I have an simple .htaccess and a .passwd file for a password protection of an folder under apache2: /var/www/test
Works fine if i want to connect to example.com/test.
But in the test folder is also a download.exe. If i connect to example.com/test/download.exe i can download the file without being asked for a username and a password.
How can i change that? The .htaccess file:
AuthType Basic
AuthName "protected area"
AuthUserFile /var/www/test/.passwd
Require valid-user
Try a different browser or a different computer to access example.com/test/download.exe before accessing example.com/test. Browsers you are using can have cached the downloaded file or the credentials used.
Related
I'm setting up basic http authentication for my dev site with .htaccess and .htpasswd.
First, I created my .htpasswd user and password (https://shop.alterlinks.com/htpasswd/htpasswd.php MD5).
Then, my htaccess file with some basic configurations.
I placed both my .htaccess and .htpasswd files in my php_site_project folder (I know it's not safe, but I did it for testing first the authentication).
Also in my apache configuration file, I have AllowOverride All
AuthuserFile /home/my_user/public_html/php_site_project/.htpasswd
AuthName "Protected Area"
AuthType Basic
AuthGroupFile /dev/null
Require user admin
After all those configurations, I cleared my cache and tested on Chrome, it keeps asking me for user and password over and over... On Firefox asks just once but doesn't let me enter either.
By the way, I don't have logs on this problem.
Here's my .htaccess file:
AuthType Basic
AuthName "LOG IN"
AuthUserFile .htpasswd
Require valid-user
After logging in, I get a 500 error. If I clear the .htaccess file, it works fine.
Any ideas?
I think you have to write the full path to your .htpasswd (on linux: /path/to/.htpasswd)
From http://weavervsworld.com/docs/other/passprotect.html
Troubleshooting
Make sure that the path specified in AuthUserFile is the correct full
path. This is a major cause of problems. If Apache cannot find the
.htpasswd file, then all attempts will fail.
Make sure the permissions
on the .htaccess and .htpasswd files are set so that Apache can read
them. chmod 0644 .htaccess chmod 0644 .htpasswd
Other issues may be
out of your control. Web administrators can lock down Apache so that
it ignores all .htaccess files it encounters. This can be achieved
with an AllowOverride None directive and option on the
ServerRoot/DocumentRoot directories. If this is the case (.htaccess
not allowed) you will have to kindly ask your web administrator to
allow .htaccess files with authorization directives in your personal
web directory. This can be achieved with AllowOverride AuthConfig
directive and option.
Important : Full path to .htpasswd refers to the real full path if you are using terminal than use
maddy#maddy:/var/www/html/project_name$ pwd
/var/www/html/project_name
File In /var/www/html/project_name/.htaccess
AuthType Basic
AuthName "My restricted Area"
AuthUserFile /var/www/html/project_name/.htpasswd
Require valid-user
File In /var/www/html/project_name/.htpasswd
someuser:$apr1$oi0zg2sf$jTagKK2S7StjC0WSVJLUH0
To generate user: password combination refer
1) http://www.htaccesstools.com/htpasswd-generator/
2) https://www.web2generators.com/apache-tools/htpasswd-generator
Not tested
https://www.gaslampmedia.com/generate-htaccess-password-htpasswd-from-the-command-line/
Since this question scores high in Google, I thought I'd append steven's answer a bit:
Full path to .htpasswd here refers to the real full path, not the path you see via ftp. For example, when I login to my shared hosting account with ftp, it seems my web root lives in /public_html
However that's just because how the ftp server is set up. The actual path to my web root is /home/username/public_html and setting the AuthUserFile keeping that in mind resolved the issue, at least for me.
I found the missing piece of information on the Webmasters site after some more googling.
If you use php and get Error - 500
A good shot is:
create a php file 'info.php' with content:
<?php
phpinfo();
Enter in this url in your browser
In Apache Environment
Look for DOCUMENT_ROOT
Get this content Ex: 'C:/wamp/www/'
And update your .htaccess:
AuthUserFile 'C:/wamp/www/.htpasswd'
Note: The question contains "After logging in" and the answers are not for that case.
I've ran into the same issue:
set up the authentication just as in the question
open the site in a browser
the login window pops up, I authenticate successfully
all subsequent requests result in 500
the access log shows the response was 500 but nothing in the error log
In this case the parent directory of the htpasswd file was not readable to the user running Apache. Apparently the first authentication is served using root credentials and subsequent ones (checking if the auth is still correct?) done by the user running Apache.
I need to password protect a directory with .htaccess, which I have successfully done. But the front end of the website was programmed to link to images within this password protected directory (not by me), but when a webpage tries to access those images it prompts the user to login.
Is it possible to password protect that directory, but allow any access to any image file type like *.jpg and *.gif?
My current .htaccess code is this:
AuthName "Secure Area"
AuthUserFile "/home/siteuser/.htpasswds/public_html/admin/passwd"
AuthType Basic
require valid-user
Thanks for any help!
AuthName "Secure Area"
AuthUserFile "/home/siteuser/.htpasswds/public_html/admin/passwd"
AuthType Basic
require valid-user
<FilesMatch "\.(png|jpe?g|gif)$">
Satisfy Any
Allow from all
</FilesMatch>
Edit to incorporate Shef's improvement
You could check all the different options of configuration .htaccess gives you in the following site:
Stupid htaccess Tricks
Did you try put it inside Filematch?
<FilesMatch "^.*(png|jpe?g|gif)$">
AuthName "Secure Area"
AuthUserFile "/home/siteuser/.htpasswds/public_html/admin/passwd"
AuthType Basic
require valid-user
</FilesMatch>
What you could try is to write an image display proxy:
Keep the directory like you have it now, with password protection.
On the .htaccess on the root of the website where the images are linked, add a Rewrite rule for those image types you want. This rule should redirect the call to a PHP handler script.
That script should evaluate the path that was being requested, load the file from the filesystem, deduct its header and send that to the client using header(), followed by the image file's content echo file_get_contents()should do.
PHP is not affected by the .htaccess so it should be able to read the file you need and proxy it to the end user.
how i can protect folder which includes uploaded files?
i have folder include all files which uploaded by me, i want if user try to change url or pass to show all files, browser redirect him to another page like this example
www.tet.php/folder/text.doc
if user try to write (www.tet.php/folder) to show all files redirect him automatically to www.tet.php
or any one please tell me tricky way to disappear /folder/
I don't know php but one solution I am thinking about and don't know if php can handle or not:
You can put your “UsersUploads” folder outside the website directory, so if your website exist on “c:\website\example.com” you can put the “UsersUploads” there “c:\UsersUploads”, Like that Your web server has no control over this folder and its files, And your website code will still have access to this directory as a normal physical path.
If you use Apache, you have 2 solutions:
Move your uploaded_files folder out
of your DocumentRoot (the root of the
folders that are accessible from the
web).
Use an .htaccess file in that folder
to block access to this folder.
A little example of an .htaccess using an authentication to access to the folder:
AuthName "Page d'administration protégée"
AuthType Basic
AuthUserFile "/var/www/uploadedfiles/.htpasswd"
Require valid-user
If you use IIS then you have just to deny access to that folder for everyone through your IIS Administration console. You also can deny any access except for certain IP adresses or adressranges.
Just to expand on #Clement's answer to include the part about redirecting to a page on failure:
AuthName "Page d'administration protégée"
AuthType Basic
AuthUserFile "/var/www/uploadedfiles/.htpasswd"
Require valid-user
ErrorDocument 403 www.urlToRedirectTo.com
Also, .htpasswd should be placed outside of the web root, and should simply contain username:pasword. The password should be hashed. You can easily find utilities online to create these files for you.
I used .htaccess and .htpasswd to restrict the admin folder which is located at root/admin
for that i used the following
.htaccess file
AuthName "Alertalert"
AuthType Basic
AuthUserFile http://alertalert.freetzi.com/admin/.htpasswd
require valid-user
.htpasswd file
rajasekar:$apr1$0yd92n1r$McIxIiQXPRF1u3gRBNRNc1
the .htaccess and .htpasswd file is located inside the admin folder.
When i try to access admin folder, it asks for username and password and thats ok. if I give correct username and password, its not accepting and so prompting again.
Check the documentation for the AuthUserFile directive. Its argument should be the path to the htpasswd file, not a URL.
do you have any code in .htacess that prevents viewing of .htpasswd? Because you are going though HTTP, it may not be accessible. What about using the system path?
What about something like:
AuthUserFile /var/admin/.htpasswd