How to make that only one page requires .htaccess auth? - .htaccess

Here is my problem. I have one page www.example.com which I don't want to be publicly accessible, so I want to have it behind some kind login.
The problem is that I also have www.example.com/api which I need to be publicly accessible.
Do you have any ideas how to achieve this?
Best regards,
Mladjo

.htaccess (or the <DIRECTORY> directive) applies to the directory you put it in (.htaccess) or the directory you specify (<DIRECTORY> directive), and all sub-directories below that one. If you have a specific file that you wish to control access on, put it in its own directory one level deeper than your web-root directory, and apply your access restriction to that path and its subdirs only.

Related

How can I make my domain secure, and invisible?

My problem is that if I type my domain without any slashes, it shows the complete folder and file structure, so we can say it is not really secure. I've managed to encrypt the folders, but not the main domain. In the cPanel I dont't find where can I make it secure, and invisible. Please don't devalue me for this question, I'm new.
If you want to prevent users from viewing the directory listing, you should select the no indexing option in cpanel. See this link for more information: http://www.inmotionhosting.com/support/edu/cpanel/remove-index-listing.
You can also password protect your domain using .htaccess and .htpasswd

IIS denying access to simple HTML file in virtual directory

I'm trying to display simple HTML files in a folder on my web site. No ASP.NET, no application, just a virtual directory. I'm getting "Access denied" in the browser when I try to open a web page.
This is through a hosting provider; I have access through FTP and IIS Manager only.
Authorization Rules show Allow - All Users - Inherited.
I'm far from an expert on IIS, and most search results either suggest checking folder permissions in the file system (which I have no direct access to) or are relevant to applications.
How can I diagnose this?
More information:
Through trial and error, I found out the cause, and worked around it with URL Rewrite. I'd still like to know why it's happening (the root cause) and how to change IIS's behavior.
I'm moving my site from Linux hosting to Windows hosting. Some of the old URLs are of the form:
http://www.MYSITE/myblog/index.php/2013/04/29/SOMEFILE.html
The ones I'm moving are HTML files, not PHP files, but I tried to mirror the folder structure.
The problem is in the index.php folder name. No matter what I do, even if I enable directory browsing, IIS won't let me access any files in a folder with that name. If I rename the folder (or even the "extension" part), it all works.
I've scanned through many of the IIS settings and haven't found any mention of forbidding a .php extension. What's going on?
You need to add permission for IIS users.Try adding permission to the folder by adding user
IIS_IUSRS and give required permission .
1.Right click on folder, go to properties
2.Go to security tab
3.Click on Edit, if you don't see IIS_IUSRS in the user list who have permission
4.Click on Add , In the box , add IIS_IUSRS and click on check names, it will
get the qualified name .
5.Click OK and apply
Hopefully it should work then
Through trial and error, I found out the cause, and worked around it with URL Rewrite.
For URLs of the form:
http://www.MYSITE/myblog/index.php/2013/04/29/SOMEFILE.html
The problem is in the index.php folder name. IIS won't let me access any files in a folder with that name. If I rename the folder (or even the "extension" part), it all works.
This is reminiscent of Joomla virtual (SEO) URLs. I'm assuming that you don't really have static files at all, but the CMS program running your site parses this information after the "index.php" as parameters for a database query to create the html page on the fly. In this case, the only file that's really being served by the web server is index.php, and the program includes other php files depending on the parameters entered. You're on the right track though, with creating a small file on the destination server and try to load it, but this means the index.php directory structure is moot.

.htaccess denied vs out of wwwroot

I need to upload to my server a high sensitive data file to be used by PHP scripts. Please, tell me what's the most secure way and why:
Putting it in a folder not under www root
Putting it under www root but denying access with .htaccess rule
Thank you very much
If you have ftp/sftp/ssh access to this server, there's no reason not to put it outside of the www document root. If you have a hosting service that only grants you access to the www document root, then you'll have to go with the second solution, but the first is much more secure.
Htaccess can be bypassed if there is a vulnerable script on your site. There are tools that, if placed correctly, files inside the document root and be uploaded by a remote attacker or even replaced. For example, there are php "remote file managers" that allows a remote attacker to change permissions, edit, or replace existing files, including your htaccess file. If you're running a site like Wordpress, or some other CMS, that aren't exactly super secure by themselves, that have a lot of third party plugins, those plugins could be vulnerable to attacks, and if you happen to be using one, your htaccess file's access restrictions could be bypassed.
When the sensitive information is outside of the document root, an attacker who has access to the document root won't be able to access these files and vulnerabilities in your scripts are a lot less likely to affect access to these files. There most likely needs to be a system level exploit to be able to gain access to files outside of the docuement root.

Dynamic .htaccess subdomain security

I have yet another .htaccess question, simple for you, not so much for me.
Let's say my main site is found at http://domain.com. I do all of my pre-release testing at sandbox.domain.com and sandbox.domain.co. I just realized that Google has gone ahead and indexed my sandbox sites... Ugggh!
The document root folder on my Apache server with the live site is always called ALIVE, and in order to make my sandbox contents live I quickly rename the folders, ie ALIVE->OLDx, SANDBOX->ALIVE.
My goal is to prevent indexers and users from accessing my sandbox pages. I am trying to design a .htaccess file for document root that only allows my ip address when accessed from a sandbox subdomain (sandbox.domain.com), otherwise it allows everyone when accessed from the main domain (domain.com). This would eliminate the process of remembering to update the .htaccess file each time I release a new site.
This doesn't seem too difficult, but I haven't been able to find the right combination. Any pointers in the right direction will be much appreciated!
Create a .htaccess inside each folder (like sandbox):
order deny,allow
deny from all
allow from YOUR IP HERE

.htaccess file. Can I block access to a directory without blocking access to the files within it?

I'm building a website, but I'm not entirely sure what to do with the .htaccess file.
Say for example I have a folder called pages which holds all my pages, can i deny access to someone if they type in www.website.com/pages so that they can't see the directory?
I've tried putting the .htaccess file in the pages folder with the "deny from all" line and although it denies access, it's also denying access to the actual pages.
Is there a way to do this without denying access to see the pages on the website, just denying access to the directory?
Sorry if this doesn't make much sense, I'm so confused lol.
Thanks for any help.
If you don't want Apache to display the list of files in the directory, you can use
Options -Indexes
To disable the indexes feature.
See the Options Directive section of Apache's manual, for more informations.
Else, an "easy way" would be to just put an empty index.html or index.php file -- i.e. a default file that Apache uses when one is trying to access a directory.
About that, see the DirectoryIndex Directive.
Just put an empty index.html in the directory.
Most hosts I've used do it with the IndexIgnore * directive.
just put that in a .htaccess file and drop it into the folder you want to block indexing of.
More info: Apache IndexIgnore Documentation.
You can log into your site manager and then you can use you index manager to say which folder you would like to protect. I just did mine

Resources