I have an Apache site where all URLs that points to a file without an extension reads as a .php file. I put those entries in the .htaccess file, and allowed it inside the httpd.conf file.
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule !\. - [H=application/x-httpd-php]
It works great.
Now I add authentification to the website.
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
It only works if I comment out my RewriteEngine code.
One will work without the other, but not together. I've read a bit about the REMOTE_USER variable, but failed at some attempts.
Any recommendations to solve this?
Thanks
Related
I have one page on my root folder called export.php. Now I don't want to give access to this page to all the users.
What I am trying to achieve, If any user tries to access export.php page then one alert will display and it will ask for the username and password. Once login details are correct then the page will be accessible. I tried some code on htaccess.
Now I have two issues,
1) I am getting alert on all the pages. How do I set only for the export.php page?
2) After entering the username and password I am getting a server error.
htaccess
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]
AuthType Basic
AuthName "Access to the Hidden Files"
AuthUserFile 'http://localhost:8080/example/.htpassword'
Require valid-user
Solution.
First I found the path using
<?php echo $_SERVER['DOCUMENT_ROOT']; ?>
Output: /opt/lampp/htdocs/example/
then I added path in htaccess file
SetEnvIfNoCase Request_URI /export SECURED
AuthName "Access to the Hidden Files"
AuthType Basic
AuthUserFile "/opt/lampp/htdocs/example/.htpasswd"
AuthGroupFile /
Require valid-user
Satisfy any
Order Allow,Deny
Allow from all
Deny from env=SECURED
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]
Rewrite all to router.php and then rewrite from php (small mvc for example https://github.com/breakermind/Tronix).
Better solution, check if the user has permissions in php file:
<?php
// User field from users table (add to session when logging)
if($_SESSION['user']['allow_export'] == 9 && isIpAddressAllowedFunc($_SERVER['REMOTE_ADDR'])){
// show content
}else{
// Redirect or log out user
header('Location: index.php');
exit;
}
?>
I have a page in Wordpress theme_directory/page-rsvp.php that i need password protected by .htaccess. I'm developing this locally using MAMP PRO.
I have an .htaccess and .htpasswd file in the theme_directory. I have the following in the .htaccess file but it's not working. Whenever I go to localhost:8888/site/rsvp the authentication prompt doesn't show up.
<Files “page-rsvp.php”>
AuthName "Username and password required"
AuthUserFile ./.htpasswd
Require valid-user
AuthType Basic
</Files>
There is of course the .htaccess file in the root of the wordpress install that looks like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /thepowerfulnow/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /thepowerfulnow/index.php [L]
</IfModule>
# END WordPress
How do I get this to work using only the first .htaccess file (the one in the theme_directory)? I need to have this theme be modular. I'm very new to .htaccess files. Thank you all!
You've added the authentication to your theme directory, so it'll work only if you access your theme file directly, using a URL like this:
http://localhost:8888/site/wp-content/themes/theme_directory/page-rsvp.php
If you want to restrict the access to your page URL (e.g. /site/rsvp), you need to use a different rule. You can add the following lines to the end of your main .htaccess file, that in the WordPress root dir.
# Set an env variable "auth" if the URI starts with "/site/rsvp"
SetEnvIf Request_URI ^/site/rsvp auth=1
AuthName "User and password required"
AuthType Basic
AuthUserFile "./.htpasswd"
# First, allow anyone
Order Allow,Deny
Satisfy any
Allow from all
Require valid-user
# Then, deny only if auth is required
Deny from env=auth
Remember to keep a copy of .htpasswd file into the same directory or set the path to that file using the AuthUserFile directive.
Alternative solution
My original answer used a <Location> directive to filter the URL to restrict, but it do not work in .htaccess files. Only under server config or a virtual host. Check the Context here: http://httpd.apache.org/docs/2.2/mod/core.html#location
If you want to use the restriction rule as below, and you have access in the server to do so, you need to add it to some of those contexts (server config or virtual host). Apache's config files are usually in the /etc/httpd or /etc/apache2 directories.
<Location "/site/rsvp"> # Where /site/rsvp is the URL you want to restrict
AuthName "Username and password required"
AuthUserFile /path/to/.htpasswd
Require valid-user
AuthType Basic
</Location>
I met some trouble with my website (www.barbarian-strongman28.fr).
I set some url rewriting using this .htaccess which is in the main public folder of my server (called www)
.htaccess:
Options +FollowSymlinks
RewriteEngine On
ErrorDocument 404 /index.php?p=404
# Pages with the PHP p= parameter
RewriteRule ^([^/]*)/([^/]*)\.html$ /index.php?p=$1&id=$2 [L]
RewriteRule ^([^/]*)\.html$ /index.php?p=$1 [L]
I have a folder called admin that I want to protect.
So I set this .htaccess
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /htdocs/admin/.htpasswd
AuthGroupFile /dev/null
require valid-user
I've uploaded this file in the folder that I want to protect
The trouble I have is that the website also require an authentification even if I am not in the directory protected.
Any kind of help will be much appreciated.
I'm guessing your .htaccess file is in the main directory of your server. That's your problem:
"Also note that if you place this htaccess file in your root directory, it will password protect your entire site, which probably isn't your exact goal."
(from http://www.javascriptkit.com/howto/htaccess3.shtml)
So the solution is simple: put the .htaccess file in the directory you want to protect. You should also make sure of a few things (though they seem ok in your script):
That the paths to all the files are server paths not URLs (you've done this);
That the .htpasswd file is in a secure location
That the .htpasswd file is in the format username:password, with the password encoded - here's a tool for creating .htpasswd files if you need it.
Hope this helps.
Let's consider the folder www.mydomain.com/exemple protected with the following .htaccess:
.htaccess
AuthUserFile /root/FTPname/www/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Access"
AuthType Basic
require valid-user
I want to allow the access to the exemple folder only if a user has a specific cookie, or I raise an error (with the following [F] flag). Then I implemented the following code:
.htaccess
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !CookieName=CookieValue
RewriteRule .* - [F,L]
AuthUserFile /root/FTPname/www/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Access"
AuthType Basic
require valid-user
The problem is that when i load the exemple folder without the cookie, it goes through the authentification process first...I would like to do raise the error first. Anyone knows?
Try "Satisfy any" with a new environment variable. Two techniques are shown here:
.htaccess basic auth by virtual host? One uses SetEnvIf, the other uses a RewriteRule to set the variable. Since SetEnvIf cannot detect cookies, you will need RewriteRule. But I found on my shared hosting platform that RewriteRule could not play with "Satisfy any." If it works for you, it will look something like:
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !CookieName=CookieValue
RewriteRule .* - [L,E=DENY:1]
AuthUserFile /root/FTPname/www/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Access"
AuthType Basic
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=!DENY
See also: htaccess exclude one url from Basic Auth
Watch out that the page you are protecting does not include images, stylesheets, etc., that trigger an authentication request when the page itself does not.
how properly can I hide .php extensions form my url : example:
www.example.com/index.php
to
www.example.com/index
My .htaccess file content is:
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.php
And it is not working although phpinfo() shows that mod_rewrite is in "Loaded Modules" section. What's wrong here?
When I tried to set Authentication:
AuthUserFile /usr/home/vesa/.htpasswd
AuthGroupFile /dev/null
AuthName Somewhere Neat
AuthType Basic
<Limit GET POST>
require user vesa
</Limit>
enter code here
It asked for username and password. Therefore I assume that .htaccess files are processed by server. Right?
When I try to add
Options +FollowSymlinks
I get 500 Internal Server Error
When I add RewriteRule (.*)\.asp $1.php it successfully changes any .asp extension to .php
When I use RewriteRule it just redirects my browser to another file. So in case if I will try to hide extension it should redirect me to file with no extension - in which case I will get error because there is no such file exists. What is the simplest way to make mod_rewrite "hide" (write url filenames without extension .php) while linking to .php files?
Is your PHP file sending a redirect to force the user to index.php? Use something like firebug to see what's going on in the headers.
Probably, there is some configuration set that allows (for .htaccess file) to redirect to any file, it is basically rewrite URL, but in the same time it is not allowing Options +FollowSymlinks. I'm not familiar with php config file, but i am sure system administrators knows what is going on.