Secure site folder using .htaccess - .htaccess

I am using cakephp for my new project.I want to secure my site with .htaccess.Here is what i want to achieve.
If someone tries to go to my site url which is,for now www.sample.com.User should not get access without giving password or any other security method.How can i achieve this property?? Shall i eloberate this requirement??then please let me know.
Thanks in advance

With .htaccess you may protect the whole directory with password:
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /path/to/passwords/file/passwords
Require user myuser
you may create passwords file with the following command:
htpasswd -c /path/to/passwords/file/passwords myuser
You may complete description with good examples in Apache docs.
Original Answer: .htaccess password and forced login

Related

How to apply .htaccess in a node.js (express) application?

I have a node.js express application and I want to authenticate users using .htaccess (part of the requirement). I have added the initial .htaccess code however, it is not working.
Here is a snapshot of my code directory structure:
Code Directory Structure
Here is the code snippet of my .htaccess file:
AuthType Basic
AuthName "Please Enter Password"
AuthBasicProvider file pam
AuthUserFile ./.htpasswd
AuthGroupFile ./.groups
Require group admins
I have two other files .htpassword and .groups that includes the password and groups.
Any help would be appreciated!
.htaccess is Apache specific.
If you want to use a library to do authentication, check basic-auth.
An example can be found in this article here: https://www.taniarascia.com/basic-authentication-for-an-express-node-app-htpasswd/

AuthUserFile in htaccess can be url?

i have this htaccess :
AuthType Basic
AuthName " Vip User Only
AuthBasicProvider file
AuthUserFile c:\inetpub\htpasswd
Require valid-user
<FilesMatch ".(jpg|gif|png|tiff|jpeg|html)$">
Allow from any
Satisfy any
</FilesMatch>
i want to remotely read htpasswd from another server ?
e.g : this htpasswd is in Server A and i want too use htaccess in Server B with Server A's htpasswd !
is this possible ?
See the documentation of AuthUserFile
File-path is the path to the user file.
There's no mention of URI anywhere. To the contrary, it advises (rightly!) to make the file inaccessible from the web
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
Otherwise anybody could download the file, and crack all your passwords.

htaccess password protection keeps asking for password on subdirectories?

I am using the following in my htaccess:
Options +Indexes
IndexOptions +FancyIndexing
AuthUserFile /home/html/.htpasswd
AuthName "Restricted Area"
AuthType Basic
require valid-user
It works great in the root directory...
The problem is when I access a sub-directory, it asks for a password again. For each and every sub-directory it asks for a password. In fact, everytime I refresh it asks for the password again, instead of caching it in.
How do I fix this?
I've figured this one out. It is related to FancyIndexing. If you have FancyIndexing enabled, htaccess will ask to reconfirm the password on every file and folder within the initial folder. Turning this off solved the issue.

HTTP Basic Auth Upon Image View (.htaccess)

I saw this and I'd love to know how to recreate it. Unfortunately, I don't know .htaccess.
Upon viewing an image, there was an HTTP Basic Auth style dialog that asked to enter some sort of authentication (albeit nothing actually submitted anywhere).
I'm sorry for the skid question, but I'd really love some insight as to how this can be done using .htaccess or .htpasswd.
Thanks.
In your apache site conf, add something like:
Alias /image /path/to/img
<Directory "/path/to/img">
AuthType Basic
AuthName "LoginImage"
AuthUserFile /path/to/.htpasswd
Require valid-user
</Directory>
Then, create the .htpasswd file with:
htpasswd -c .htpasswd someusername
and you'll be prompted to create a password.

htaccess doesn't work - always wrong password

I am trying to password protect a directory, and have two files in the directory which should password protected it:
.htaccess
.htpasswd
HTACCESS:
###Contents of .htaccess:
AuthUserFile /var/www/html/path/to/my/directory/.htpasswd
AuthName "Protected Files"
AuthType Basic
Require user admin
HTPASSWD:
###Contents of .htpasswd
admin:oxRHPuqwKiANY
The password is also admin, but no matter what password I try, it is always wrong. It immediately asks for the password again!
What is wrong with this configuration?
This problem is almost always because apache cannot read the .htpasswd file. There are four causes that come to mind:
it isn't parsing the path correctly... how did you create the .htaccess file? Does it have unix line endings (versus say using Notepad in Windows?
is the path correct? What does the following command (with the path update) show?
ls -l /var/www/html/path/to/my/directory/.htpasswd
does the web server have access to the file? chmod 644 and see if that solves the problem.
it can't parse the .htpasswd file: in this case, you are using the crypt() encryption so it does seem you created the file on Linux and it is probably fine. Some types of encryption only work on certain platforms, if in doubt try switching to MD5.
You may find helpful messages in the Apache error log.
My money is on #3.
I had a similar issue using MAMP and it was because i was creating .htpasswd by hand. Solution was to use htpasswd command in terminal:
htpasswd -bc .htpasswd someuser somepass
this created the .htpasswd file which worked fine with my .htaccess file which looked like so:
AuthType Basic
AuthName "This site is in alpha and requires a password."
AuthUserFile "/Applications/MAMP/htdocs/mywebsite/.htpasswd"
require valid-user
There's a small chance you're seeing password protection from a parent folder, not the folder you expect.
If your /etc/apache2/sites-enabled folder has only one file in it, check to see if it has a section for your sites folder, something like:
<Directory /var/www/mysite.com>
AllowOverride All
</Directory>
otherwise, if it has a file for your site name, like:
/etc/apache/sites-enabled/YOUR_SITE_NAME_HERE.conf
edit that file instead, and make sure that there's an
AllowOverride All
in there. That's the important part! If you want to only allow the minimum, specify:
AllowOverride AuthConfig
instead.
I had the same problem. Turned out the issue was this line:
Require user admin
If you specify admin you can only access the directory with admin even if you have other users in the .htpasswd file.
If you want to specify the users in the .htpasswd file, you can change the line to:
Require valid-user
My problem was that I did not give an absolute path for the AuthFile line.
I had the same issue.
The password should have specified encryption:
CRYPT_STD_DES - Standard DES-based hash with a two character salt from the alphabet "./0-9A-Za-z".
function standard_salt(){
$a = array_merge(range(0,9),range('a','z'),range('A','Z'));
return (string) $a[rand(0,count($a)-1)].$a[rand(0,count($a)-1)];
}
echo(crypt("admin",standard_salt()));
example:
admin:dsbU.we73eauE
Online javascript encripter is also available.
If it still does not work, take care of these:
use unix linebreaks
use correct AuthUserFile path, You can get it using: echo $_SERVER['DOCUMENT_ROOT'];
set file readable: chmod(".htpasswd",0644);
Also, make sure your password file is ANSI-encoded.
I spent about 2 hours to resolve the same issue. But problem was in nginx.
I have nginx as front web server and there was a line for proxy configuration:
proxy_set_header Authorization "";
It overrides Authorization field and apache don't receive login and password typed in.
I just commented out this line and it worked.
use
htpasswd -b .htpasswd admin admin
to use the password from command line.
Also, if you are scatterbrained like me, make sure you have some content to display, like some index.html file in the directory. Otherwise, it will look like authentication failed, while it's just that the server is not allowed to display the directory listing.

Resources