I am trying to restrict access to directories in my root so that others cannot access the files in those dir directly in a browser. Problem I am running into is now the pages in the root for example the index.php is asking for a password and the .htaccess is in the root of the directories and not the root of the domain. This is preventing the index file from accessing include files from those directories.
What is a simple way to lock down those directories from browser access while still allowing the files in the root to access them and vistors being able to access the root pages without being asked for a password. I would like to to be as far as they know they site is viewable but, if someone starts prying around in the sub directories to steal code it will deny them but, allow the pages to access them.
I have tired this in each of the directories I have been wanting to restrict direct browser access to.
AuthType Basic
AuthName "Administrator"
AuthUserFile /home2/mesquiu0/.htpasswds./htpasswd
Require valid-user
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
All you need to do is add the following line with an extra empty line to disable indexing the directories:
Options -Indexes
See Documentation for more info: http://httpd.apache.org/docs/current/mod/core.html#options
In your .htaccess file put the following line
Deny from all
And this if you like to put exceptions.
allow from all
Just allow the scripts that match php, aspx, etc.
apache 2.2
AuthType Basic
AuthName "Administrator"
AuthUserFile /home2/mesquiu0/.htpasswds./htpasswd
Require valid-user
#Forbid access to any files except from localhost, because of Order Deny,Allow, Allow gets applied later.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
#Allow access to files matching index.php
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
In Apache 2.4 the rules has changed, and the correct syntax is to use Require all denied instead of Deny from all.
This is for apache 2.4
AuthType Basic
AuthName "Administrator"
AuthUserFile /home2/mesquiu0/.htpasswds./htpasswd
Require valid-user
Require host 127.0.0.1
#Allow access to files matching index.php
<Files index.php>
Require all granted
</Files>
Related
I would like to use a .htaccess and a .htpasswd file to protect access to a website.
The following code successfully brings up the auth dialog when visiting mysite.com. But when visiting mysite.com/index.html the auth dialog does not appear and the website can be accessed without protection.
.htaccess
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Password Protected"
Require valid-user
What do I need to change to ensure that mysite.com/index.html is protected as well?
I have tried adding:
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
and also:
<Files "index.html">
Require valid-user
</Files>
Neither make any difference to the problem.
maybe you could try it with
AllowOverride AuthConfig
If I remember it right it is not activated on the default :)
you can get more information in the official apache doc
https://httpd.apache.org/docs/2.4/howto/auth.html
My question is very similar to this one:
getting "authentication required" when requesting / instead of /index.php
However, in the question above, the goal is to allow access to only the root URL or index.php and to password protect access to all other files and subdirectories.
An excellent answer was given:
SetEnvIf Request_URI "^/$" allow=yes
SetEnvIf Request_URI "^/index.php$" allow=yes
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/webinterface/.htpasswd
Options +FollowSymLinks
Order Deny,Allow
Satisfy any
Deny from All
Require valid-user
Allow from env=allow
My question is the reverse: I only want to password protect the root URL of the directory or the index.php file, and to allow free access to all other files in the directory. When I used <FilesMatch "index.php"> I succeeded in protecting the index file, but the root url allowed access.
I'm sure the answer is basically obvious to those of you who are more familiar with htaccess than I am. How do I password protect only index.php and the root url? Thank you.
Use it like this:
SetEnvIfNoCase Request_URI "^/(index\.php)?$" PROTECT
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/webinterface/.htpasswd
Require valid-user
Satisfy any
Order Allow,Deny
Allow from All
Deny from env=PROTECT
Regex pattern ^/(index\.php)?$ will match / or /index.php and it sets env variable PROTECT
Allow from All allows all the URIs
Deny from env=PROTECT denies env variable PROTECT
Not sure if this is what you really want, but what about the options -Indexes, used like this?
<Directory /www/somefolder>
Options -Indexes FollowSymLinks
AllowOverride None
</Directory>
I have a website made with WordPress and I want to make two different htaccess logins for two template files. Is this possible?
I have this next code for one of the templates but I want to do the same thing for the second template, only with different username and password.
The templates are located in the same directory and the .htaccess, .htpasswd files are in the root of the website.
I tried user username instead of valid-user, made a different directory in public_html for another .htpasswd file with the password and username for the second file. Nothing worked as it should.
The code:
SetEnvIf Request_URI /colaborators/$ require_auth=true
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/my_whole_path/public_html/.htpasswd
Require valid-user
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
I will answer my own question, maybe this will help someone:
In my case, I had the .htaccess and .htpasswd files outside WordPress, in the root directory. What I had to do to make my second page .htaccess protected with different user and password than the first one:
I made a new directory in the root folder, inside it I created another .htaccess file and a new .htpasswd, plus my page (called it index.php).
SetEnvIf Request_URI /test/$ require_auth=true
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/my_whole_path/public_html/new_directory/.htpasswd
Require valid-user
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
In index.php I loaded WordPress with a require_once 'wp-load.php', the header.php and the rest of the page code.
And that's all.
Hope will help.
I want to protect an admin folder in my PHP web site from other people.
I created two files .htaccess and .htpasswd, but when I enter to the index page on this folder it doesn't show me that dialog where I have to enter the username and the password, here are the content of the files :
The .htpasswd file :
mateo21:$1$MEqT//cb$hAVid.qmmSGFW/wDlIfQ81
ptipilou:$1$/lgP8dYa$sQNXcCP47KhP1sneRIZoO0
djfox:$1$lT7nqnsg$cVtoPfe0IgrjES7Ushmoy.
vincent:$1$h4oVHp3O$X7Ejpn.uuOhJRkT3qnw3i0
The .htaccess file :
AuthName "Page d'administration protégée"
AuthType Basic
AuthUserFile "/var/www/sec/.htpasswd"
Require valid-user
I'm running Linux ubuntu and apache.
You need to deny everything first. Try:
Order Deny,Allow
Deny from all
AuthName "Page d'administration protégée"
AuthType Basic
AuthUserFile "/var/www/sec/.htpasswd"
Require valid-user
If what #Jon Lin said doesn't work, then make sure you have
AllowOverride AuthConfig
in your /etc/httpd/httpd.conf file
If you can't find your configuration file, then try searching for it in terminal...
locate "httpd.conf"
Or
find /etc/ -name "httpd.conf"
1) My wp-content is hardened with a .htaccess file containing this code:
<Files *.php>
deny from all
</Files>
2) I want (need) to authorize xml-sitemap-xsl.php Otherwise I get this error in my error log: client denied by server configuration: /home/user/mysite.net/wp-content/plugins/wordpress-seo/css/xml-sitemap-xsl.php, referer: http://mysite.net/sitemap_index.xml
3) I think I should add the following code but I’m not sure if it’s the right code nor where to place it:
<Files "xml-sitemap-xsl.php">
Allow from all
</Files>
The thing I want to avoid is a conflict between the deny and allow commands.
Thanks,
P.
This has not much to do with Wordpress and I am not an expert regarding .htaccess, but I believe that what your file is doing is not denying access to your directory by all .php files, rather, denying access to all the .php files inside the directory.
The <Files> directive is used to add specific rules to specific files and, as far as I know, it cascades.
Considering your comment, this should do the trick
<Files *.php>
deny from all
</Files>
<Files "xml-sitemap-xsl.php">
Order Allow,Deny
Allow from all
</Files>
see: Deny direct access to all .php files except index.php