I'm looking for a way I could hide directory (giving 404 instead of it) before user logging in.
For example, I have directory /admin and directory /login
And I want that the user which go on the first address - will see 404 page.
But, if he goes first at second page, he will see basic auth dialog and if he type correct login data - he will be redirected to first directory and see actually admin panel.
How to do this, could you tell me please? I've tried various combinations (including symlinks) but all I get - accessible /admin directory, if it was password protected (if not - it correctly redirects to 404, no matter with RewriteRule or RedirectMatch).
RedirectMatch 404 ^/admin(/?|/.*)$
RewriteRule .* - [E=AUTH:%{HTTP:Authorization}]
<Files login>
AuthUserFile /www/.passwd
AuthName PROXY
AuthType Basic
Require valid-user
</Files>
RewriteCond %{AUTH} !=""
RewriteRule .* login
Not working (getting 404 continuously).
RedirectMatch 404 ^/admin(/?|/.*)$
RewriteRule ^login/(.*) admin/$1
RewriteCond %{THE_REQUEST} ^GET\ /admin/
RewriteRule ^admin/(.*) /login/$1 [L]
Not working while .htaccess is present in admin directory (otherwise it became unprotected).
Related
I have directory structure like this:
public_html
.htaccess[1]
-apps
-.htaccess[2]
-admin
-myviwo
when I request http://localhost/mysite/admin it redirect me to http://localhost/mysite/apps/admin/ and shows me the content of the admin directory, if I request http://localhost/mysite/admin/ it doesn't redirect me but it shows me the content of admin directory again which is correct. But I want:
http://localhost/mysite/admin
http://localhost/mysite/admin/
Both of the above URLs shows me the content of admin directory without redirecting me.
.htaccess [1]
RewriteEngine On
RewriteBase /
RewriteRule (.*) apps/$1 [L]
.htaccess [2]
RewriteEngine On
RewriteBase /
RewriteRule ^admin/?(.*)$ admin/$1 [L]
RewriteRule ^(.*)$ myviwo/$1 [L]
How can I achieve this?
In the admin directory, add an htaccess file with the following:
DirectorySlash Off
This makes it so mod_dir won't redirect requests for the directory admin. However, note that there's an important reason why directory slash is "on" by default:
Security Warning
Turning off the trailing slash redirect may result in an information disclosure. Consider a situation where mod_autoindex is active (Options +Indexes) and DirectoryIndex is set to a valid resource (say, index.html) and there's no other special handler defined for that URL. In this case a request with a trailing slash would show the index.html file. But a request without trailing slash would list the directory contents.
If that's ok with you, then that's all that you need.
Otherwise, you may need to add a special rule specifically for admin. In the .htaccess[1] file, add right below the rewrite base:
RewriteRule ^admin$ apps/admin/ [L]
EDIT: to make the above rule dynamic, you need to first check if it's a directory:
RewriteCond %{DOCUMENT_ROOT}/apps%{REQUEST_URI} -d
RewriteRule ^(.*[^/])$ apps/$1/ [L]
I have a folder on my site (domain.com/protect) I want to limit to only one referrer (otherdomain.com/subfolder).
Deny for all others, allow only if coming from that URL.
If not coming from that URL, then redirect the visitor over to otherdomain.com/login instead.
How would I write that out in .htaccess rewrite rules?
In the htaccess file in your /protect directory, add these rules:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !otherdomain\.com/subfolder
RewriteRule ^ - [L,F]
The condition checks that the referer doesn't contain: otherdomain.com/subfolder, and if it doesn't, then whatever the request is (inside the /protect directory) will result in a 403 Forbidden.
Alternatively, you can put these rules in the htaccess file in your document root if you would rather keep everything in once place:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !otherdomain\.com/subfolder
RewriteRule ^/?protect/? - [L,F]
I have a site that has an admin page (eg admin.php) that is normally accessed via mydomain.com/admin.php
What I was hoping to be able to do is to use htaccess to map
"admin.mydomain.com" to "mydomain.com/admin.php" in such a way that the user would never know that it was a 'file'.
That is, if someone externally tried to access "mydomain.com/admin.php", I want it to 404.
Now, for the even hard part: the admin.php page will want to serve links as "/admin.php?param=value", etc and so I'd need to look at the referrer (???) to let this work as expected.
can htaccess do this? Any idea on where to start?
If you have set up a record for admin.mydomain.com with the same IP Address as mydomain.com as well as the same DocumentRoot,
Then this can be done like this in your .htaccess:
RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_HOST} ^(admin\.) [NC]
RewriteRule ^ %1php [L]
RewriteCond %{REQUEST_URI} admin\.php$ [NC]
RewriteRule ^ - [R=404,L]
I don't really understand what you are trying to do (or really why you absolutely need to have the page mydomain.com/admin.php).
If you are trying to "hide" it from the users, why not actually create a subdomain, place the file in the subdomain, implement security on the entire subdomain and then there is no need for messing around with redirections, referrers or query strings.
For security you might want to do something like this:
In your .htaccess put:
AuthUserFile /path/to/htpasswd/file/.htpasswd
AuthGroupFile /dev/null
AuthName "MyDomain Admin Area"
AuthType Basic
require valid-user
Create the file .htpasswd using a generator such as this
Then you will have no need to hide the page from the user because without the correct username and password, they will get a 403.
I have a site with a virtual directory structure like mysite.com/folder/title which is actually a .htaccess rewrite to mysite.com/f/index.php?p=title. I want to password protect the folder folder with .htaccess, and know how to do that with actual folders. But I don't want to password protect the main site mysite.com, and right now if I put the .htaccess file in the mysite.com directory, I am protecting mysite.com and mysite.com/folder. I have also tried protecting mysite.com/f.
How can I protect only mysite.com/folder using .htaccess?
EDIT: Added .htaccess contents of mysite.com.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^folder/(.*)$ /f/index.php?p=$1 [PT,L,QSA]
RewriteRule ^folder/*$ /f/index.php [L,QSA]
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
.htaccess file I tried in mysite.com/f This successfully protects the entire site when moved to mysite.com, so I know the path is correct. When it is in the subdirectory it generates a 404 error and not a password prompt.
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/myusername/.htpasswd
require valid-user
Old thread is old...
Stumbled across this while having a similar issue, password protecting a subdomain while keeping the main site without.
The solution was easier than I originally made it out to be.
In the document_root/.htaccess, domain.com/wiki was redirecting to domain.com/w (because that's cleaner? lol):
RewriteEngine On
RewriteRule ^/?w(/.*)?$ /wiki/index.php [PT,L,QSA]
RewriteRule ^/*$ /wiki/index.php [L,QSA]
In document_root/wiki/.htaccess the wiki directory was password protected:
AuthType Basic
AuthName "Restricted"
AuthUserFile "/home/user/.htpasswds/public_html/wiki/passwd"
require valid-user
I simply added this line to the top of document_root/.htaccess so it reads:
AuthType None
RewriteEngine On
RewriteRule ^/?w(/.*)?$ /wiki/index.php [PT,L,QSA]
RewriteRule ^/*$ /wiki/index.php [L,QSA]
domain.com is no longer password protected and domain.com/wiki redirects as intended and with password protection.
Hope it helps someone else.
One thing that works (but isn't the most elegant solution) is to actually create a folder named "folder" (or whichever virtual folder you're trying to password-protect) and put the .htaccess into it.
Assuming you are using Apache 2.2
... and, that your server is running on a machine to which you do not have permission to modify the server configuration
... then, create: mysite.com/f/.htaccess with the rule you desire.
A good discussion of when to use this and when not to can be found here.
I'm having a small problem with my htaccess files. Currently, it redirects everything back to index.php for processing, except when someone tries to access an actual directory. When the directory exists, it displays the 403 error page instead of rewriting the path to index.php like it's supposed too. What can I modify to make it always go to index.php when the files are accessed via the internet, but still load the correct files in PHP on the server?
Options -Indexes +FollowSymLinks
RewriteEngine On
RewriteBase /
ErrorDocument 403 /index.php?403
ErrorDocument 404 /index.php?404
ErrorDocument 414 /index.php?414
RewriteCond %{HTTP_HOST} !^$ [NC]
RewriteRule !^(.*) index.php [L]
Sample file structure:
Web Directory
- com
- source
- index.php
- TEST.HTML
The folders such as 'com' and source' will display the 403 because the user doesn't have access to them. The files such as 'index.php' and 'TEST.HTML' execute normally. I want my htaccess to redirect everything in the Web Directory folder back to the index.php file, no matter what.
I think you want this instead:
Options -Indexes +FollowSymLinks
RewriteEngine On
RewriteBase /
ErrorDocument 403 /index.php?403
ErrorDocument 404 /index.php?404
ErrorDocument 414 /index.php?414
RewriteCond %{REQUEST_URI} !^/index.php
RewriteRule .* index.php [L]
This was on the assumption that you didn't want to be able to access TEST.HTML directly and didn't want to change the URL in the user's browser. If either of those assumptions were wrong, let me know and I'll update the answer with the appropriate rewrite information.