I'm using URL rewriting on my website and i would like to add an authentication via .htpasswd file to one of my directory.
My website is build like that
/home/website/
/home/website/protected/
/home/website/protected/.htaccess
/home/website/protected/.htpasswd
/home/website/protected/admin.php
/home/website/.htaccess
/home/website/index.php
/home/website/index_protected.php
On /home/website/ directory i got a .htaccess file :
RewriteRule ^directory([0-9]+)/protected/([a-z0-9-_]+).php /home/website/protected/admin.php?d=$1&p=$2 [QSA]
Using url like
http//website/directory1/protected/test.php
you will call
/home/website/1/protected/admin.php?d=1&p=test
On .htaccess from /protected/ directory i got :
AuthName "Page d'administration protégée"
AuthType Basic
AuthUserFile "/home/website/protected/.htpasswd"
Require valid-user
And on .htpasswd from /protected/ directory i got :
admin:crypted_password
But my problem is that, when i call
http//website/directory1/protected/test.php
i never got the authentication windows, any idea to fix this?
You can try to place .htaccess file with Basic Auth directives to protected directory.
This mostly happens when the server is not using .htaccess file. Check that it is allowed to use that file in /home/website/protected/ not only /home/website/.
Related
I want to set permission to access my beta site, but I got "Page not found" error, below is my code, how can I fix this error?
AuthUserFile /home3/mysitename/public_html/beta/.htpasswd
AuthName EnterPassword
AuthType Basic
<Limit GET POST>
require valid-user
Most rules that are in htaccess files have precedence in subfolders first. Meaning a htaccess file in your /beta/ folder will completely supercedes any rules in a parent directories.
So if you need to protect only the subfolder and not the main folder place the htaccess (or the part with the password section) in the folder you wish to protect.
By the way a better idea might be to use a subdomain for that construct.
I have my .htaccess under the www folder on the server , this file contain some redirect rule nothing else.
Under the www folder , i have another folder www/admin and i want to restrict access to it with .htpasswd file and i have balanced this code into www/admin/.htaccess file :
AuthName "Access denied"
AuthUserFile /real_path_server/www/admin/.htpasswd
AuthType Basic
Require valid-user
i tested everything work fine i can't access to /admin without login and password .
The problem so , that when i go to the website ,authentification window appear , everybody can see this window and this is'nt the behavior that i look for .
i look for that authentification must be required if i want to access to websiteUrl/admin not when i want to access to websiteUrl.
www
|---admin
| |
| |----.htaccess (2)
|
|
|
|.htaccess (1)
the code in .htaccess (1)
SetEnv PHP_VER 5_4
Options +FollowSymlinks
RewriteEngine on
ErrorDocument 404 /erreur404.php
RewriteRule *******************
RewriteRule *******************
RewriteRule *******************
And in the .htaccess2
AuthName "Access denied"
AuthUserFile /real_path_server/www/admin/.htpasswd
AuthType Basic
Require valid-user
Thanks for help
Apache .htaccess files "cascade". Which means all rules set by an .htaccess file in a parent directory will be applied to all sub-directories. You cannot remove a rule in a sub-directory by adding a .htaccess file without that rule, but you can overwrite it by adding that same rule with another value in a sub-directory's .htaccess file.
I'm certain there is another Apache configuration that you might not be able to see, or have access to. Are you using a shared web-hosting server? Is this your own local server? A VPS/Dedicated server where you have root access?
If you are on a shared server, I recommend calling their tech support as they would likely have intimate knowledge of their primary apache configurations.
Also just a quick tip. I noticed in your htaccess configurations above that you have your .htpasswd file in a publicly available directory. It is recommended that you put your .htpasswd files in a non public (non web-accessible) directory, and write the full path to the .htpasswd file in your .htaccess file.
Typically, this is not an issue and not necessary since most web-hosting service providers will add a rule in their "master" apache config file to not allow access (from the web) to any files that begin with .ht*. But not all of them do, so just be careful with that ;)
For example, using your current configuration, I might be able to type this directly in my address bar and see the contents of your .htpasswd file like this - http://your-site.com/admin/.htpasswd - if your web hosting service provider has not taken care of this contingency, it will literally spit out the contents of your .htpasswd file to my screen, where I can see the usernames available, and their obfuscated passwords. It's just a matter of security. Hope this helps!
By default htaccess are folder based. Double check if there is a .htaccess into tje root of the webserver
how i can protect folder which includes uploaded files?
i have folder include all files which uploaded by me, i want if user try to change url or pass to show all files, browser redirect him to another page like this example
www.tet.php/folder/text.doc
if user try to write (www.tet.php/folder) to show all files redirect him automatically to www.tet.php
or any one please tell me tricky way to disappear /folder/
I don't know php but one solution I am thinking about and don't know if php can handle or not:
You can put your “UsersUploads” folder outside the website directory, so if your website exist on “c:\website\example.com” you can put the “UsersUploads” there “c:\UsersUploads”, Like that Your web server has no control over this folder and its files, And your website code will still have access to this directory as a normal physical path.
If you use Apache, you have 2 solutions:
Move your uploaded_files folder out
of your DocumentRoot (the root of the
folders that are accessible from the
web).
Use an .htaccess file in that folder
to block access to this folder.
A little example of an .htaccess using an authentication to access to the folder:
AuthName "Page d'administration protégée"
AuthType Basic
AuthUserFile "/var/www/uploadedfiles/.htpasswd"
Require valid-user
If you use IIS then you have just to deny access to that folder for everyone through your IIS Administration console. You also can deny any access except for certain IP adresses or adressranges.
Just to expand on #Clement's answer to include the part about redirecting to a page on failure:
AuthName "Page d'administration protégée"
AuthType Basic
AuthUserFile "/var/www/uploadedfiles/.htpasswd"
Require valid-user
ErrorDocument 403 www.urlToRedirectTo.com
Also, .htpasswd should be placed outside of the web root, and should simply contain username:pasword. The password should be hashed. You can easily find utilities online to create these files for you.
I used .htaccess and .htpasswd to restrict the admin folder which is located at root/admin
for that i used the following
.htaccess file
AuthName "Alertalert"
AuthType Basic
AuthUserFile http://alertalert.freetzi.com/admin/.htpasswd
require valid-user
.htpasswd file
rajasekar:$apr1$0yd92n1r$McIxIiQXPRF1u3gRBNRNc1
the .htaccess and .htpasswd file is located inside the admin folder.
When i try to access admin folder, it asks for username and password and thats ok. if I give correct username and password, its not accepting and so prompting again.
Check the documentation for the AuthUserFile directive. Its argument should be the path to the htpasswd file, not a URL.
do you have any code in .htacess that prevents viewing of .htpasswd? Because you are going though HTTP, it may not be accessible. What about using the system path?
What about something like:
AuthUserFile /var/admin/.htpasswd
I created a password protected folder using .htpasswd. In .htacces how should i specify this .htpasswd file.
like this
AuthUserFile http://alertalert.freetzi.com/admin/.htpasswd
or
like this
AuthUserFile /admin/.htpasswd
or any other method. Plz help
You should reference the file using its filesystem path, not anything relative to the web server. So if your site is hosted in the folder /var/www/localhost/htdocs/, then you would write:
AuthUserFile /var/www/localhost/htdocs/admin/.htpasswd