I have an Apache2 site set up on a RPI3 with basic authentication. It worked great since I am really the only user. I am now using IFTTT to automate a few items via webhooks to use a GET request to a couple .php files I have in the www/html folder. This works just fine, but where I have the issue is having to set the webhook with my username: password since I have an authenticated site. I have been using a dynamic dns server for this access my site via username:password#mysite:80/file.php. Is there a way to create a separate folder with a username and password that can only access that folder and not the entire www/html directory? I don't like the fact that my main login is sent by IFTTT. If possible I would like it to be NEWUSER:PASSWORD#mysite:80/limited/file.php.
I have tried creating a this folder and adding its access to the apache2.conf, 000sites-enabled. I have also tried adding its own .htaccess and .htpasswd file in the "limited" folder with a different user.
Is this possible to do?
Thanks
I ended up getting it to work by removing the entries for the sub directory "limited" folder from the Apache2.config and 000sites-enabled. I also just kept the 2 files for .htpasswd and .htaccess in the "limited" folder.
.htpasswd :
User:$sjjnuinusencryptedpasswordijkmi22993
.htaccess :
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /var/www/html/limited/.htpasswd
Hope this helps someone.
Related
I'm absolutely unknowledgeable of Apache .htaccess language and to be frank, I presently don't have time to look into it.
I have divided my website to following directories:
/My-Website
/admin
/public
To me, it seems like a good practice to separate the administration portal from the public website with distinctive folders. Admin is where the administration updates the contents and public is, well, public.
However, this way, I face two key problems:
I have somehow configured .htaccess to redirect all URLs to /public directory. But I want an exception to the /admin directory. Meaning that when the user enters mywebsite.com, it should redirect to /public automatically but not when the user enters mywebsite.com/admin. I'm not sure if .htaccess would have the solution or PHP, but am welcomed to both.
In my admin directory, I have JS files and other xml lying around in the admin directory. Did a test, found out that the users can access all the files in the admin directory by explicitly going to for example: mywebsite.com/admin/may_be_sensitive.xml without authorization. How can I tackle this?
I'm quite open to suggestions even if it means that I need to re-organize my entire website in a different structure.
You don't need any redirection.
/public should be the root, so the public portion of your website would be visible at https://example.com
/admin should be a subdirectory off public (your webroot) like https://example.com/admin, and should be secured with an appropriate authentication process like basic auth, a one-time token or some other form of secure auth.
It's possible to secure the admin folder with a .htaccess file but it's more secure to do in the server configuration file if you have access to it.
From: http://httpd.apache.org/docs/current/howto/auth.html
<Directory "/usr/local/apache/htdocs/secret">
AuthType Basic
AuthName "Restricted Files"
AuthUserFile "/usr/local/apache/passwd/passwords"
</Directory>
The password file is created with the htpasswd utility.
I am trying to password protect my PrestaShop site and I created the .htaccess and .htpasswd files when I upload them to the root directory and the /dev folder respectively everything seems to work, until I enter the username and password, at which point the page reloads and displays the website with NO CSS or images. Please someone HELP!
I am unable to keep the files up as it is conflicting with the client QA-ing, but I need to protect the site quickly to hide it from some disgruntled workers.
I greatly appreciate all replies!!! Please just ask if more info is required
You should only need to upload .htaccess and .htpasswd to the root dir. I'm not sure why you're adding it to your /dev directory as well.
Your .htaccess should look something like this:
AuthUserFile /webhost/path/root/.htpasswd
AuthType Basic
AuthName "My Files"
Require valid-user
More info: http://weavervsworld.com/docs/other/passprotect.html
I have a need to password protect an entire website. I am developing on a live URL (don't ask me why -_- clients...) and I want to be able to develop the site but access it using a username and password so the general public won't be able to see the site being modified.
I've tried to use a .htaccess and .htpasswd file in the same directory.
Here are the contents of it
AuthUserFile /htdocs/.htpasswd
AuthGroupFile /dev/null
AuthName "Development space"
AuthType Basic
Require development
and the .htpasswd file contains the user development:encryptedpassword
It doesn't appear to be working at all. The password box is generated but just carries on coming back up once I enter the credentials (I have confirmed they are correct).
Can anyone tell me where I'm going wrong?
Please note both the htpasswrd and htaccess files are currently within the htdocs directory
htdocs file permissions are drwxr-xr-x
Your Require line is wrong. It should be:
Require user development
^^^^--missing
Require can require many different things (env vars, http methods, groups, blah blah blah), so you have to say WHAT kind of thing you're requiring. You might be better off with just
Require valid-user
unless you're going to have multiple accounts in your .htpasswd and want to allow only certain ones.
how i can protect folder which includes uploaded files?
i have folder include all files which uploaded by me, i want if user try to change url or pass to show all files, browser redirect him to another page like this example
www.tet.php/folder/text.doc
if user try to write (www.tet.php/folder) to show all files redirect him automatically to www.tet.php
or any one please tell me tricky way to disappear /folder/
I don't know php but one solution I am thinking about and don't know if php can handle or not:
You can put your “UsersUploads” folder outside the website directory, so if your website exist on “c:\website\example.com” you can put the “UsersUploads” there “c:\UsersUploads”, Like that Your web server has no control over this folder and its files, And your website code will still have access to this directory as a normal physical path.
If you use Apache, you have 2 solutions:
Move your uploaded_files folder out
of your DocumentRoot (the root of the
folders that are accessible from the
web).
Use an .htaccess file in that folder
to block access to this folder.
A little example of an .htaccess using an authentication to access to the folder:
AuthName "Page d'administration protégée"
AuthType Basic
AuthUserFile "/var/www/uploadedfiles/.htpasswd"
Require valid-user
If you use IIS then you have just to deny access to that folder for everyone through your IIS Administration console. You also can deny any access except for certain IP adresses or adressranges.
Just to expand on #Clement's answer to include the part about redirecting to a page on failure:
AuthName "Page d'administration protégée"
AuthType Basic
AuthUserFile "/var/www/uploadedfiles/.htpasswd"
Require valid-user
ErrorDocument 403 www.urlToRedirectTo.com
Also, .htpasswd should be placed outside of the web root, and should simply contain username:pasword. The password should be hashed. You can easily find utilities online to create these files for you.
i want to deny access (from all non-logged in users) to all the files in a directory from the browser.
Only a logged in user can access his files in that folder. The file paths are stored in the database with the logged in user id, so that when the user logs in, he can view or download only his files.
So i dont want others (without logging in) to access the folder and files from the browser, and secondly, i want the users to be able to view only their files in the folder.
I think, Second thing i can do with some condition checks in php, but for the first one, can anyone tell me the htaccess rule to achieve ?
Thank you
dont show them the actual folder path where their files are stored.
Use a php file to fetch the downloadable content.
eg :- download.php?file=mydocument.doc
Cons :
Might be slow
No Download Resume support (I guess)
For the part of .htaccess user access you can take a look here at the .htaccess Password Generator
You can disable default directory browsing using .htaccess.
Open your .htacces file
Look for Options Indexes
If Options Indexes exists modify it
to Options -Indexes or else add
Options -Indexes as a new line
The directory browsing feature should be disable by now
There's article, which describes access control feature of Apache web server thoroughly: http://httpd.apache.org/docs/2.0/howto/auth.html
The easiest variant looks in the following way:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
BTW, this part:
Only a logged in user can access his
files in that folder. The file paths
are stored in the database with the
logged in user id, so that when the
user logs in, he can view or download
only his files.
will require either creation of separate password files for each folder, or some additional scripting.
There are some known issues with this approach:
Basic authentication scheme sends passwords as a clear text, which is not good if your site is accessible by HTTP (not HTTPS). There's also Digest authentication type, but there were some problems with browser support
Logout operation will require browser closing
Generally, I'd recommend:
Apache built-in capabilities - for simple access control without detailed users privileges/rights configuration
Custom access control by means of some web programming tools - for authentication scheme with supposed priveleges/rights configuration. There are many web development frameworks, which provide access control feature.
thanks for your replies, between i found a code snippet that is working just fine.
I inserted the following lines in my .htaccess file:
Order deny, allow
deny from all