I working on a webpage and want to protect most of the page with a loginpage before entering the pages. I was thinking about directory access protection.
I have setup two test directory with the following settings in apache:
<Location /test>
# Using this to bind
AuthLDAPBindDN "##########"
AuthLDAPBindPassword "##########"
# search user
AuthLDAPURL "##########?sAMAccountName?sub? (objectClass=*)"
AuthType basic
AuthName "USE YOUR WINDOWS ACCOUNT"
AuthBasicProvider ldap
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
AuthUserFile /dev/null
Require ldap-group ###########
#Require valid-user
</Location>
<Location /test2>
# Using this to bind
AuthLDAPBindDN "##########"
AuthLDAPBindPassword "###########"
# search user
AuthLDAPURL "ldap://##########?sAMAccountName?sub?(objectClass=*)"
AuthType form
AuthName "USE YOUR WINDOWS ACCOUNT"
AuthFormProvider ldap
AuthFormLoginRequiredLocation "../test_ldap.php"
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
AuthUserFile /dev/null
Require ###################
#Require valid-user
</Location>
One has LDAP authentication, that one is working fine but gives an ugly Windows popup. I want to replace that to a form based page so I can customize the look and feel.
The other one is using formbased authentication. The redirect to the login form page is working fine but then im stuck. I have created a php page that validates to LDAP that is also working fine so that is my landing page but then still when I access my protected directory its not authenticated.
So I need a combination of both to get this working.
I have seen that the AuthFormProvider can be set to Ldap, and have done that but I don't get that to work.
I would be very gratefull if somebody could guide me in this project to the right direction.
Related
I added a HTTP basic authentication using Apache to access to a PHP application using a .htaccess file:
AuthType Basic
AuthName "Secure Area"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
Require valid-user
This is working fine for most of the application except for the admin panel.
Because in order to access to the admin panel, the PHP application also provide his own HTTP basic authentication by sending the WWW-Authenticate HTTP header to the response.
So, when I try to access to the PHP application secured area, it looks like I am encountering a HTTP Basic authentication conflict between Apache an PHP.
(Both are working properly individually)
The solution I am thinking is to enable Apache HTTP Basic authentication only if the requested page did not already send a WWW-Authenticate.
I tried this without success:
AuthType Basic
AuthName "Secure Area"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
<RequireAll>
Require valid-user
Require expr %{HTTP:WWW-Authenticate} =~ m#^$#
</RequireAll>
This is resulting in a infinite loop of requests trying to authenticate.
Is it something possible?
I don't think that this will work. When adding Apache's authentication methods, the request is stopped unless you authenticate. Your PHP application is not run in any way if Apache hasn't received authentication details for its own layer.
I'm setting up basic http authentication for my dev site with .htaccess and .htpasswd.
First, I created my .htpasswd user and password (https://shop.alterlinks.com/htpasswd/htpasswd.php MD5).
Then, my htaccess file with some basic configurations.
I placed both my .htaccess and .htpasswd files in my php_site_project folder (I know it's not safe, but I did it for testing first the authentication).
Also in my apache configuration file, I have AllowOverride All
AuthuserFile /home/my_user/public_html/php_site_project/.htpasswd
AuthName "Protected Area"
AuthType Basic
AuthGroupFile /dev/null
Require user admin
After all those configurations, I cleared my cache and tested on Chrome, it keeps asking me for user and password over and over... On Firefox asks just once but doesn't let me enter either.
By the way, I don't have logs on this problem.
I protected an entire Wordpress site with an .htaccess in the /var/www/html direction containing the following regular authentication:
AuthName "Restricted Admin-Area"
AuthType Basic
AuthUserFile /var/www/html/.htpasswd
Require valid-user
However, now my boss asks me to unprotect just one page of the Wordpress site (specifically /subscription):
When we access www.site.com/subscription : no authentication is asked
When we access the rest of www.site.com : an authentication is asked
So I added the following as an exclusion:
SetEnvIf Request_URI "(subscription/)$" allow
SetEnvIf Request_URI "(subscription)$" allow
Order allow,deny
Allow from env=allow
Satisfy any
The problem though, is that for this exclusion to work, the subscription/ directory must exist "physically" on the server.
But it is a Wordpress page, generated automatically following index.php contained in the Wordpress database.
Therefore, the exclusion does not work and I'm asked an authentication when accessing this page.
I've looked for hours and tried to modify tons of things (even creating a subscription2/ directory pointing to subscription), but nothing worked.
Please can you help?
Thank you!
I have the following in the htaccess file in my /wp-admin folder:
AuthType Basic
AuthName "Example"
AuthUserFile "/home/username/.htpasswds/public_html/example.com/wp-admin/passwd"
require valid-user
For some reason when I load up a wordpress article it prompts for authentication.
The main page is fine, but individual articles prompt for a password.
I found a solution to my problem.
The reason why it was prompting for a password is because some WordPress plugins require access to admin-ajax.php.
If you add the following on top of the quote above it will allow you to password protect the wp-admin folder.
# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
So rather than excluding one file from the entire authentication like I tried to here. I've just decided to add specific files to the authentication like this:
<Files ...>
</Files>
The thing is when it's like this:
<Files Available.php>
AuthType Basic
AuthName "Login"
AuthUserFile /disks/*/*/Folder/.htpasswd
Require valid-user
</Files>
It works in that it requires an authentication for the php. However when I put multiple files like this:
<Files Available.php,Insert.php,upload_file.php>
AuthType Basic
AuthName "Login"
AuthUserFile /disks/*/*/Folder/.htpasswd
Require valid-user
</Files>
It fails to require authentication for any of the files. Any ideas what I'm writing wrong syntactically? Also how do I require authentication for all sub-directories?
You can't put multiple file names in a directive. see for directive examples.
http://www.askapache.com/htaccess/using-filesmatch-and-files-in-htaccess.html
If you can't match the files with a wildcard, your best bet is to place them all in a subdirectory and use your authenication against that.
Your other option is to use php authenication with sessions (cookie or url based) and have the php files that require authentication check for a valid session before running.
I've written a fair number php based sites with authenicated admin and I always use a subdirectory and then ssl to make it more secure.