.htaccess incoming request: relative vs absolute rule - .htaccess

I'm working in a password protected directory. "Quicktime" + "Safari" + "AuthType Basic" are doing there best to challenge me (and winning). I've managed to implement a solution via htaccess but I would like to improve the security.
I now have a secure folder with basically public .mov files inside.
I've implemented:
AuthUserFile /var/www/ht/.htpasswdblabla
AuthName Protected
AuthType Basic
require valid-user
Options +FollowSymlinks
RewriteEngine on
<FilesMatch mov>
Satisfy any
order allow,deny
allow from all
</FilesMatch>
What I would like to do is only "satisfy any..." based on a relative request and "require valid-user" for any fully qualified/absolute request. This would allow the pages quictime/video object to access the files freely, but anyone linking to the file would need a password.
../movie.mov (would satisfy...)
movie.mov (would satisfy...)
http://basedomain.com/protected_folder/movie.mov (require valid-user)
Any help or a point in the right direction would be greatly appreciated.
Help me Obi Wan Kenobi, you're my only hope.

If I understand your question correctly, this is not possible. It is possible to write relative links into your code, but the browser is always making an absolute request so it is not possible for Apache to differentiate a relative link from any other.
You might look into allow/deny based on the request referrer. I am not sure how reliable that is, and it could be easily spoofed...but it might prevent casual attempts.
Problem is similar to trying to prevent others from deep-linking your images. There are different strategies, but often more trouble than they are worth.

Related

redirecting folder to file using htaccess

A friend wants me to implement basic file security on his site that he can look after himself.
I think the simplest option is to put a .htaccess file into the folder he wants to protect and that will redirect all requests to a php file in the root.
The php file will then check if the user is logged in and serve the file or request a fixed shared login password.
It's going ok so far except for two problems.
Firstly I can't get the htaccess file work based on the directory it is located in - I can only manage it by hard coding the directory into the htaccess file.
Secondly, I can get the php file to know the url of the file that was requested.
Any help and pointers would be great!
It sounds like what you are wanting to do can be done a little more easily with an .htpasswd setup.
You will just place this in an .htaccess of the directory you are trying to protect and all of the sub-directories will be protected as well.
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
And then create an .htpasswd file and use a tool like this to generate the credentials.
Alternatively, the way you are suggesting to do it will require the use of either cookies or sessions and here is another question that should help a bit more with setting that up.

Allow access to website only from a specific URL

I have got a client who I did a great website for a year or so ago however he has just sold his business and as part of the deal he wants me to take the website down. He has however agreed to allow me to use the website on my portfolio so I essentially want to be able to block all entries except from entries from my domain name, is this possible? I was thinking the best solution will be .htaccess but I am not the best at .htaccess so any advise would be awesome.
Something like this should work. Put it in the directory that requires the denial.
I would suggest an alternative method though; perhaps moving the site to your own server.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName OnlyFromUNO
<Limit GET>
order deny,allow
deny from all
allow from .domain.com
</Limit>

restrict access to all php files besides three of them

I've made a site 1 year ago using php, when I had alot less experience. My teacher and I were analysing the code today and there seems to be a security issue. He wants me to fix it before he gives me the points I need.
I've got an index.php and an edit.php file in the root directory, and a login page in /php/login.php (which I find to be a very silly place to put a login file in, now that I look back on it, I would probably swap edit.php's and login.php's directory's if I were to rewrite my site).
Basically, I want these three files to be accessible externally. I want all other php files to be restricted from the outside, so it's impossible to do an ajax call to /php/phpsavefile.php from outside the system (which is the security issue I mentioned). edit.php makes the ajax call to /php/savefile.php.
I think this is what I need to get the job done:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
<Files /index.php>
Order Allow,Deny
Allow from all
</Files>
But how can I add three files instead of just one after <Files and before >?
I've also tried second approach:
Order Deny,Allow
Deny from all
This doesn't seem to work because an ajax call appears to be a regular http request as well, so it gets a 403 response.
Another approach I tried was putting the restricted php files inside a map called "private"
in the same folder where "httpdocs" remains (the parent folder of webroot). My teacher had told me about an admin folder, that no one can access but the site itsself. I tried including the restricted php files inside the private folder, but it didn't seem to include it properly...
Any help or tips for this novice at .htaccess would be appreciated :-)
Edit:
.htaccess allow access to files only from includes
Ray's comment said:
Of course, because they are requested by the client. You can't "allow the client" and "not allow the client" to serve files.
I suppose this is true, but how can I prevent people from calling my ajax file?
I secured it by checking if the user was logged in.

Is there a way to restrict the external users to access my server files

Is there a way to restrict the external users to access my server files..
example is when i access this dir http://puptaguig.net/evaluation/js/ it shows the 404 page(though it's not obvious) but when i tried to view control.js here http://puptaguig.net/evaluation/js/controls.js it opened up..
IndexIgnore *
<Files .htaccess>
order allow,deny
deny from all
</Files>
i just want to make these files inside my server directory to secured from outside viewing for some reasons..but how?
Best Regards..
siegheil/js? Should be siegheil/ns for sure?
You could chmod 000 and then no one would see them or access them. You can't have people accessing and not seeing them at the same time. Can't be done.
You can add below lines to your httpd.conf or. htaccess this will avoid access of your JavaScripts
<Files ~ "\.js$">
Order allow,deny
Deny from all
Satisfy All
</Files>
The only way I can think to manage this is deny access to your js files by throwing a .htaccess in the siegheil/js/ folder that says something along the lines of:
deny from all
or just simply put your code in a folder above the root document level of the site itself.
After that, you then use something like minify to retrieve the js files from the backend (PHP / some other server language side) and have the minified / obfuscated code placed in another folder or just outputted directly from the script.
With all that said, in the end, the js code must be downloaded one way or another to be run by the browser. This will make it impossible to prevent people from looking at your code and figuring out what it does if they really want to.
You were able to access http://puptaguig.net/evaluation/js/controls.js but not http://puptaguig.net/evaluation/js/ because most Apache installs prevent an anonymous user from viewing the directory contents, and only permit access to specific files in the directory.
There is no way "hide" client-side JS because without access to those files your users will not be able to run your script. As suggested by #General Redneck, you can obfuscate and minify your js using a tools like minify or uglifyJS, but those can, potentially, been un-minified (minification is still a good idea for performance reasons). Ultimately you are fighting against the "open" nature of the web. I'd suggest putting a license on your code, and keeping an open mind : )
If you really need something to be secure, try accomplishing the essential functionality (which you want to keep private) with a backend language like php or asp.net and feeding the relevant data to you JS script.
You should create an .htaccess file in the relevant directory that has
-Indexes
in it. This will prevent listing of the directory and will cause a 403 error to be raised. Your application can then handle that however it wants to display whatever you want.

How secure is htaccess authentication

I need to protect a clients CMS with a username and password, only one username is needed. I was going to use htaccess because its so quick to add.
I'll be adding it using the password directories feature in WHM which stores the passwords here:
AuthUserFile "/home/username/.htpasswds/public_html/cms/passwd"
How secure is this? Are there ways to get into folders such as .htpasswds?
Straight from Apache's documentation
The most common method is Basic, and this is the method implemented by mod_auth_basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl. Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Most recent browsers support Digest authentication.
Please read the rest HERE
Please read the comments, things have changed since 2011. Good catch #reve_etrange
You should deny access to the folder that contains passwd files
<Directory /home/*>
Order allow,deny
Deny from all
Satisfy all
</Directory>
also don't forget that http traffic can be captured, so it won't suit for financial transactions.
As long as you set up the proper restrictions in your httpd.conf file to block external requests for .htaccess, and .htpasswd you should be okay.
You can block external requests (in Apache) with the following directives:
# The following code hides .htaccess and .htpasswd files from sites visitors.
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

Resources