I'm testing Amazon Cloudfront on a dev environment which is protected by .htaccess/.htpasswd.
The password protection on the dev server is causing all of the cloudfront.net assets to be password protected as well. And no username/password combination works (the poppin just keep asking for password again and again).
I cannot remove the password protection.
I have see this other topic Amazon Cloudfront and .htaccess with the same request.
When I add this code to mine, the password protection is not displayed.
My .htaccess file:
SetEnvIf User-Agent ^Amazon Cloudfront$ cdn
ErrorDocument 401 default
AuthName "ACCESS"
AuthUserFile /var/www/html/folder/.htpasswd
AuthType Basic
AuthGroupFile None
<RequireAny>
Require valid-user
Require env cdn
</RequireAny>
<Files "healthcheckfile.html">
Allow from all
Satisfy any
</Files>
To summarize I need to have a password protection on the website with .htaccess but I also need cloudfront to go through without disable the whole protection.
Do you have any ideas?
PS: I have done new tests (it works on localhost with MAMP), I have also deleted the behaviours of my CloudFront and test the solution of Amit but nothing change, the prompt doesn't show up.
Ok I've found a solution.
Go to your Cloudfront behaviors and add the next ones where the webauth hit:
Accept-Language
Accept-Encoding
Authorization
Solution thanks to https://medium.com/#omkar.sonawane/amazon-cloudfront-http-request-headers-authorization-header-22393c624da9
I want to grant public access to a hosted Website (nginx) and exclude a specific IP-Address range (123.456) from accessing it.
To say it simple: Every access from the IP-Range 123.456 should be restricted by promting for Username/Password. Thats what I want to have.
Here my .htaccess.
AuthType Basic
AuthName "Go away!"
AuthUserFile /home/www/path-to-my/.htpasswd
Require valid-user
Order Allow,Deny
Allow from all
Deny from 123.456
Satisfy any
What I get when I am using it:
Public access successful
Access from the excluded IP-Range = Timeout
As fas as I know .htaccess files are only for apache web server and not nginx.
Yo'll need to convert the rules with a converter or do it yourself.
In your case:
# nginx configuration
auth_basic "Go away!";
auth_basic_user_file /home/www/path-to-my/.htpasswd;
deny 123.456;
satisfy any;
The configuration directives are quite similar, but they are different.
I am realy wonder why in .htaccess has those code bellow, can tell me what is this code?
<Files 403.shtml>
order allow, deny
allow from all
</Files>
deny from 212.92.53.18
It is not definitely malware.
At least, not in the sense it's intended for malicious reasons...
In the case you are using cpanel and you have used its IP Deny Manager to block access to 212.92.53.18 then this will automatically be written to your .htaccess file with the intended purpose of blocking that IP (and any others you may wish to enter):
<Files 403.shtml>
order allow, deny
allow from all
</Files>
deny from 212.92.53.18
Do you use cpanel and if so, do you remember doing that?
Allowing the 403 to All simply prevents a loop. If you block an IP using the 'deny from' method, then serving of the 403 to that IP would also get blocked, creating a loop. Allowing the specific 403 file to ALL, will override the block -- of serving the 403 to that specific IP -- that otherwise would have occurred. That prevents a loop.
<Files 403.shtml>
order allow, deny
allow from all
</Files>
I used it myself on an old domain. It simply says "allow anyone to access the file named 403.shtml"; which is the forbidden access error. Of course, you would use this usually if you created a custom 403.shtml page.
The denied IP in this case would not see the custom 403.shtml and instead would get a White-screen-of-death.
So this is not, in any way shape or form, malware related.
UPDATE: This answer was based on speculation using the facts provided when it was originally posted. The overall consensus seems to be this modification of the .htaccess file is most likely the result of using server management software such as CPanel so it’s not—on its own—an indication of malware infection.
The contents of that .htaccess are a bit odd.
<Files 403.shtml>
order allow, deny
allow from all
</Files>
deny from 212.92.53.18
The <Files 403.shtml> part refers to the 403.shtml file and it seems to be allowing a custom 403: Forbidden response (assumption based on file naming) .shtml file to be sent. The order allow, deny and related allow from all explain it to me. It seems like the site is blocking all traffic in some way but wants that 403.shtml to come through?
But the deny from 212.92.53.18 is quite specific & odd as a result. That is basically blocking any/all access from 212.92.53.18.
Now typing that out it seems like the .htaccess is set to explicitly deny access from address 212.92.53.18 which would send a 403 response code, and the <Files 403.shtml> allows the actual 403: Forbidden htaccess page to be sent?
But still, it seems odd for a directive to block traffic from one single IP address would be in an .htaccess file like that.
EDIT: Did a Google search for <Files 403.shtml>—because if you know Apache configs, that is a highly odd directive—and it seems like this might be part of some malware? Look at this page as well as this page and this other page.
Seems like this is part of a definite XSS backdoor? Perhaps the .htaccess is in a malware directory, and the deny from 212.92.53.18 is denying the infected server from accessing itself?
ANOTHER EDIT: Okay, putting on my thinking cap—as well as personal experience with web malware—and looking at the specificity of the deny from 212.92.53.18 I think I know what the deal is. This is part of a malware infection. But I bet that 212.92.53.18 is a node on a bonnet because you can curl -I it & visit it in a browser & it seems to be an active server. Most client IP addresses just won’t do that; who has a web server exposed on a basic ISP connection, right? Unless the machine is infected. So the 403.shtml is not actually a real 403: Forbidden page but actually part of the malware. Meaning, a connection being made FROM 212.92.53.18 would trigger 403.shtml—which is a server side include HTML file—that could be used for unauthorized access. I mean, when has anyone in 2014 last seen active .shtml files on legit servers, right? It’s all PHP, Python, Java or Ruby nowadays.
This?
<Files 403.shtml>
order allow,deny
allow from all
</Files>
deny from xx.xx.xx.xx
Hacker? Backdoor? Malware? Ukraninian DOS attack?
Of course it IS NOT. It's nothing of the sort.
It is automatically generated by cPanel, when the "IP Blocker" is used.
cPanel writes it to your .htaccess file
The 'deny from' is simply the IP specified when using the cPanel IP Blocker tool. cPanel is clever enough to know a little more is needed than just a simple 'deny' IP4 entry.
Probably it's terrorific hack and malware. Ukraine/Russian/Indonesian hackers. On july 2016 they have attacked a lot of sites with Prestashop with a vulnerability on image file uploads. They upload that 403.shtml to the root and then they destroy the server and files. I have checked that my web is on their web page that inform hacked websites. They block some nights your access to the web with a DDOS attack to get the pass of mysql and ftp. In prestashop you have to upload urgent to 1.6.1.16 or upload some protection files. Unfortunately, I have do that, but they don't stop and try again blocking my webshop.
The only another option is that you put block ip on cpanel, but the trick is what Giacomo1968 says in their answer. Congratulations.
I'm working in a password protected directory. "Quicktime" + "Safari" + "AuthType Basic" are doing there best to challenge me (and winning). I've managed to implement a solution via htaccess but I would like to improve the security.
I now have a secure folder with basically public .mov files inside.
I've implemented:
AuthUserFile /var/www/ht/.htpasswdblabla
AuthName Protected
AuthType Basic
require valid-user
Options +FollowSymlinks
RewriteEngine on
<FilesMatch mov>
Satisfy any
order allow,deny
allow from all
</FilesMatch>
What I would like to do is only "satisfy any..." based on a relative request and "require valid-user" for any fully qualified/absolute request. This would allow the pages quictime/video object to access the files freely, but anyone linking to the file would need a password.
../movie.mov (would satisfy...)
movie.mov (would satisfy...)
http://basedomain.com/protected_folder/movie.mov (require valid-user)
Any help or a point in the right direction would be greatly appreciated.
Help me Obi Wan Kenobi, you're my only hope.
If I understand your question correctly, this is not possible. It is possible to write relative links into your code, but the browser is always making an absolute request so it is not possible for Apache to differentiate a relative link from any other.
You might look into allow/deny based on the request referrer. I am not sure how reliable that is, and it could be easily spoofed...but it might prevent casual attempts.
Problem is similar to trying to prevent others from deep-linking your images. There are different strategies, but often more trouble than they are worth.
I'd like to allow my friend to upload some photos for me over FTP to my server (shared host). It's a trusted friend but I'd still like to block the execution of any php or similar scripts etc.
How can I use .htaccess (in a directory above the one I allow FTP to acces) to block everything except a list of approved extensions (images) and disallow htaccess (to prevent any further modifications)?
Does such method still have security risks?
Thanks!
You should be able to use
<FilesMatch ".+">
Order Deny,Allow
Deny From All
Allow From localhost # OR WHATEVER HERE
</FilesMatch>
<FilesMatch "\.(jpg|gif|stuff)$">
Order Deny,Allow
Allow From All
</FilesMatch>
EDIT
For preventing further modifications to htaccess, you need to set filesystem permissions accordingly (aka OS dependent), since you are most likely to give your friend full FTP access (including delete/overwrite/append).