How should I go about securing my Content Management System? It's entirely self-contained in a folder on the server, but I'm unsure about how to make it secure. Obviously, it's a pretty sensitive thing. I'd prefer not to use PHP, but if that's the only option then that's okay.
Thanks for any help on the subject.
You can use apache .htaccess to protect access to files with password.
For example
<Files administrator.php>
AuthType Basic
AuthName "Enter the password"
AuthUserFile /path/to/file/.htpasswd
Require valid-user
</Files>
You have to generate a .htpasswd file with username and password hash (http://www.web2generators.com/apache-tools/htpasswd-generator), place in a directory not visible from web and change the path in AuthUserFile.
If your CMS is stored in a folder on a server, you can create security on the folder level. Try right-clicking the folder and choosing 'Security' tab and set the appropriate permission.
Cheers.
Related
I want to password protect a directory on a web server. I make the .htaccess and .htpasswd files and everything works.
What if some day, the admin comes along and sets "AllowOverride None" in httpd.conf? Does that immediately make all of my secrets visible to the whole wide web?
Is there another way to password protect files on a web server without having to store a password in plain text and doesn't leave the protection at the mercy of an admin?
Place the files outside of your webroot and use a serverside (scripting) language like php or python and make/use a login system. The script can access to your files outside your webroot and send it to your browser.
I want to add a "admin log in" link to my website, where an admin can log in (using htaccess) and gain access to some hidden HTML elements. The idea is to use SSI to check if the REMOTE_USER is an admin,
<!--#if expr="$REMOTE_USER = 'admin'" -->
Edit entry
<!--#endif -->
then, the script edit.cgi also checks that the user is in fact admin, otherwise exiting.
The problem is, how can I do this such that guests don't see the login prompt? My idea was to set up htaccess in some subdirectory (eg ~/admin) and then have a link to a separate login page:
Click here to log in
This works for ~/admin/index.shtml (it "sees" REMOTE_USER=admin), but "outside" admin/ (eg. in ~/index.shtml) REMOTE_USER=(none).
My .htaccess file looks like this.
AuthName "Admin log in"
AuthType Basic
AuthUserFile /path/to/web/admin/.htpasswd
Require valid-user
My website is hosted on a standard web hosting service, so the things I can tweak is somewhat limited...
I have a portal with Login Authentication and after the user login to the website we are providing few links to the HTML files. This works perfect.
My concern is User's are able to access the HTML files without logging to the portal. I will not be able to convert the file to PHP as these files are huge and will be modified and updated regularly.
Please suggest how i can restrict the direct access to the HTML if the user is not logged in.
Tx
Suneel
Use .htaccess file to restrict access and authenticate user, then put your HTML files in subfolder related to location of that .htaccess file (so its restrictions would also apply). For example, you create .htaccess file with content like this:
AuthName "Enter password"
AuthType Basic
AuthUserFile /path-to-folder/.htpasswd
Require valid-user
then you create .htpasswd files which holds logins and password hashes. It will look like this (one line per user):
userlogin:8OytGCYCAPbS6
You can use some online .htpasswd generators like this one
I need to find a way to force Apache to ask users for credentials for each ressource they ask for under the root of my website.
This is my .htaccess content at the moment:
<Directory /var/www/vhosts/abcd>
Dav On
AuthType Basic
AuthName "private"
AuthBasicProvider external
AuthExternal auth
require valid-user
</Directory>
(This will call a Php script defined by auth.)
I want the user to authenticate again for each different ressource he might want to get, but keep the authentication alive when he successfully authenticate for a specific ressource.
Maybe I miss something about how I'm supposed to do this in an "Apache logic", anyway, any help will be apreciated !
Thanks.
Edit:
I misunderstood the way Apache authentication worked. I supposed that when someone was authenticated, he didn't need to authenticate again for any ressource under the same directory, but that's not true. If my PHP script use the current URI of the file requested, I can return a different status code depending one the right for someone to access it or not, even if he was granted access to the root for example.
Annoying the user every time he access a different resource is...well...annoying. Rather use an ACL (Access Control List) that your php auth script checks and denies access if the user doesn't have the correct permissions.
You're using basic authentication. So the browser is practically "authenticating again" for every request it makes: it remembers the authentication user/pass you entered end sends it with every request afterwards.
Can you please explain why you would want users to authenticate again and again? It might help us find a solution to your problem...
So I have a development site setup running Drupal. I've locked the site down with basic HTTPAuth + htpasswd to keep out baddies.
The problem is that a single node, a webform, needs to be accessible on this dev site from the live site.
My question is: because of Drupal's convoluted bootstrapping process how would I go about allowing access to only this single file/URL?
My vhost config for htpasswd:
<Directory />
AuthUserFile /var/www/.htpasswd
AuthName "my radbad dev site"
AuthType Basic
Require valid-user
</Directory>
I've tried something like the following without success:
<Location "/node/1334">
Allow from all
Satisfy any
</Location>
You can't do it like that, because the webform isn't a file, it's dynamically generated from info you gave Drupal (which it put in the DB). All Drupal URIs (apart from your uploaded files) are index.php sending you to the right place. There's no way to tell httpauth that sometimes index.php may be accessed freely and sometimes it requires auth.
There are several options for controlling access via a Drupal module, or (if your live site is Drupal) you could just give it the same webform, but no amount of tweaking around with httpauth will solve your problem.
<Location>-directives are applied after .htaccess is processed. This means, mod_rewrite already did its thing an the URL is now /index.php?q=node/1334. This is bad, because <Location> cannot be used for configurations based on the query string. See <Location> directive and How the sections are merged for details.
You will have to come up with a totally different solution, like making the Drupal database available under some other URL, that is not accessible from outside.
If you want to go the HTTP authentication route, consider the Secure Site module instead of editing .htaccess and creating a .htpasswd file. That's an error-prone process, while Secure Site gives you a form which you can use to type in a path you want excluded from securing. Even better, it uses the Drupal authentication system, so you can deny/allow people to the site based on Drupal roles and permissions.