I have the directory structure
folder
↳file1(public access)
↳file2(require password)
When I put the following in the .htaccess:
AuthType Basic
AuthName "asdf"
AuthUserFile path/to/.htpasswd
<Files file2>
require user asdf
</Files>
A non-logged in view shows this structure:
folder
↳file1(public access)
How do I provide the non logged in user visibility to file2 so that they know that the file is in fact there, but may have to log in?
In this simple case, I believe you can employ IndexOptions ShowForbidden.
If you get more complicated (like an auth covered directory or you want to show some forbidden but hide the rest), you'll have to resort to other methods (eg, generate your own index then show it, like in #Fred-ii- answer).
In addition to an already given answer (a good option), you can place this in your .htaccess file
ErrorDocument 401 error401.htm
and create a page called error401.htm with anything you want inside it.
That, being in the root of your server.
Use something like:
ErrorDocument 401 /folder/error401.htm
if placed in a different folder.
It could also be 403 depending how you set it up.
The complete list of ErrorDocument(s) are:
400 - Bad request
401 - Authorization Required
403 - Forbidden directory
404 - Page not found
500 - Internal Server Error
Of course, you can use .php as the preferred file extension and I'm leaning more towards using a 403 which is for Forbidden directory
Footnotes:
In some cases, you may need to use a full http:// call:
ErrorDocument 401 http://www.example.com/error401.htm
Related
Designed to bring up a specific error .php page when someone doesnt enter right credentials, but seems to bring up its own. Also protects all my directories regardless of which one it is placed in.
Has 777 permission.
ErrorDocument 401 Mywebsite.com/CustomError.php
AuthName "My Password Protected Site" AuthUserFile
MYwebsite.com/Folder/.htpasswd
AuthType Basic
Require valid-user
# Set REMOTE_USER env variable on 401 ErrorDocument
RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} ^401$
RewriteRule .* - [E=REMOTE_USER:%{ENV:REDIRECT_REMOTE_USER}]
Here's what it always says as of now:
Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
I used to have the spefic directories as /folder/file instead of website/folder/file but when i did that, the error page would have this line as well:
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
This line:
ErrorDocument 401 Mywebsite.com/CustomError.php
According to the documentation
URLs can begin with a slash (/) for local web-paths (relative to the DocumentRoot), or be a full URL which the client can resolve. Alternatively, a message can be provided to be displayed by the browser. Examples:
ErrorDocument 500 http://foo.example.com/cgi-bin/tester
ErrorDocument 404 /cgi-bin/bad_urls.pl
ErrorDocument 401 /subscription_info.html
ErrorDocument 403 "Sorry can't allow you access today"
Additionally, the special value default can be used to specify Apache's simple hardcoded message. While not required under normal circumstances, default will restore Apache's simple hardcoded message for configurations that would otherwise inherit an existing ErrorDocument.
ErrorDocument 404 /cgi-bin/bad_urls.pl
<Directory /web/docs>
ErrorDocument 404 default
</Directory>
So you can't have Mywebsite.com/CustomError.php as the second parameter, it's got to be a full URL starting with http://, an absolute path that starts with a /, or a message. You can't have relative paths as the second parameter.
How can I make my website to redirect to a particular page when user attempts to folder or files that are not allowed or when they access not existing web page?
I think it is done using some kind of server side scripts, please help me to find it.
If you want to prevent users from certain content use 403 Forbidden header. Not 404. You might want to use 404 to fool the user, but later when something goes wrong it'll be very difficult do debug. Also this is not standard practice.
You can throw a 403 Forbidden error using htaccess.
RewriteEngine On
RewriteBase /
# Protect application and system files from being viewed
RewriteRule ^(secret_dir1|secret_dir2|secret/file.php) - [F, L]
On PHP end you should invoke a header if some one is trying to get an unauthorized access.
header("HTTP/1.1 403 Forbidden");
that should be done in .htaccess file, add this:
ErrorDocument 404 index.php // it could be any file/page
Check this link out: http://www.awesomephp.nl/htaccess/custom-error-pages
How do I do this in my .htaccess file for a specific directory in my document root?:
deny all access to anything (including the .htaccess too)
return a 404, not a 403 error
no files or subdirectories should be accessible or detected by humans or bots
only php access by the local host would be allowed
Seems like it would be simple. This works but throws a 403 not a 404:
deny from all
Why not create a custom error page?
deny from all
ErrorDocument 403 /error/404.html
The server will always want to throw a 403 error if someone is not authorized to view the page and that's what you're trying to do. However, you can change the ErrorDocument for error 403 to show an HTML page that says it's a 404 error.
My example has a folder in the root directory named error and an html file in it named 404.html.
Have you tried something like this? This will force a 403 Forbidden error when someone tries to view anything in DIRECTORY. PHP scripts can still access everything inside the directory. Obviously replace DIRECTORY with your preferred directory.
RewriteRule ^DIRECTORY - [F]
I do not like sending some html page that says it's a 404 error when really it is just an html page that may as well be located at Iamafake404error.html
You might try this instead:
Order Deny,Allow
Deny from all
Allow from 1.2.3.4
ErrorDocument 403 /throwaREAL404error.html
ErrorDocument 404 /throwaREAL404error.html
ErrorDocument 500 /throwaREAL404error.html
### never deliver .git folders, .gitIgnore
RewriteRule ^(.*/)?\throwaREAL404error.html+ - [R=404,L]
# 2nd line of defense (if no mod_rewrite)
RedirectMatch 404 ^(.*/)?\throwaREAL404error+
https://serverfault.com/a/510951/194845
Here is the scenario:
There is a index.php file in root folder
some files are included in index.php which are in the includes folder.
1 other file (submit.php) is in the root folder for form submit action.
I want to restrict direct user access to the files in includes folder by htaccess. also for submit.php. But include will work for index.php file.
Like, if user types www.domain.com/includes/somepage.php, it will restrict it (may be redirect to a error page).
I would just move the includes folder out of the web-root, but if you want to block direct access to the whole includes folder, you can put a .htaccess file in that folder that contains just:
deny from all
That way you cannot open any file from that folder, but you can include them in php without any problems.
This is pure mod_rewrite based solution:
RewriteRule ^(includes/|submit\.php) - [F,L,NC]
This will show forbidden error to use if URI contains either /includes/ or /submit.php
It's possible to use a Files directive and disallow access to all files, then use it again to set the files that are accessible:
<Files ~ "^.*">
Deny from all
</Files>
<Files ~ "^index\.php|css|js|.*\.png|.*\.jpg|.*\.gif">
Allow from all
</Files>
1 liner mod_alias based solution :
RedirectMatch 403 ^/folder/file.php$
This will show forbidden error for /folder/file.php
If I understand correctly you just want to deny access to the includes folder?
An .htaccess with a 'DENY FROM ALL' directive placed in the includes folder would do the trick.
Your Q comes in two parts, both jeroen and anubhava's solutions work for part I -- denying access to /includes. anubhava's also works for part II. I prefer the latter because I use a DOCROOT/.htaccess anyway and this keeps all such control in one file.
However what I wanted t discuss is the concept of "denying access to submit.php". If you don't want to use submit.php then why have it in DOCROOT at all? I suspect that the answer here is that you use it as a action target in some forms and only want it to be fired when the form is submitted and not directly , e.g. from a spambot.
If this is true then you can't use anubhava's part II as this will cause your form to fail.
What you can do here is (i) with the .htaccess check to ensure that the referrer was your own index page:
RewriteCond %{HTTP_REFERRER} !=HTTP://www.domain.com/index.php [NC]
RewriteRule ^submit\.php$ - [F]
And (ii) within your PHP index.php form generator include some hidden fields for a timestamp and validation. The validation could be, say, the first 10 chars of an MD5 of the timestamp and some internal secret. On processing the submit you can then (i) validate that the timestamp and validation match, and (ii) the timestamp is within, say, 15 minutes of the current time.
This you can prevent spamming as the only practical way that a spammer could get a valid timestamp / validation pair would be to parse a form, but this scrape would only have a 15 minute life.
Depending on possible other options set at a higher level you may need to put the following in your .htaccess file in your includes directory:
Satisfy all
Order deny,allow
Deny from all
I ran into this when the upper directory defined basic authentication including the line:
Satisfy any
This was preventing my deny from all to take effect because the users were authenticated.
You can add the below command to .htaccess file
Deny from all
ErrorDocument 403 "nothing is here"
It will display the "nothing is here" message in case of the unauthorised access.
If you want to redirect by an error code to a certain page then you can define a command as follows:
ErrorDocument 404 "/errors/404.html"
It will redirect to the /errors/404.html and show the custom page not found screen.
What is the best way to send all traffic to your site a 404 page? I'm currently working on the site and would like it to just 404 for all requests. I've tried playing around with htaccess files but haven't been too successful in getting one working like this. Additionally, I would like traffic to a particular folder to still get through.
As your question is stated the easiest way would be to move all your content into that folder.
However, reading between the lines it sounds like you want to view the site in the root folder, and block anyone else from doing the same. It seems to me what you want to do is look at the Apache manual's section on Authentication and Authorization
http://httpd.apache.org/docs/2.0/howto/auth.html
Something like the following in a Location or Directory section of your Apache config, or in a .htaccess file should work. You can put the page you want to show your users in a special location
#The page you want to show denied users.
ErrorDocument 403 /path/to/403.html
#The page you want to show when pages aren't found (404)
ErrorDocument 404 /path/to/404.html
#For Password Protection
#Use the htpasswd utility to generate .htpasswd
AuthType Basic
AuthName "My Secret Stuff"
AuthUserFile /path/to/my/passwords/.htpasswd
Require valid-user
#For IP protection
Order allow,deny
Allow from 1.2.3.4 #Your IP Here
#If you want to use a combination of password and IP protection
#This directive works if they have a valid IP OR a valid user/pass
Satisfy any