what is the most secure way to password protect admin files/folders?
im on apache/php
The most secure way is to keep it off the internet alltogether ;-)
But irony aside, I'd suggest using .htaccess. Simple and requires no programming effort from you.
http://www.htpasswdgenerator.com/apache/htaccess.html#8
An alternative to the htaccess method is to put the files that should be protected outside the web-root - somewhere where a typical HTTP request can't reach them - and have PHP relay them back to the client as needed.
This is useful in situations where you need more control over the process than Apache gives you. Like, say: if you wanted to integrate this with your PHP application's member functionality; allowing members that have already logged in access to the files while denying access to others.
Create a .htaccess and .htpasswd with one of the 10000 .htaccess generators out there and use the htpasswd included in most distros to add users to the .htpasswd.
Securing admin folder with HTTP Authentication (.htpasswd & .htaccess)
Navigate to http://aspirine.org/htpasswd_en.html to generate
username and password in an encrypted form
Eg:
username: User_name
password: Mypassword
Result will be depending upon your selected hashing algorithm
Eg.:
User_name:TX9D66ksKUR0o
Save this in “.htpasswd” file
Creating a “.htpasswd” file on your web server other than the /public_html
directory. Preferably one directory above it in the /home folder which would
store the username and password in an encrypted form for the HTTP
authentication.
Add the following code to the .htaccess file inside the /admin
folder on your server. Do not forget to put the correct path of the
.htpasswd file in the following code snippet:
AuthType Basic
AuthName "Your_Name"
AuthUserFile path-to/.htpasswd/file
Require valid-user
AuthName "Authorisation Required"
require valid-user
# IP
# order deny,allow
# deny from all
# allow from xxx.xx.xx.xxx
Related
I'm absolutely unknowledgeable of Apache .htaccess language and to be frank, I presently don't have time to look into it.
I have divided my website to following directories:
/My-Website
/admin
/public
To me, it seems like a good practice to separate the administration portal from the public website with distinctive folders. Admin is where the administration updates the contents and public is, well, public.
However, this way, I face two key problems:
I have somehow configured .htaccess to redirect all URLs to /public directory. But I want an exception to the /admin directory. Meaning that when the user enters mywebsite.com, it should redirect to /public automatically but not when the user enters mywebsite.com/admin. I'm not sure if .htaccess would have the solution or PHP, but am welcomed to both.
In my admin directory, I have JS files and other xml lying around in the admin directory. Did a test, found out that the users can access all the files in the admin directory by explicitly going to for example: mywebsite.com/admin/may_be_sensitive.xml without authorization. How can I tackle this?
I'm quite open to suggestions even if it means that I need to re-organize my entire website in a different structure.
You don't need any redirection.
/public should be the root, so the public portion of your website would be visible at https://example.com
/admin should be a subdirectory off public (your webroot) like https://example.com/admin, and should be secured with an appropriate authentication process like basic auth, a one-time token or some other form of secure auth.
It's possible to secure the admin folder with a .htaccess file but it's more secure to do in the server configuration file if you have access to it.
From: http://httpd.apache.org/docs/current/howto/auth.html
<Directory "/usr/local/apache/htdocs/secret">
AuthType Basic
AuthName "Restricted Files"
AuthUserFile "/usr/local/apache/passwd/passwords"
</Directory>
The password file is created with the htpasswd utility.
I have a need to password protect an entire website. I am developing on a live URL (don't ask me why -_- clients...) and I want to be able to develop the site but access it using a username and password so the general public won't be able to see the site being modified.
I've tried to use a .htaccess and .htpasswd file in the same directory.
Here are the contents of it
AuthUserFile /htdocs/.htpasswd
AuthGroupFile /dev/null
AuthName "Development space"
AuthType Basic
Require development
and the .htpasswd file contains the user development:encryptedpassword
It doesn't appear to be working at all. The password box is generated but just carries on coming back up once I enter the credentials (I have confirmed they are correct).
Can anyone tell me where I'm going wrong?
Please note both the htpasswrd and htaccess files are currently within the htdocs directory
htdocs file permissions are drwxr-xr-x
Your Require line is wrong. It should be:
Require user development
^^^^--missing
Require can require many different things (env vars, http methods, groups, blah blah blah), so you have to say WHAT kind of thing you're requiring. You might be better off with just
Require valid-user
unless you're going to have multiple accounts in your .htpasswd and want to allow only certain ones.
I am attempting to lock a file out for me only (it's a log, and I don't want users to see it).
This is my .htpasswd:
foo:bar
And this is my .htaccess:
AuthUserFile /home/kapip/public_html/.htpasswd
AuthType Basic
AuthName "This is allowed for admin purposes only"
<Files "users.log">
Require valid-user
</Files>
Even if I put in the correct password after the dialog, the dialog just flashes as if the request was sent, and then it pops up again. No matter what I put in, I can't see my file.
Some Specs
I'm on shared hosting
The .htpasswd, .htaccess, and log file are in the same directory
Even if i change users.log to users.txt, it still doesn't work
If I click "cancel" when it asks for credentials, it gives a 401 Response
Please help me! :(
Did you run htpasswd -c on your password file? It's normally a hash and not a plaintext password. Take a look at the htpasswd man page.
EDIT:
If you don't have shell access, you can create your htpasswd file using the htpasswd generator and the copy the file to your shared host. You should be able to use cPanel's FileManager.
One thing that I would suggest though: You should NOT put your htpasswd file in your public_html directory, people will be able to access it via http://your-domain/.htpasswd which is VERY BAD
i want to deny access (from all non-logged in users) to all the files in a directory from the browser.
Only a logged in user can access his files in that folder. The file paths are stored in the database with the logged in user id, so that when the user logs in, he can view or download only his files.
So i dont want others (without logging in) to access the folder and files from the browser, and secondly, i want the users to be able to view only their files in the folder.
I think, Second thing i can do with some condition checks in php, but for the first one, can anyone tell me the htaccess rule to achieve ?
Thank you
dont show them the actual folder path where their files are stored.
Use a php file to fetch the downloadable content.
eg :- download.php?file=mydocument.doc
Cons :
Might be slow
No Download Resume support (I guess)
For the part of .htaccess user access you can take a look here at the .htaccess Password Generator
You can disable default directory browsing using .htaccess.
Open your .htacces file
Look for Options Indexes
If Options Indexes exists modify it
to Options -Indexes or else add
Options -Indexes as a new line
The directory browsing feature should be disable by now
There's article, which describes access control feature of Apache web server thoroughly: http://httpd.apache.org/docs/2.0/howto/auth.html
The easiest variant looks in the following way:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
BTW, this part:
Only a logged in user can access his
files in that folder. The file paths
are stored in the database with the
logged in user id, so that when the
user logs in, he can view or download
only his files.
will require either creation of separate password files for each folder, or some additional scripting.
There are some known issues with this approach:
Basic authentication scheme sends passwords as a clear text, which is not good if your site is accessible by HTTP (not HTTPS). There's also Digest authentication type, but there were some problems with browser support
Logout operation will require browser closing
Generally, I'd recommend:
Apache built-in capabilities - for simple access control without detailed users privileges/rights configuration
Custom access control by means of some web programming tools - for authentication scheme with supposed priveleges/rights configuration. There are many web development frameworks, which provide access control feature.
thanks for your replies, between i found a code snippet that is working just fine.
I inserted the following lines in my .htaccess file:
Order deny, allow
deny from all
I have a structure like this:
/home
/home/dir1
/home/dir2
Now when someone goes to /home, he is asked for username and password (in a form) and I set session information in PHP for the remaining files of /home. Now /home/dir1 and /home/dir2 are protected by htpasswd but the same username and password. I dont want the user to re-enter their username and password again when they go to /home/dir1... Also when I logout from /home, I want to logout from /home/dir1 also. Can you please advice on how to achieve this?
This should be the default behaviour.
That is, if you are using Apache and .htaccess files to set up HTTP authentication, any rules you apply to a directory will also apply to its child directories, and it will be treated by the browser as all one login.
If you want it to act differently, ie if you wanted some sections of the site to be treated as requiring a completely separate login, you would specify a 'realm' for each section using the AuthName directive in .htaccess. More information here. However, if you don't do that, it will always be treated as all part of the same login.
The thing about HTTP authentication is that there is no way to 'log out', at least not unless the browser provides that feature. The only way most browsers will allow you to log you out is by ending the browser session (ie closing the browser). And yes, once you do this, you'll be logged out of /home, /home/dir1, /home/dir2 and all directories on all sites/realms.
In Apache as long as both folders have the same AuthName and are on the same site they should share a password.
Both directories might have a .htaccess file like so:
AuthName "My Protect Folder"
AuthType basic
AuthUserFile /somewhere/htusers
require valid-user