I have a domain, mattpotts.com and have set up a sub-domain dev.mattpotts.com for me to develop on and will then copy the files to the normal domain when they're ready to go.
My directory structure is as follows and dev.mattpotts.com points to dev/
+-public_html/
+-project1/
+-project2/
+-project3/
+-dev/
+-project1
+-project2
+-project3
I basically want to be able to go from http://mattpotts.com/project1 to https://dev.mattpotts.com/project1 by adding dev..
I have the following .htaccess in dev/ and it works, all this needs to do is force https.
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} dev
RewriteRule ^(.*)$ https://dev.mattpotts.com$1 [R,L]
I want to force https so that I can securely use http auth on the directory. However, when I combine it with the following rules, it doesn't work. I have my .htpasswd set up but I've not even had the login form show up yet.
AuthType Basic
AuthName "Dev Protected Area"
AuthUserFile .htpasswd
Require valid-user
How can I successfully combine the to set of .htaccess rules?
Edit, very strange things are happening!
https://dev.mattpotts.com/project1/ displays 'hello!' from non dev version of site (note https)
http://dev.mattpotts.com/project1/ displays 'hello dev!' (as desired) from dev version. What's going on here?!
You've told us where your .htaccess file is, but you haven't told us where your .htpasswd file is. According to the Apache documentation on AuthUserFile:
Syntax: AuthUserFile file-path
File-path is the path to the user
file. If it is not absolute (i.e., if
it doesn't begin with a slash), it is
treated as relative to the ServerRoot.
So in other words, it is looking for the .htpasswd in somewhere like /etc/apache2/.htpasswd. So either move your .htpasswd file there, or make your directive contain an absolute path to the file, e.g.:
AuthType Basic
AuthName "Dev Protected Area"
AuthUserFile /home/mattpots.com/public_html/dev/.htpasswd
Require valid-user
However, for security reasons, I highly recommend keeping your .htpasswd file outside of your document root.
These issues should be independent of each other: do I understand correctly that the "force HTTPS" part works?
That said, AuthUserFile .htpasswd may be looking for .htpasswd in the wrong place. The easiest fix is to put the full path and name there, e.g. AuthUserFile /home/matt/www/public_html/dev/.htpasswd (or wherever you have the dev directory).
Related
I have set up an FTP connection via ShareX to upload my screenshots to my own ftp.
So my screenshots are accessible at the url 'screenshots.mydomain.fr/myscreenshothash.png'.
And that's cool!
But according to the url 'screenshots.mydomain.fr' you can see the list of all my screenshots (the page Index of). And I'd like to block this page via an htpasswd without blocking access to the files ('screenshots.mydomain.fr/myscreenshothash.png')
What can I do?
My current .htaccess
AuthUserFile /home/XXL /.htpasswd
AuthGroupFile /dev/null
AuthName "Accès Restreint"
AuthType Basic
require valid-user
For the moment I have added a
Options -Indexes
in my htaccess to prevent access to the index of page and I made a listing of my files in a index.php files placed in a subfolder (in which I put the htaccess with htpasswd)
I have the following in my .htaccess file:
AuthType Basic
AuthName "Secured"
AuthUserFile ../private/passwd
Require valid-user
Order allow,deny
Allow from env=unauthenticated
Satisfy any
The problem from the error.log is that Apache is saying "Could not open password file: /etc/apache2/passwd" - which is obviously my Apache root.
How would I specify a relative reference to the .htaccess file for a path instead?
And probably very important, can this be done in the .htaccess file only?
If so, answering question #2 would make the solution much more portable.
Doc: AuthUserFile
The AuthUserFile directive sets the name of a textual file containing the list of users and passwords for user authentication. File-path is the path to the user file. If it is not absolute, it is treated as relative to the ServerRoot.
So I assume that your server root is in /etc/apache2/ so your relative URL: ./passwd will be relative to the root, and not where your htaccess file is at. Thus, it's not possible to make it portable and relative to where you place the htaccess.
Additionally, the documentation also says:
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
So it's a bad idea to keep your password file in the same place that you serve your content.
I would like to use a .htaccess file to protect my symfony2 website while developing it.
I added the following line at the beginning of my .htaccess located in /web and a .htpasswd file just next with my password.
AuthName "DĂ©veloppement"
AuthType Basic
AuthUserFile ".htpasswd"
Require valid-user
I have a Error 500 when I try to access my website. Is it possible to use a htaccess in my case ? What should I use if it is not posible ?
Assuming the 500 error is caused by these directives, the most likely reason is the path to .htpasswd. AuthUserFile says
The AuthUserFile directive sets the name of a textual file containing the list of users and passwords for user authentication. File-path is the path to the user file. If it is not absolute, it is treated as relative to the ServerRoot.
So either use an absolute path (e.g. /var/www/.htpasswd) or add the complete path starting from your document root (e.g. web/.htpasswd).
Also note the last section in AuthUserFile
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
This means, store the auth file somewhere else, like /etc/apache2/htpasswd.
In my CakePHP app, I have a directory of files which I want to allow direct access to with a username/password. For reasons that are overly complicated, placing the directory inside the /webroot folder is not an option. My folder is located here:
/app/parent_folder/folder_full_of_files
So I want to be able to access files directly like this:
http://mysite.com/app/parent_folder/folder_full_of_files/some_file.pdf
I think I need to modify the .htaccess file in the root, and also add another .htaccess file and .htpasswd file in the folder_full_of_files
I have already found this post which asks a similar question... but I can't translate it to my application.
How do I need to modify the root .htaccess file?
What should be in the new .htaccess file. Here's what I've tried, but just results in 500 error...
AuthType Basic
AuthName "restricted area"
AuthUserFile /bla/bla/mysite/app/parent_folder/folder_full_of_files/.htpasswd
require valid-user
What is the correct way to encrypt the password in the .htaccess file?
I got this to work. I had to do a couple things...
I added this to the .htaccess file in root:
RewriteCond %{REQUEST_URI} !^/app/parent_folder/folder_full_of_files
As #Jon pointed out, my original version above had a mistake ([L]).
I also have an .htaccess file in my /app directory. This might be a quirk about my installation because it is not 100% standard. I can't remember if it's there by default, so I'm mentioning it just in case. IF you don't have one in /app skip this step.
I added this to an .htaccess file in the /folder_full_of_files:
AuthType Basic
AuthName "restricted area"
AuthUserFile /bla/bla/mysite/.htpasswd
require valid-user
Make sure the path after AuthUserFile is a fully-qualified path to the .htpasswd file (see next step).
Create the actual .htpasswd file. It's not supposed to be under the document root, but mine is. I think the most important thing is that it's not inside /webroot. I used this command from the terminal and it created the file:
htpasswd -c /path/where/it/should/go/.htpasswd whatever_username
It asks for a plain text password which gets encrypted and written into the file.
That's it. One annoying "gotcha" is that the path in the .htaccess to the auth file must be absolute, which means it will probably have to be edited when moving between local testing and production (unless the two environments are exactly the same). It would be less clunky if relative paths were allowed.
You don't need to modify the htaccess file in your document root at all
Make sure you have AllowOverride AuthConfig or AllowOverride All configured for your /app/parent_folder/folder_full_of_files/ directory. Make sure that the directory also has a properly generated htpasswd file (named .htpasswd). You need to use the htpasswd program to generate it, or any number of online generators.
I have a main site and a subdomain test site.
On the main site I have a folder previously used for testing...
/httpdocs/test/
Within that I have a htaccess file
AuthUserFile /var/www/vhosts/myurl.com/private/.htpasswd
AuthType Basic
AuthName "Login"
Require valid-user
And an associated .htpasswd in the location specified. This works perfectly.
However, using exactly the same .htaccess for my new subdomain does not work
i.e. putting the .htaccess file at
/subdomains/tests/httpdocs/
or any subdirectory.
Any suggestions why this might be? I get the login screen but it won't accept any correct username/password.
Thanks,
Nick