Hi
Is there a way to protect a folder and its contents using .htaccess file but only from external access?
Meaning: files inside the server can access the folder but if some one tries to access it directly it prompts for an user and password.
I'm using AuthType Basic already. But when an external file tries to access the image inside the protected folder, there emerges the problem.
To clarify (at least try to), what I have is one folder with many, many images and I don't want them to be accessed but I want my php scripts to have access outside the folder. Like
/index.php
/images/ -> same level of index.php
/admin/photos/ -> index.php can access the files inside this folder without restriction. something like the files has its own user and password.
There's a couple of things you can do but I think you might want to clarify your question. I think what you're asking is how you protect certain files from web access but still allow your scripts (like a PHP script) to be able to access the data.
If that's the case then you simply need to put your data files outside of the DocumentRoot. Apache will only load files that it is allowed to access but PHP, or other scripting languages can access any file anywhere (as long as the user the process executes as has the appropriate permissions)
If you really want user/password access to certain files from the web:
AuthType Basic
AuthName "My super secret folder"
AuthUserFile "/path/to/some/user_file"
require valid-user
That will restrict outside access but will not restrict any access from scripts or people/programs on the server itself.
Related
A friend wants me to implement basic file security on his site that he can look after himself.
I think the simplest option is to put a .htaccess file into the folder he wants to protect and that will redirect all requests to a php file in the root.
The php file will then check if the user is logged in and serve the file or request a fixed shared login password.
It's going ok so far except for two problems.
Firstly I can't get the htaccess file work based on the directory it is located in - I can only manage it by hard coding the directory into the htaccess file.
Secondly, I can get the php file to know the url of the file that was requested.
Any help and pointers would be great!
It sounds like what you are wanting to do can be done a little more easily with an .htpasswd setup.
You will just place this in an .htaccess of the directory you are trying to protect and all of the sub-directories will be protected as well.
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
And then create an .htpasswd file and use a tool like this to generate the credentials.
Alternatively, the way you are suggesting to do it will require the use of either cookies or sessions and here is another question that should help a bit more with setting that up.
Hi.I'm new at web, and I want to create a site. I've ordered a domain name and hosting, so now I have access to storage on hosting. What have I to do to protect any folder using htpasswd?
All that I have in http folder is index.html and folder examle, that contains .htaccess and .htpasswd and example2 folder, that should be protected.
When I try to access example2 folder from browser, I get popup window, that asking me for a login and password, and when I enter it I have a 500 internal sever error
Ok, so I have the answer. It's strange that the commentators didn't undertood the error, because as I understood the 500 error has only one meaning - server can't find a file. So, communyty members again talks about everytihng they can intstead that they was asked about-_-(yes, yes, there are a lot of grammar mistakes, but you understood(I hope)).
So here are a few steps for newers, like me, that can help to protect data of your site via `.htpasswd`
Getting the correct file path
Create file in folder you need to be protected, with .php extesion, and name it, how you like. Put this code there, and save it.
<?php
echo 'Полный путь к каталогу: ';
echo $_SERVER['DOCUMENT_ROOT'];
echo '/';
?>
Visit this page via browser, there will be wrote the full path to php document you've created.
Creating .htaccess and .htpasswd files
Go to folder you need to be protected by password and create two files - .htaccess and .htpasswd. You should notice, that these files shouldn't have any extensions, and they must be named exactly with . character in the begining.
Writing to .htaccess
Put there this one
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "My restricted Area"
Require valid-user
Instead of /path/to/ put the path you've got earlier. That's all
Writing to .htpasswd
Go to https://www.web2generators.com/apache-tools/htpasswd-generator and fill there login and password, and it will return you encrypted login:pass combination. Open .htpasswd file and just put it there.
That's all, it should work
is there a way to deny outside access to my upload directory ?! I don't want users to access my upload directory : www.example.com/uploads
i used .htaccess in the root of my upload folder however all the links were broken
in my .htaccess :
deny from all
any solution ?
If you wish to disable directory listing, simply place 'Options -Indexes' in your htaccess.
You've applied a 'deny from all', which essentially stops ANYONE from accessing files in the directory to which it applies.
Also make sure that 'AllowOverride All' is specified in the vhost definition, otherwise you are unable to override settings via the htaccess file. That is my understanding anyway.
If you wish to disable access to the upload directory, and control which files in specific users can access, I'd recommend going through a script written in a language such as PHP. A user requests a file from the script, the script looks to see if they're allowed to view the file. IF they are, they file is displayed. IF they aren't then it is not.
References
http://www.thesitewizard.com/apache/prevent-directory-listing-htaccess.shtml
http://mathiasbynens.be/notes/apache-allowoverride-all
Is there a way to restrict the external users to access my server files..
example is when i access this dir http://puptaguig.net/evaluation/js/ it shows the 404 page(though it's not obvious) but when i tried to view control.js here http://puptaguig.net/evaluation/js/controls.js it opened up..
IndexIgnore *
<Files .htaccess>
order allow,deny
deny from all
</Files>
i just want to make these files inside my server directory to secured from outside viewing for some reasons..but how?
Best Regards..
siegheil/js? Should be siegheil/ns for sure?
You could chmod 000 and then no one would see them or access them. You can't have people accessing and not seeing them at the same time. Can't be done.
You can add below lines to your httpd.conf or. htaccess this will avoid access of your JavaScripts
<Files ~ "\.js$">
Order allow,deny
Deny from all
Satisfy All
</Files>
The only way I can think to manage this is deny access to your js files by throwing a .htaccess in the siegheil/js/ folder that says something along the lines of:
deny from all
or just simply put your code in a folder above the root document level of the site itself.
After that, you then use something like minify to retrieve the js files from the backend (PHP / some other server language side) and have the minified / obfuscated code placed in another folder or just outputted directly from the script.
With all that said, in the end, the js code must be downloaded one way or another to be run by the browser. This will make it impossible to prevent people from looking at your code and figuring out what it does if they really want to.
You were able to access http://puptaguig.net/evaluation/js/controls.js but not http://puptaguig.net/evaluation/js/ because most Apache installs prevent an anonymous user from viewing the directory contents, and only permit access to specific files in the directory.
There is no way "hide" client-side JS because without access to those files your users will not be able to run your script. As suggested by #General Redneck, you can obfuscate and minify your js using a tools like minify or uglifyJS, but those can, potentially, been un-minified (minification is still a good idea for performance reasons). Ultimately you are fighting against the "open" nature of the web. I'd suggest putting a license on your code, and keeping an open mind : )
If you really need something to be secure, try accomplishing the essential functionality (which you want to keep private) with a backend language like php or asp.net and feeding the relevant data to you JS script.
You should create an .htaccess file in the relevant directory that has
-Indexes
in it. This will prevent listing of the directory and will cause a 403 error to be raised. Your application can then handle that however it wants to display whatever you want.
What are the different approaches to securing a directory?
including an index page so contents can't be viewed
the problem with this is that people can still access the files if they know the filename they're after
including an htaccess file to deny all
this seems to be the best approach, but is there any case that an htaccess file can be passed by? are there any cases as well where htaccess is not available?
restricting folder access
this is also a nice solution, but the problem is, the folder I'm trying to secure should be viewable and writable by the program.
Are there any other ways that folder security can be done?
Best practice for Apache is to use htaccess to restrict - this only restricts from the webserver - but that should be what you need. You can add authentication into this - but for most needs to you can just deny all acess - which hides the directory completely.
Another method that can also work well with using htaccess to deny direct access would be to use htaccess in your route directory to rewrite urls. This means that a request such as /example/listItems/username/ted can be rewritten as a call to a php or other file such as:
/application/index.php?module=listItems&username=ted
The advantage of doing this is that the webserver does not give out paths to any directories so it is much more difficult for people to hack around looking for directories.
If you want to protect a directory of images you could also use htaccess to redirect to a different directory so that /images/image5.png is actually a call to :
/application/images/image5.png
You could also try not placing your protected directory under your www dir but on other "non www visible" location. If your app needs to read / write data, tell it to do it on the other location. Modify its properties so only the app has the proper rights to do so.