I want to set permission to access my beta site, but I got "Page not found" error, below is my code, how can I fix this error?
AuthUserFile /home3/mysitename/public_html/beta/.htpasswd
AuthName EnterPassword
AuthType Basic
<Limit GET POST>
require valid-user
Most rules that are in htaccess files have precedence in subfolders first. Meaning a htaccess file in your /beta/ folder will completely supercedes any rules in a parent directories.
So if you need to protect only the subfolder and not the main folder place the htaccess (or the part with the password section) in the folder you wish to protect.
By the way a better idea might be to use a subdomain for that construct.
Related
I have my .htaccess under the www folder on the server , this file contain some redirect rule nothing else.
Under the www folder , i have another folder www/admin and i want to restrict access to it with .htpasswd file and i have balanced this code into www/admin/.htaccess file :
AuthName "Access denied"
AuthUserFile /real_path_server/www/admin/.htpasswd
AuthType Basic
Require valid-user
i tested everything work fine i can't access to /admin without login and password .
The problem so , that when i go to the website ,authentification window appear , everybody can see this window and this is'nt the behavior that i look for .
i look for that authentification must be required if i want to access to websiteUrl/admin not when i want to access to websiteUrl.
www
|---admin
| |
| |----.htaccess (2)
|
|
|
|.htaccess (1)
the code in .htaccess (1)
SetEnv PHP_VER 5_4
Options +FollowSymlinks
RewriteEngine on
ErrorDocument 404 /erreur404.php
RewriteRule *******************
RewriteRule *******************
RewriteRule *******************
And in the .htaccess2
AuthName "Access denied"
AuthUserFile /real_path_server/www/admin/.htpasswd
AuthType Basic
Require valid-user
Thanks for help
Apache .htaccess files "cascade". Which means all rules set by an .htaccess file in a parent directory will be applied to all sub-directories. You cannot remove a rule in a sub-directory by adding a .htaccess file without that rule, but you can overwrite it by adding that same rule with another value in a sub-directory's .htaccess file.
I'm certain there is another Apache configuration that you might not be able to see, or have access to. Are you using a shared web-hosting server? Is this your own local server? A VPS/Dedicated server where you have root access?
If you are on a shared server, I recommend calling their tech support as they would likely have intimate knowledge of their primary apache configurations.
Also just a quick tip. I noticed in your htaccess configurations above that you have your .htpasswd file in a publicly available directory. It is recommended that you put your .htpasswd files in a non public (non web-accessible) directory, and write the full path to the .htpasswd file in your .htaccess file.
Typically, this is not an issue and not necessary since most web-hosting service providers will add a rule in their "master" apache config file to not allow access (from the web) to any files that begin with .ht*. But not all of them do, so just be careful with that ;)
For example, using your current configuration, I might be able to type this directly in my address bar and see the contents of your .htpasswd file like this - http://your-site.com/admin/.htpasswd - if your web hosting service provider has not taken care of this contingency, it will literally spit out the contents of your .htpasswd file to my screen, where I can see the usernames available, and their obfuscated passwords. It's just a matter of security. Hope this helps!
By default htaccess are folder based. Double check if there is a .htaccess into tje root of the webserver
I want to ignore folders on my website, but as I often create subfolders on it, I want to ignore subfolders too.
Here's my .htaccess :
AuthType Basic
AuthName "Auth Required"
AuthUserFile ".htpasswd location"
Require valid-user
SetEnvIf Request_URI "(folder I want to ignore for everyone)$" allow
Order allow,deny
Allow from env=allow
# allow open access to entire site for those IPs:
allow from xx.xx.xxx.xx.xxx
Satisfy any
When I go to a subfolder, it keep asking for a login and password, but when I click on "Cancel" to cancel that login, everything goes fine and no other box is shown.
All I want is to not have this box shown.
Thanks !
.htaccess settings ALWAYS affects subfolders unless you override it with another .htaccess which would change the behaviour set in parent folder's .htaccess
I'm using URL rewriting on my website and i would like to add an authentication via .htpasswd file to one of my directory.
My website is build like that
/home/website/
/home/website/protected/
/home/website/protected/.htaccess
/home/website/protected/.htpasswd
/home/website/protected/admin.php
/home/website/.htaccess
/home/website/index.php
/home/website/index_protected.php
On /home/website/ directory i got a .htaccess file :
RewriteRule ^directory([0-9]+)/protected/([a-z0-9-_]+).php /home/website/protected/admin.php?d=$1&p=$2 [QSA]
Using url like
http//website/directory1/protected/test.php
you will call
/home/website/1/protected/admin.php?d=1&p=test
On .htaccess from /protected/ directory i got :
AuthName "Page d'administration protégée"
AuthType Basic
AuthUserFile "/home/website/protected/.htpasswd"
Require valid-user
And on .htpasswd from /protected/ directory i got :
admin:crypted_password
But my problem is that, when i call
http//website/directory1/protected/test.php
i never got the authentication windows, any idea to fix this?
You can try to place .htaccess file with Basic Auth directives to protected directory.
This mostly happens when the server is not using .htaccess file. Check that it is allowed to use that file in /home/website/protected/ not only /home/website/.
I need to password protect a directory with .htaccess, which I have successfully done. But the front end of the website was programmed to link to images within this password protected directory (not by me), but when a webpage tries to access those images it prompts the user to login.
Is it possible to password protect that directory, but allow any access to any image file type like *.jpg and *.gif?
My current .htaccess code is this:
AuthName "Secure Area"
AuthUserFile "/home/siteuser/.htpasswds/public_html/admin/passwd"
AuthType Basic
require valid-user
Thanks for any help!
AuthName "Secure Area"
AuthUserFile "/home/siteuser/.htpasswds/public_html/admin/passwd"
AuthType Basic
require valid-user
<FilesMatch "\.(png|jpe?g|gif)$">
Satisfy Any
Allow from all
</FilesMatch>
Edit to incorporate Shef's improvement
You could check all the different options of configuration .htaccess gives you in the following site:
Stupid htaccess Tricks
Did you try put it inside Filematch?
<FilesMatch "^.*(png|jpe?g|gif)$">
AuthName "Secure Area"
AuthUserFile "/home/siteuser/.htpasswds/public_html/admin/passwd"
AuthType Basic
require valid-user
</FilesMatch>
What you could try is to write an image display proxy:
Keep the directory like you have it now, with password protection.
On the .htaccess on the root of the website where the images are linked, add a Rewrite rule for those image types you want. This rule should redirect the call to a PHP handler script.
That script should evaluate the path that was being requested, load the file from the filesystem, deduct its header and send that to the client using header(), followed by the image file's content echo file_get_contents()should do.
PHP is not affected by the .htaccess so it should be able to read the file you need and proxy it to the end user.
how i can protect folder which includes uploaded files?
i have folder include all files which uploaded by me, i want if user try to change url or pass to show all files, browser redirect him to another page like this example
www.tet.php/folder/text.doc
if user try to write (www.tet.php/folder) to show all files redirect him automatically to www.tet.php
or any one please tell me tricky way to disappear /folder/
I don't know php but one solution I am thinking about and don't know if php can handle or not:
You can put your “UsersUploads” folder outside the website directory, so if your website exist on “c:\website\example.com” you can put the “UsersUploads” there “c:\UsersUploads”, Like that Your web server has no control over this folder and its files, And your website code will still have access to this directory as a normal physical path.
If you use Apache, you have 2 solutions:
Move your uploaded_files folder out
of your DocumentRoot (the root of the
folders that are accessible from the
web).
Use an .htaccess file in that folder
to block access to this folder.
A little example of an .htaccess using an authentication to access to the folder:
AuthName "Page d'administration protégée"
AuthType Basic
AuthUserFile "/var/www/uploadedfiles/.htpasswd"
Require valid-user
If you use IIS then you have just to deny access to that folder for everyone through your IIS Administration console. You also can deny any access except for certain IP adresses or adressranges.
Just to expand on #Clement's answer to include the part about redirecting to a page on failure:
AuthName "Page d'administration protégée"
AuthType Basic
AuthUserFile "/var/www/uploadedfiles/.htpasswd"
Require valid-user
ErrorDocument 403 www.urlToRedirectTo.com
Also, .htpasswd should be placed outside of the web root, and should simply contain username:pasword. The password should be hashed. You can easily find utilities online to create these files for you.