What is the best way to send all traffic to your site a 404 page? I'm currently working on the site and would like it to just 404 for all requests. I've tried playing around with htaccess files but haven't been too successful in getting one working like this. Additionally, I would like traffic to a particular folder to still get through.
As your question is stated the easiest way would be to move all your content into that folder.
However, reading between the lines it sounds like you want to view the site in the root folder, and block anyone else from doing the same. It seems to me what you want to do is look at the Apache manual's section on Authentication and Authorization
http://httpd.apache.org/docs/2.0/howto/auth.html
Something like the following in a Location or Directory section of your Apache config, or in a .htaccess file should work. You can put the page you want to show your users in a special location
#The page you want to show denied users.
ErrorDocument 403 /path/to/403.html
#The page you want to show when pages aren't found (404)
ErrorDocument 404 /path/to/404.html
#For Password Protection
#Use the htpasswd utility to generate .htpasswd
AuthType Basic
AuthName "My Secret Stuff"
AuthUserFile /path/to/my/passwords/.htpasswd
Require valid-user
#For IP protection
Order allow,deny
Allow from 1.2.3.4 #Your IP Here
#If you want to use a combination of password and IP protection
#This directive works if they have a valid IP OR a valid user/pass
Satisfy any
Related
I protected an entire Wordpress site with an .htaccess in the /var/www/html direction containing the following regular authentication:
AuthName "Restricted Admin-Area"
AuthType Basic
AuthUserFile /var/www/html/.htpasswd
Require valid-user
However, now my boss asks me to unprotect just one page of the Wordpress site (specifically /subscription):
When we access www.site.com/subscription : no authentication is asked
When we access the rest of www.site.com : an authentication is asked
So I added the following as an exclusion:
SetEnvIf Request_URI "(subscription/)$" allow
SetEnvIf Request_URI "(subscription)$" allow
Order allow,deny
Allow from env=allow
Satisfy any
The problem though, is that for this exclusion to work, the subscription/ directory must exist "physically" on the server.
But it is a Wordpress page, generated automatically following index.php contained in the Wordpress database.
Therefore, the exclusion does not work and I'm asked an authentication when accessing this page.
I've looked for hours and tried to modify tons of things (even creating a subscription2/ directory pointing to subscription), but nothing worked.
Please can you help?
Thank you!
I have the directory structure
folder
↳file1(public access)
↳file2(require password)
When I put the following in the .htaccess:
AuthType Basic
AuthName "asdf"
AuthUserFile path/to/.htpasswd
<Files file2>
require user asdf
</Files>
A non-logged in view shows this structure:
folder
↳file1(public access)
How do I provide the non logged in user visibility to file2 so that they know that the file is in fact there, but may have to log in?
In this simple case, I believe you can employ IndexOptions ShowForbidden.
If you get more complicated (like an auth covered directory or you want to show some forbidden but hide the rest), you'll have to resort to other methods (eg, generate your own index then show it, like in #Fred-ii- answer).
In addition to an already given answer (a good option), you can place this in your .htaccess file
ErrorDocument 401 error401.htm
and create a page called error401.htm with anything you want inside it.
That, being in the root of your server.
Use something like:
ErrorDocument 401 /folder/error401.htm
if placed in a different folder.
It could also be 403 depending how you set it up.
The complete list of ErrorDocument(s) are:
400 - Bad request
401 - Authorization Required
403 - Forbidden directory
404 - Page not found
500 - Internal Server Error
Of course, you can use .php as the preferred file extension and I'm leaning more towards using a 403 which is for Forbidden directory
Footnotes:
In some cases, you may need to use a full http:// call:
ErrorDocument 401 http://www.example.com/error401.htm
Here's my .htaccess file:
AuthType Basic
AuthName "LOG IN"
AuthUserFile .htpasswd
Require valid-user
After logging in, I get a 500 error. If I clear the .htaccess file, it works fine.
Any ideas?
I think you have to write the full path to your .htpasswd (on linux: /path/to/.htpasswd)
From http://weavervsworld.com/docs/other/passprotect.html
Troubleshooting
Make sure that the path specified in AuthUserFile is the correct full
path. This is a major cause of problems. If Apache cannot find the
.htpasswd file, then all attempts will fail.
Make sure the permissions
on the .htaccess and .htpasswd files are set so that Apache can read
them. chmod 0644 .htaccess chmod 0644 .htpasswd
Other issues may be
out of your control. Web administrators can lock down Apache so that
it ignores all .htaccess files it encounters. This can be achieved
with an AllowOverride None directive and option on the
ServerRoot/DocumentRoot directories. If this is the case (.htaccess
not allowed) you will have to kindly ask your web administrator to
allow .htaccess files with authorization directives in your personal
web directory. This can be achieved with AllowOverride AuthConfig
directive and option.
Important : Full path to .htpasswd refers to the real full path if you are using terminal than use
maddy#maddy:/var/www/html/project_name$ pwd
/var/www/html/project_name
File In /var/www/html/project_name/.htaccess
AuthType Basic
AuthName "My restricted Area"
AuthUserFile /var/www/html/project_name/.htpasswd
Require valid-user
File In /var/www/html/project_name/.htpasswd
someuser:$apr1$oi0zg2sf$jTagKK2S7StjC0WSVJLUH0
To generate user: password combination refer
1) http://www.htaccesstools.com/htpasswd-generator/
2) https://www.web2generators.com/apache-tools/htpasswd-generator
Not tested
https://www.gaslampmedia.com/generate-htaccess-password-htpasswd-from-the-command-line/
Since this question scores high in Google, I thought I'd append steven's answer a bit:
Full path to .htpasswd here refers to the real full path, not the path you see via ftp. For example, when I login to my shared hosting account with ftp, it seems my web root lives in /public_html
However that's just because how the ftp server is set up. The actual path to my web root is /home/username/public_html and setting the AuthUserFile keeping that in mind resolved the issue, at least for me.
I found the missing piece of information on the Webmasters site after some more googling.
If you use php and get Error - 500
A good shot is:
create a php file 'info.php' with content:
<?php
phpinfo();
Enter in this url in your browser
In Apache Environment
Look for DOCUMENT_ROOT
Get this content Ex: 'C:/wamp/www/'
And update your .htaccess:
AuthUserFile 'C:/wamp/www/.htpasswd'
Note: The question contains "After logging in" and the answers are not for that case.
I've ran into the same issue:
set up the authentication just as in the question
open the site in a browser
the login window pops up, I authenticate successfully
all subsequent requests result in 500
the access log shows the response was 500 but nothing in the error log
In this case the parent directory of the htpasswd file was not readable to the user running Apache. Apparently the first authentication is served using root credentials and subsequent ones (checking if the auth is still correct?) done by the user running Apache.
I have been toying with http authentication using the .htaccess file in an attempt to better my current cms.
I have found a solution in apache whereas, I use a link in my html somewhere Test.
I then add this to my .htaccess:
<Files .test>
AuthType Digest
AuthNAme "Restricted Page"
AuthDigestProvider file
AuthUserFile /usr/home/myDomain/includes/htpasswd/admin/.htdigest
Require valid-user
# If user is authenticated then redirect
RewriteEngine on
RewriteCond %{REMOTE_USER} !=""
RewriteRule ^.*$ /test.php? [R]
</Files>
What this does, is when a user clicks on the mentioned hyperlink, the user is then prompted with a login form via http authentication. When they enter the correct credentials, they are redirected to a page in the accessable root called test.php, which in turn includes the cms index that is held out of the web root.
If a user selects a section within the cms, they are prompted to log in again (using the sites default php based log in system) and only users with the correct role assignments may access any specfic section.
Although this is useful, it is not quite what i am trying to accomplish.
What i have thought of, is two possible solutions in my case.
One would be where a user could enter say http://www.myDomain.com/?whateveryoulike in the address and be directed to my cms instead. Ideally this redirection would direct straight to my cms index in its' root directory that is not accessable via http://. Something like this which can be done in php:
if isset($_GET['whateveryoulike'])
{
include $_SERVER['DOCUMENT_ROOT'] . '/../../admin/blah.php';
}
Another option i thought of would be something i do not know very much about, but it relates to http authentication and i have seen in use once before...
Basically the user enters username#www.myDomain.com and they get prompted with the http auth log in box. When the credentials are met, they are sent to a seperate section within the website.
Would anyone be able to provide any input, suggestions or addittional ideas relating to how i would go about this?
My question though, is if it is possible to actually catch a GET (http://www.myDomain.com/?whateveryoulike) apply http authentication then redirect the user to a page that is held out of the http:// root?
Thank you for taking the time to read through this!
it is possible to actually catch a GET, apply http authentication then redirect the user to a page that is held out of the http:// root?
No.
The reason is possible fraud, which was used some years ago.
Since then browsers refuse to authorize users silently.
I see no point in the whole enterprize at all, though.
how i can protect folder which includes uploaded files?
i have folder include all files which uploaded by me, i want if user try to change url or pass to show all files, browser redirect him to another page like this example
www.tet.php/folder/text.doc
if user try to write (www.tet.php/folder) to show all files redirect him automatically to www.tet.php
or any one please tell me tricky way to disappear /folder/
I don't know php but one solution I am thinking about and don't know if php can handle or not:
You can put your “UsersUploads” folder outside the website directory, so if your website exist on “c:\website\example.com” you can put the “UsersUploads” there “c:\UsersUploads”, Like that Your web server has no control over this folder and its files, And your website code will still have access to this directory as a normal physical path.
If you use Apache, you have 2 solutions:
Move your uploaded_files folder out
of your DocumentRoot (the root of the
folders that are accessible from the
web).
Use an .htaccess file in that folder
to block access to this folder.
A little example of an .htaccess using an authentication to access to the folder:
AuthName "Page d'administration protégée"
AuthType Basic
AuthUserFile "/var/www/uploadedfiles/.htpasswd"
Require valid-user
If you use IIS then you have just to deny access to that folder for everyone through your IIS Administration console. You also can deny any access except for certain IP adresses or adressranges.
Just to expand on #Clement's answer to include the part about redirecting to a page on failure:
AuthName "Page d'administration protégée"
AuthType Basic
AuthUserFile "/var/www/uploadedfiles/.htpasswd"
Require valid-user
ErrorDocument 403 www.urlToRedirectTo.com
Also, .htpasswd should be placed outside of the web root, and should simply contain username:pasword. The password should be hashed. You can easily find utilities online to create these files for you.