I know this is a common question, but I just can't figure out how to do it.
After many unsuccessful attempts, dozens of tutorials and SO posts I gave up and decided to ask a new question here.
So, this is what I have:
a vary basic file host without the ability to alter any Apache settings
a subdomain provider
following file and directory structure:
-root
|-subfolder1
|-subfolder2
|-subfolder1
|-index.html
|-somescript.php
Now I just want to protect the folder "subfolder2" and all of its contents.
I managed to protect a subfolder of a subfolder of the root directory, but not a subfolder within the root directory itself.
I am totally lost.
Please, can anybody help me out?
If I understood your question you want to forbid the access to any URL which has subfolder2 in it, if this is the case then please try placing these rules into your .htaccess file. Please make sure you clear your browser cache before testing your URLs.
RewriteEngine ON
RewriteCond %{REQUEST_URI} subfolder2 [NC]
RewriteRule ^ - [F]
WOW!
Your code was not needed.
All I had to do was clearing the cache and cookies and then the login prompt popped up. That simple.
Thanks for your effort though!
BTW. this is what I have done so far:
file and directory structure as follows:
-root
...
|-subfolder2
|-subfolder1
|-.htaccess
|-.htpasswd
|-index.html
|-script.php
.htaccess file:
AuthType Basic
AuthName "Protected Area"
AuthUserFile /users/XYZ/root/subfolder2/.htpasswd
Require valid-user
.htpasswd file:
MrX:$blah1blah2blah3.some.encoded.password
Cleared browser cache and cookies.
Now when I go to http://XYZ.domain.com/subfolder2 the "login" prompt pops up and that's all I needed.
There's no secret or vulnerable data in this folder, I just don't want bots and crawlers to browse it.
Many thanks anyway
stay safe and have a nice pre new years eve time
Related
Disclaimer: I have little to no knowledge of Apache, all the information posted here was pieced together from Google search results only, within 1 night.
--
I can't seem to get .htaccess to block only the sub-directories of my domain, could someone please help me?
My root domain: http://domain.com (/home/username/domain/)
The directory I'm trying to block is /home/username/domain/files/
In the /domain/ directory, I have modified the .htaccess file accordingly:
# Password Protect Directories #
AuthName "You shall not pass!"
AuthType Basic
AuthUserFile /home/username/domain/files.htpasswd
require valid-user
# END Password Protect Directories #
The problem is, this seems to password protect my root directory as well as the sub-directory specified.
--
I've tried moving this .htaccess file entry into a separate .htaccess file in the /domain/files/ directory, but then this doesn't work at all, nothing is password protected.
I'm not quite sure what I'm supposed to be doing here, I've read dozens of tutorials online, but none seem to help me beyond password protecting my entire root directory.
--
Can someone please explain to me how I can block multiple sub-directories only?
/domain/files/
/domain/software/
/domain/pictures/
etc...
Thanks!
--
Alternately, if anyone knows a better way to accomplish this, feel free to let me know.
There really is nothing to the authentication. You need to put the code in the .htaccess file in the sub-directory you want to protect. Also I would not put my password file in a publicly accessible location. Put it outside the root like in your home folder. So this code should go in your files folder.
# Password Protect Directories #
AuthName "You shall not pass!"
AuthType Basic
AuthUserFile /home/username/.htpasswd
require valid-user
# END Password Protect Directories #
Make sure apache can read your .htpasswd file and the correct ownership and permissions. Also try and clear your browser cache to test. I've seen that many times that it appears to not work until I clear the cache and then I get the prompt.
I'm totally new to XAMPP and I'm trying to set up the security for it as best as possible. I understand that it is beneficial to create an .htaccess file to password protect certain directories. There is a page/script that is built into xampp available at http://localhost/security/xamppsecurity.php that will generate one for you in the /htdocs/xampp directory. However, after I've gone and done this, I'm still not prompted for a password when I visit my site at http://localhost/xampp. I thought I should've been prompted for a username and password here? This is a difficult problem to search answers for so I apologize if this has been answered already.
I've made sure to close/re-open my browser and delete all history/cache/cookies. I also restarted the Apache service after creating the htaccess file.
the .htaccess file:
AuthName "xampp user"
AuthType Basic
AuthUserFile "C:\xampp\security\xampp.users"
require valid-user
C:\xampp\security\xampp.users is a valid file and it contains the username I setup and an encrypted password.
Try to copy your .htaccess file to the htdocs directory:
C:\xampp\htdocs\.htaccess
I hope it works ;)
Looks like .htaccess doesn't work on the htdocs\xampp directory.
in my htaccess I have below code which is used to save admin* area.
If I give wrong username password it keeps poping up for correct usrename but if I press cancel I can see my restriced area instead loading error page, what is wrong? thanks
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/mydirectory/.htpasswds/.htpasswd
AuthGroupFile /dev/null
<Files admin*>
require valid-user
</Files>
Your .htaccess doesn't protect for anything else than admin*.
If you have auto index option enabled for example, it doesn't match the pattern (but having DirectoryIndex set to adminindex for example do so).
Maybe the authentication prompt is related to a resource needed by the page (JS, css, image, favicon) and not the page itself.
Could you try to inspect HTTP response using curl or apache logs ?
This might give you a hint.
curl -vso/dev/null http://localhost/test/
I had this same issue. For me the problem was a RewriteRule in the htaccess folder in a directory above the one that was password protected.
I resolved my issue by adding RewriteEngine off to the top of the htaccess in the folder I was password protecting.
I found that this behavior occurred when .htaccess was present in the parent directory but not in the actual directory being accessed. Placing another .htaccess file in the directory being accessed stopped this behavior.
If you're using wordpress, it's a known issue. Solution here
I have a directory with a bunch of files in it & I don't want anybody to be able to access these files by either getting a directory listing or by guessing the file location & typing it in.... it should NOT allow them to download it.
I accomplished this by putting the below in my .htaccess file:
Options -Indexes
Order Allow,Deny
Deny from all
However, I want the user to be able to download the file ONLY IF they access it via a script (which is in a different directory) which will give them the download. At the moment with the above settings it doesn't work.
I thought of putting something like..
Allow from domain.com
But I'm not 100% sure what that means? Does that check where the REQUEST is coming from & hence it would work if the server requests access to that dir? ...or would it still not work as the user is still using the domain via the other script to access the dir?
If you dump the files with an "script" you can store your files outside the documentroot. So you need no htacces file.
Perhaps this is a better workaround.
One way is to redirect the user say to your home page when they try to access your downloadable files inside the folder sec_files in this example.
I researched on this when one of my clients who purchased secure download links a codecanyon product asked for a solution to protect a folder that contained images or downloadable.
the .htaccess code is below. this .htaccess file is placed inside the sec_files i.e downloadable files folder.
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/~sec_files/ [OR]
RewriteCond %{HTTP_HOST} ^www.satyamtechnologies.net$
RewriteRule ^(.*)$ http://www.satyamtechnologies.net [R,L]
See how it works when you access here, it will redirect you to home page but when you access it through a php script here it will let you download the same files.
I have a project that has .htaccess Authentication but i want to remove it for a certain assets folder.
i tried adding a htaccess in that folder with :
AuthType none
Satisfy Any
Allow from All
Order Allow, Deny
but it doesnt seem to work :(
Any thought on this. Thank you so much
Edit
The directory i am trying to unprotect is not a real directory, but a rewrite rule.
I dont have access to httpd.conf
Without seeing your full .htaccess I'm guessing, but what about something like this:
RewriteEngine On
RewriteRule ^assets/ - [E=allow-assets:1]
Allow from env=allow-assets
That could go in the .htaccess of the parent directory, not assets.
You could possibly do this if you have access to /etc/httpd.conf -- do you?