how i can protect folder which includes uploaded files?
i have folder include all files which uploaded by me, i want if user try to change url or pass to show all files, browser redirect him to another page like this example
www.tet.php/folder/text.doc
if user try to write (www.tet.php/folder) to show all files redirect him automatically to www.tet.php
or any one please tell me tricky way to disappear /folder/
I don't know php but one solution I am thinking about and don't know if php can handle or not:
You can put your “UsersUploads” folder outside the website directory, so if your website exist on “c:\website\example.com” you can put the “UsersUploads” there “c:\UsersUploads”, Like that Your web server has no control over this folder and its files, And your website code will still have access to this directory as a normal physical path.
If you use Apache, you have 2 solutions:
Move your uploaded_files folder out
of your DocumentRoot (the root of the
folders that are accessible from the
web).
Use an .htaccess file in that folder
to block access to this folder.
A little example of an .htaccess using an authentication to access to the folder:
AuthName "Page d'administration protégée"
AuthType Basic
AuthUserFile "/var/www/uploadedfiles/.htpasswd"
Require valid-user
If you use IIS then you have just to deny access to that folder for everyone through your IIS Administration console. You also can deny any access except for certain IP adresses or adressranges.
Just to expand on #Clement's answer to include the part about redirecting to a page on failure:
AuthName "Page d'administration protégée"
AuthType Basic
AuthUserFile "/var/www/uploadedfiles/.htpasswd"
Require valid-user
ErrorDocument 403 www.urlToRedirectTo.com
Also, .htpasswd should be placed outside of the web root, and should simply contain username:pasword. The password should be hashed. You can easily find utilities online to create these files for you.
Related
I have an Apache2 site set up on a RPI3 with basic authentication. It worked great since I am really the only user. I am now using IFTTT to automate a few items via webhooks to use a GET request to a couple .php files I have in the www/html folder. This works just fine, but where I have the issue is having to set the webhook with my username: password since I have an authenticated site. I have been using a dynamic dns server for this access my site via username:password#mysite:80/file.php. Is there a way to create a separate folder with a username and password that can only access that folder and not the entire www/html directory? I don't like the fact that my main login is sent by IFTTT. If possible I would like it to be NEWUSER:PASSWORD#mysite:80/limited/file.php.
I have tried creating a this folder and adding its access to the apache2.conf, 000sites-enabled. I have also tried adding its own .htaccess and .htpasswd file in the "limited" folder with a different user.
Is this possible to do?
Thanks
I ended up getting it to work by removing the entries for the sub directory "limited" folder from the Apache2.config and 000sites-enabled. I also just kept the 2 files for .htpasswd and .htaccess in the "limited" folder.
.htpasswd :
User:$sjjnuinusencryptedpasswordijkmi22993
.htaccess :
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /var/www/html/limited/.htpasswd
Hope this helps someone.
I want to set permission to access my beta site, but I got "Page not found" error, below is my code, how can I fix this error?
AuthUserFile /home3/mysitename/public_html/beta/.htpasswd
AuthName EnterPassword
AuthType Basic
<Limit GET POST>
require valid-user
Most rules that are in htaccess files have precedence in subfolders first. Meaning a htaccess file in your /beta/ folder will completely supercedes any rules in a parent directories.
So if you need to protect only the subfolder and not the main folder place the htaccess (or the part with the password section) in the folder you wish to protect.
By the way a better idea might be to use a subdomain for that construct.
I am trying to password protect my PrestaShop site and I created the .htaccess and .htpasswd files when I upload them to the root directory and the /dev folder respectively everything seems to work, until I enter the username and password, at which point the page reloads and displays the website with NO CSS or images. Please someone HELP!
I am unable to keep the files up as it is conflicting with the client QA-ing, but I need to protect the site quickly to hide it from some disgruntled workers.
I greatly appreciate all replies!!! Please just ask if more info is required
You should only need to upload .htaccess and .htpasswd to the root dir. I'm not sure why you're adding it to your /dev directory as well.
Your .htaccess should look something like this:
AuthUserFile /webhost/path/root/.htpasswd
AuthType Basic
AuthName "My Files"
Require valid-user
More info: http://weavervsworld.com/docs/other/passprotect.html
I have a need to password protect an entire website. I am developing on a live URL (don't ask me why -_- clients...) and I want to be able to develop the site but access it using a username and password so the general public won't be able to see the site being modified.
I've tried to use a .htaccess and .htpasswd file in the same directory.
Here are the contents of it
AuthUserFile /htdocs/.htpasswd
AuthGroupFile /dev/null
AuthName "Development space"
AuthType Basic
Require development
and the .htpasswd file contains the user development:encryptedpassword
It doesn't appear to be working at all. The password box is generated but just carries on coming back up once I enter the credentials (I have confirmed they are correct).
Can anyone tell me where I'm going wrong?
Please note both the htpasswrd and htaccess files are currently within the htdocs directory
htdocs file permissions are drwxr-xr-x
Your Require line is wrong. It should be:
Require user development
^^^^--missing
Require can require many different things (env vars, http methods, groups, blah blah blah), so you have to say WHAT kind of thing you're requiring. You might be better off with just
Require valid-user
unless you're going to have multiple accounts in your .htpasswd and want to allow only certain ones.
Here's my .htaccess file:
AuthType Basic
AuthName "LOG IN"
AuthUserFile .htpasswd
Require valid-user
After logging in, I get a 500 error. If I clear the .htaccess file, it works fine.
Any ideas?
I think you have to write the full path to your .htpasswd (on linux: /path/to/.htpasswd)
From http://weavervsworld.com/docs/other/passprotect.html
Troubleshooting
Make sure that the path specified in AuthUserFile is the correct full
path. This is a major cause of problems. If Apache cannot find the
.htpasswd file, then all attempts will fail.
Make sure the permissions
on the .htaccess and .htpasswd files are set so that Apache can read
them. chmod 0644 .htaccess chmod 0644 .htpasswd
Other issues may be
out of your control. Web administrators can lock down Apache so that
it ignores all .htaccess files it encounters. This can be achieved
with an AllowOverride None directive and option on the
ServerRoot/DocumentRoot directories. If this is the case (.htaccess
not allowed) you will have to kindly ask your web administrator to
allow .htaccess files with authorization directives in your personal
web directory. This can be achieved with AllowOverride AuthConfig
directive and option.
Important : Full path to .htpasswd refers to the real full path if you are using terminal than use
maddy#maddy:/var/www/html/project_name$ pwd
/var/www/html/project_name
File In /var/www/html/project_name/.htaccess
AuthType Basic
AuthName "My restricted Area"
AuthUserFile /var/www/html/project_name/.htpasswd
Require valid-user
File In /var/www/html/project_name/.htpasswd
someuser:$apr1$oi0zg2sf$jTagKK2S7StjC0WSVJLUH0
To generate user: password combination refer
1) http://www.htaccesstools.com/htpasswd-generator/
2) https://www.web2generators.com/apache-tools/htpasswd-generator
Not tested
https://www.gaslampmedia.com/generate-htaccess-password-htpasswd-from-the-command-line/
Since this question scores high in Google, I thought I'd append steven's answer a bit:
Full path to .htpasswd here refers to the real full path, not the path you see via ftp. For example, when I login to my shared hosting account with ftp, it seems my web root lives in /public_html
However that's just because how the ftp server is set up. The actual path to my web root is /home/username/public_html and setting the AuthUserFile keeping that in mind resolved the issue, at least for me.
I found the missing piece of information on the Webmasters site after some more googling.
If you use php and get Error - 500
A good shot is:
create a php file 'info.php' with content:
<?php
phpinfo();
Enter in this url in your browser
In Apache Environment
Look for DOCUMENT_ROOT
Get this content Ex: 'C:/wamp/www/'
And update your .htaccess:
AuthUserFile 'C:/wamp/www/.htpasswd'
Note: The question contains "After logging in" and the answers are not for that case.
I've ran into the same issue:
set up the authentication just as in the question
open the site in a browser
the login window pops up, I authenticate successfully
all subsequent requests result in 500
the access log shows the response was 500 but nothing in the error log
In this case the parent directory of the htpasswd file was not readable to the user running Apache. Apparently the first authentication is served using root credentials and subsequent ones (checking if the auth is still correct?) done by the user running Apache.