Prestashop - Page not found after protect admin directory - cpanel

I'm trying to protect my PrestaShop 1.6 admin directory via cPanel - Password Protect Directories, and when I enable the protection and try to access admin through the URL I'm redirected to a 404 page not found.
I have other websites with directory protection and I don't have this problem.

cPanel password protect should work but it is difficult to say why it is not working. But there is an alternative way. Instead of password protection, you can restrict the admin area using .htaccess. Just add the following to the .htaccess of your admin area:
Order Deny,Allow
Deny from all
Allow from 11.22.33.44
Allow from 12.34.56.78
You can add IP range or individual IPs.

Related

MediaWiki Login page restriction from specific IP address

I have a MediaWiki site that provides information about some software and products. It is not used for discussions, and only one admin can create pages. I prevent users from creating their own accounts, and that is working fine.
As a slightly higher level of security, I would like to restrict login to the admin panel to just one specific IP address.
For WordPress, I do it in Apache2 in the following way:
<Directory "/opt/htdocs/www.xxxx.xxx/wp-admin">
Require all denied
Require ip a.b.c.d
Require ip e.f.g.h
</Directory>
How can I do the same, but with MediaWiki?

How to enable access to URL in Apache while restricting access to the 'parent' URL?

I'm trying to enable access to a specific URL /a/b for an IP address which otherwise has no access at all to the web site. I'm using Apache httpd server version 2.4.
The web application is primarily served by invoking the URL /a. I don't want to give this particular IP address access to the main application at /a, but only to one specific page at URL /a/b.
I added this to the configuration file:
<Location "/a/b">
Require ip xxxx.xxxx.xxxx.xxxx
</Location>
but access to /a/b from the IP address doesn't work, with this error message being logged to the error_log file:
AH01630: client denied by server configuration: /var/www/a
Access to /a/b only works if I grant permission also to the /a URL with the following added:
<Location "/a">
Require ip xxxx.xxxx.xxxx.xxxx
</Location>
But this means that the IP address has access to /a, which is the URL for the entire application.
It seems that Apache won't grant access to the IP for the /a/b URL without it also being given access to /a, which I don't want to do.
Can anyone tell me how to grant access to the URL /a/b without also granting access to /a? Thanks.

How to block an IP after 5 attempts to the reset password section in Prestashop

Is there any module or code to ban/block an IP from accessing my site after 5 attempts on the reset password section in PrestaShop? Recently my site was attacked from a specific IP at least 20000 times. They accessed my site's password reset form.
You should ask your hosting provider about this; they must have a monitor on this section, meaning that the server will automatically block these attempts (in the firewall).
You can use a .htaccess file if you know which IP you want to ban (first line not mandatory):
Order Deny,Allow
Deny from 1.1.1.1
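
How Apache's Order/Deny/Allow rules resolve for a given client address, covering both the admin allowlist from the first answer and the single-IP ban just above, as an added Python example (not code from any of the posts). It handles `all`, full and partial IPv4 addresses and CIDR ranges but not host names; the function names and the client addresses tested are constructed.

```python
import ipaddress

def _net(spec):
    """Convert one Allow/Deny argument to a network; None stands for 'all'."""
    if spec.lower() == "all":
        return None
    if "/" not in spec and ":" not in spec:
        octets = [o for o in spec.split(".") if o]
        if len(octets) < 4:  # partial IPv4 such as "10.1" means 10.1.0.0/16
            spec = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return ipaddress.ip_network(spec, strict=False)

def parse(rules):
    order, allow, deny = "deny,allow", [], []  # Deny,Allow is the default Order
    for line in rules.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0].lower() == "order":
            order = words[1].lower()
        elif len(words) >= 3 and words[0].lower() in ("allow", "deny") \
                and words[1].lower() == "from":
            target = allow if words[0].lower() == "allow" else deny
            target.extend(_net(w) for w in words[2:])
    return order, allow, deny

def _hit(nets, ip):
    return any(n is None or ip in n for n in nets)

def allowed(rules, client_ip):
    """True if the rule set lets client_ip through."""
    order, allow, deny = parse(rules)
    ip = ipaddress.ip_address(client_ip)
    a, d = _hit(allow, ip), _hit(deny, ip)
    if order == "allow,deny":
        return a and not d   # default deny; a Deny match always wins
    return a or not d        # deny,allow: default allow; an Allow match wins

# Rule sets copied from the answers; client addresses below are constructed.
ADMIN_ALLOWLIST = ("Order Deny,Allow\nDeny from all\n"
                   "Allow from 11.22.33.44\nAllow from 12.34.56.78")
SINGLE_BAN = "Order Deny,Allow\nDeny from 1.1.1.1"

if __name__ == "__main__":
    for name, rules in (("allowlist", ADMIN_ALLOWLIST), ("ban", SINGLE_BAN)):
        for ip in ("11.22.33.44", "1.1.1.1", "203.0.113.9"):
            print(name, ip, "allowed" if allowed(rules, ip) else "denied")
```

The ban rule set only stops the one listed address and every other client still reaches the form, which is why the rate-based blocking mentioned in the other answer has to happen elsewhere.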

.htaccess AuthUserFile has no effect or is being ignored

After hours of searching the web and trying dozens of unsuccessful solutions - here is my question.
I'm currently configuring a webserver on RHEL 6.4 and httpd 2.2.15 behind another RHEL 6.4 server using squid 3.1.10 and HTTPS only. I'm also using mod_rpaf to simplify logging and identification of visitors behind the proxy.
My problem is to configure a simple password protected folder. When I try to access the folder, the password dialog pops up with the configured AuthName. So I know that the .htaccess is being parsed. But the dialog does not accept the correct credentials and gives me an error 401.
I messed around with:
different permissions for .htaccess, .htpasswd and parent folders
different absolute locations for the .htpasswd
all activated Apache modules that are available on my system
different encryption algorithms for .htpasswd (crypt, md5, sha, salted sha...)
AllowOverride All on the protected and parent folder
But what I really do not understand is that even if I put a wrong location for AuthUserFile there is no error message in Apache's error_log like the well-known Permission denied: Could not open password file, even on LogLevel debug. Therefore I think that something is wrong with the AuthUserFile directive.
I hope there is someone out there knowing better methods to identify the problem.
This is my simple .htaccess I'm using for testing:
AuthType Basic
AuthName "Test123"
#AuthUserFile /var/www/test/.htpasswd
AuthUserFile /notexisting
Require valid-user
Finally I got it to work!
I tracked the error down to the squid reverse proxy by using lynx on my webserver and successfully accessing the protected folder from there.
With my new focus on squid I started googling again. Already the first link took me to the correct answer: squid did not allow the apache to handle user authentication.
Resolution:
Add login=PASS to the cache_peer command in your squid.conf

Password protecting and only allowing one IP address to access a directory?

I have a directory on my website that I need to make sure no one but myself can get into. From the reading I've done, it looks like there are two ways to protect a directory:
Password protect the directory using the .htaccess file
Deny access to all IP addresses but my own from accessing the directory, also using the .htaccess file
I need to protect the files in the directory as securely as possible, so I figured I'd use both of those methods for double protection.
Question 1: Am I missing anything? (i.e. is there another layer of protection I can add?)
Question 2: What would I need to put in a .htaccess file to get the above to work?
Your .htaccess file would contain:
AuthUserFile /usr/local/nate/safe_place/.htpasswd
AuthGroupFile /dev/null
AuthName "Protected Files"
AuthType Basic
require user nate
order deny,allow
deny from all
allow from 127.0.0.1
The .htaccess file goes in the directory you're trying to protect.
You also need a .htpasswd file (shown above as /usr/local/nate/safe_place/.htpasswd) which contains the text username:password_hash. So if we use "nate" as an example and "secret" as the password (please don't use that) you get:
nate:XmN6pwFyy3Il2
You can use this tool to generate your own password file: http://www.tools.dynamicdrive.com/password/
Just make sure that no one can read your .htpasswd file. Also note that basic authentication does no encryption by itself. If you're on an open network, anyone can see your password and all the secret data going over the network. Make sure you visit your site via https if it's really that secret.
You can read more about .htaccess files here:
http://www.javascriptkit.com/howto/htaccess.shtml
Assuming you're running Apache and have an AllowOverride directive permitting .htaccess files to use <Limit>, the following should be a good starting place for you:
<Limit GET>
Order deny,allow
Deny from all
Allow from IP_ADDRESS_HERE
</Limit>
More documentation on <Limit>: http://httpd.apache.org/docs/current/mod/core.html#limit
and for access control: http://httpd.apache.org/docs/2.2/howto/access.html
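
A small audit for the .htaccess and .htpasswd patterns in the answers above, as an added Python example (not code from the posts): it flags whitespace inside the Order argument, <Limit> sections (which restrict only the methods they list), Satisfy Any, and password hashes stored as DES crypt or unsalted SHA-1. The sample file contents, function names and finding labels are constructed for illustration.

```python
import re

def audit_htaccess(text):
    """Return (line, finding, detail) tuples for the pitfalls discussed above."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        low = line.lower()
        if not line or line.startswith("#"):
            continue
        limit = re.match(r"<limit\s+([^>]+)>", low)
        if limit:
            # Rules inside <Limit> apply only to the listed methods.
            findings.append((n, "limit-scope", limit.group(1).upper().split()))
        elif low.startswith("order") and re.search(r"\s,|,\s", line):
            # Apache expects "deny,allow" as one argument, no whitespace.
            findings.append((n, "order-whitespace", line))
        elif low.split() == ["satisfy", "any"]:
            # Password OR address is enough, so the two layers do not stack.
            findings.append((n, "satisfy-any", line))
    return findings

def htpasswd_schemes(text):
    """Map each user to (scheme, weak) judged from the hash prefix or length."""
    result = {}
    for raw in text.splitlines():
        user, sep, digest = raw.strip().partition(":")
        if not sep or user.startswith("#"):
            continue
        if digest.startswith("$2y$"):
            result[user] = ("bcrypt", False)
        elif digest.startswith("$apr1$"):
            result[user] = ("apr1-md5", False)
        elif digest.startswith("{SHA}"):
            result[user] = ("sha1-unsalted", True)
        elif len(digest) == 13:
            result[user] = ("des-crypt", True)  # only 8 password chars count
        else:
            result[user] = ("unknown-or-plaintext", True)
    return result

# Constructed samples modelled on the snippets in the answers above.
SAMPLE_HTACCESS = ("AuthType Basic\nrequire user nate\norder deny, allow\n"
                   "deny from all\nallow from 127.0.0.1\n<Limit GET>\nDeny from all\n</Limit>\n")
SAMPLE_HTPASSWD = "nate:XmN6pwFyy3Il2\nalice:$2y$05$constructedPlaceholderHash\n"

if __name__ == "__main__":
    print(audit_htaccess(SAMPLE_HTACCESS))
    print(htpasswd_schemes(SAMPLE_HTPASSWD))
```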