any extensions, and they must be named exactly with . character in the begining.
Writing to .htaccess
Put there this one
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "My restricted Area"
Require valid-user
Instead of /path/to/ put the path you've got earlier. That's all
Writing to .htpasswd
Go to https://www.web2generators.com/apache-tools/htpasswd-generator and fill there login and password, and it will return you encrypted login:pass combination. Open .htpasswd file and just put it there.
That's all, it should work

htaccess Faking directory path?

I would like to fake directory path with .htaccess, but I haven't got much experience with it, so I'm asking you, guys.
Let's say my URL is http://example.com/test and I got some scripts in that folder. I would like to hide the URL, so I wouldn't be able to access by it's real URL, but I could access it with e.g. http://example.com/test2.
I simply would like to hide and fake the directory.
To simply protect the page with a password you can add the following into your .htaccess on the page you want to protect:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd <-- change this to your full path to .htpasswd
Require valid-user
Then create the .htpasswd file, and create user/password combinations. Like this:
test:dGRkPurkuWmW2
Directions can be found on this page:
http://www.htaccesstools.com/articles/password-protection/
Use a password generator like this one to generate an encrypted password:
http://www.htaccesstools.com/htpasswd-generator/

.htaccess password and forced login

I have password protected website with .htaccess. What I want to do now is to force users to login from the index.html page and not from any other which they can do now. ie. I have index.html (the main page) and I have two other pages 1.html and 2. html also protected with .htaccess password. Users can now type http://www.mypage.com/1.html and they will be asked for login data but I would like to force them (before they are asked for login details) to index.html to login. After they are loggedin they can use any link (ie.1.html or 2.html) as they want.
Can this be done by using .htaccess? I would need the whole code. Thank you!
With .htaccess you may protect the whole directory with password:
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /path/to/passwords/file/passwords
Require user myuser
you may create passwords file with the following command:
htpasswd -c /path/to/passwords/file/passwords myuser
You may complete description with good examples in Apache docs.
If you use apache to protect a directory you can't create a login form on your index.html for it. The login dialog is instead created by the browser.
You can however force people to first go to index.html, by checking the referrer header. If it exists and is different than domain.com/index.html you can redirect to index.html. You'll have to use mod_rewrite for this.

Resources