i have a website that need to be unavailable for public.
I cannot test my website locally because lot of contents are depend on databases and images.
At present i am using .htaccess to deny all the people,bots and allow my ip address to use the site. What happens i have a dial-up ADSL modem and my ISP connection is frequently disconnecting. So i need to change the allowed IP address in htaccess frequently.This is terrible.
Is there any other way to overcome this situation. I saw an article to make the site password protected. is it okay or what should i do to overcome this terrible scenario.
Thanks
Yes, password protecting is fine. Follow this guide: http://httpd.apache.org/docs/2.2/howto/auth.html
You need to create an htpasswd file, essentially the file that holds your username and password. If you don't have shell access on your hosting plan, you can go to an online generator and create the file locally and upload it to your hosting site (don't put it in your document root).
Then add this to your htaccess file:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user
You can also whitelist IPs like you did before but you need to add this line:
Satisfy Any
So that your Allow from 123.45.67.89 lines is sufficient and don't need to log in from that IP.
Related
I have a very strange problem with password protection in a subdomain. I use a subdomain test.example.com, and in order to avoid duplicate content issues, and to keep the test site private, I have added these lines on top in .htaccess for this test site to prompt users:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /home/httpd/mydomain/test.example.com/.htpasswd
Require valid-user
This authentication solution has worked for years, but now suddenly when accessing the main domain example.com, the user is prompted with a dialog that demands authentication. The message is that test.example.com demands authentication. So the password protection in the test site affects the main domain site.
To grant access for all users to the main site again, I have commented out the relevant lines in .htaccess for the test site.
To be clear I should also mention that I am not talking about a redirection to the test site. When accessing the main site, this is also where the user ends up. But the password prompt still refers to the test site.
On the server no changes has been made to the vhosts in a long time.
So how can the password protection in the .htaccess file in the test site affect the main domain site? Seems impossible to me. But yet this is what happens.
The site is built with Drupal 7 and is updated to the latest version. The only change in recent time is a Drupal update (7.82).
I use a free shared php web server for my site. my site's url end was p.ht and for some issues it changed to w.pw
In order to make my site working properly again, by using Notepad++ I used "Find in Files" subwindow which is in ctrl+F popup window. I replaced each occurence of p.ht with w.pw.
My site then started to work properly again with no problem in terms of viewing.
however after this change, after a while I needed to logon my custom admin page (approve comments, articles etc)
I created it with .htaccess with main commands below:
AuthUserFile /home/u999999999/public_html/.htpasswd
AuthName "Log In"
AuthType Basic
Require valid-user
RewriteEngine On
RewriteBase /adminfolder/
just before URLs changed, everything was working on my site properly, I was able to login to my admin account from my firm computer. But know despite the same password and username I can't logon. I changed the password, uploaded new file but again I couldn't logon.
What can be the problem?
my firm firewall, security politics update etc?
A changed php server property in free shared web server?
A ctrl+Replace mistake somehow?
I also entered the password by keyboard and by copy-paste.
Can you please guide me for my situation. Where should I look, what new action can I try in order to detect my failure mode?
best regards
I am developing a website with CakePHP.
I have an AdminsController for admins to authenticate. However I want create extra security by adding .htaccess password protection.
I tried to do it by adding .htaccess and a .htpasswd files in my Admins view directory since I want the other pages of my site to work normally, but it doesn't work.
So how to add .htaccess and .htpasswd for only a specific view?
In my AdminsControllers's beforeFilter method I've added :
if(env('HTTP_HOST') == 888.888.888.888 || ......),
The list of IP addresses that should be allowed. Can I say that it is safe now?
I think you might want to investigate the other authentication components that CakePHP has to offer. BasicAuthenticate should be of particular interest.
If you go down this route, the authentication will still happen against a userModel rather than a .htpasswd file.
As for the IP restriction, that should be relatively safe. IP spoofing is possible but hard.
I need to password protect a couple of entries on a site. It is easy to do at the template level but this is at the entry level. I am running Expression Engine.
I tried setting up an htaccess file but it is not yet effective.
It is like this:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/server/.htpasswds/.htpasswd
AuthGroupFile /dev/null
<Files template_group/entry_name>
require valid-user
</Files>
Where template_group is the name of the actual template_group and entry_name is the actual name of the entry.
Any assistance will be appreciated.
Thanks.
While ExpressionEngine provides its own means for Template Access Restriction to password-protect pages and templates — including handling .htaccess Apache Basic HTTP Authentication — there are situations where you might not want to, or are unable, to use it:
For example, the Freelancer Version of ExpressionEngine doesn't include the Member Management Module, so the Template Preferences Manager doesn't offer Access Restrictions.
Also, if you elect to use ExpressionEngine's HTTP Authentication, only users with member accounts [in ExpressionEngine] will be able to login, since EE uses its local member database for authentication.
If you're the DIY type, you can modify your httpd.conf to limit and password-protect access to ExpressionEngine pages, entries and templates.
This technique works by:
Editing Apache's httpd.conf
Creating .htpasswd or .htgroup files
Specifying the URL(s) to Protect
Note: Since we are attempting to match objects at the URL level and not the physical filesystem, we must use a <Location> or <LocationMatch> directive1.
Put the following in your server's httpd.conf or vhost.conf file:
<LocationMatch "^/private">
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/website/.htpasswd
AuthGroupFile /dev/null
Require valid-user
</LocationMatch>
Be sure to change the values of the directive to your liking and your hosting environment.
If you haven't already, create the .htpasswd password file to encrypt the desired passwords, either using the command line or an Online .htaccess Password Generator:
htpasswd -c /path/to/website/.htpasswd username
If the htpasswd command is not in your Unix path, you'll have to type the full path to the file to get it to run. On my server, it would be:
/usr/sbin/htpasswd -c /path/to/website/.htpasswd username
Then, htpasswd will ask you for the user's password, and ask you to type it again to confirm:
# htpasswd -c /path/to/website/.htpasswd username
New password: changeme
Re-type new password: changeme
Adding password for user username
With everything in place and working, any request to /private* will be handled by Apache before it's routed to ExpressionEngine.
Voilà — Apache password-protected directories working in harmony with ExpressionEngine (or any CMS really, such as WordPress, MovableType or TextPattern).
The context of the <Location> directive specifies that it can only be used in server config and virtual host configuration files. This means we can't put the rules in a .htaccess file, otherwise Apache will throw a 500 Internal Server Error with the description "Location not allowed here".
If you are attempting to match objects at the URL level, you must use <Location>
If you are attempting to match objects at the filesystem level, you must use <Directory> and/or <Files>
I answered two similar questions on this subject that may be of benefit to you.
Nevertheless, there are several ways to password-protect pages in an ExpressionEngine site:
Template Preferences Manager
Conditional Global Variables
Third-Party Add-Ons
By far the easiest solution to your situation is to use the built-in Template Preferences Manager in the ExpressionEngine Control Panel and assign the "private" entries to a template that requires authentication.
A third-party add-on such as Entry Access by Yuri Salimovskiy of IntoEEtive may aide in your benefit. Entry Access enables you to restrict front-end access to certain channel entries for certain members or member group.
I have a private folder on my domain like
http://example.com/protected
and i stored lot of images and pdf file there
/protected/pad1.pdf
/protected/pad2.pdf
/protected/pad1.png
/protected/pad1.png
supose these are the files, how can i hide or protect access to there files with the help of .htaccess file.
allow only users those who knows the password.
is it possible ???
Check out Apache's page on Authentication, Authorization and Access Control -- one method would be using Basic or Digest authentication. That would look something like this:
AuthType Digest
AuthName "Private files"
AuthDigestFile /usr/local/apache/passwd/digest
Require user (usernames here)
Of course, you need to generate a password and/or digest file using htdigest or htpasswd as well, but that procedure is explained in the document I linked to.
Or for zero configuration and zero access:
Order Allow, Deny
Deny From All
=)