Blocking a sub directory with .htaccess file in Apache - apache

Disclaimer: I have little to no knowledge of Apache, all the information posted here was pieced together from Google search results only, within 1 night.
--
I can't seem to get .htaccess to block only the sub-directories of my domain, could someone please help me?
My root domain: http://domain.com (/home/username/domain/)
The directory I'm trying to block is /home/username/domain/files/
In the /domain/ directory, I have modified the .htaccess file accordingly:
# Password Protect Directories #
AuthName "You shall not pass!"
AuthType Basic
AuthUserFile /home/username/domain/files.htpasswd
require valid-user
# END Password Protect Directories #
The problem is, this seems to password protect my root directory as well as the sub-directory specified.
--
I've tried moving this .htaccess file entry into a separate .htaccess file in the /domain/files/ directory, but then this doesn't work at all, nothing is password protected.
I'm not quite sure what I'm supposed to be doing here, I've read dozens of tutorials online, but none seem to help me beyond password protecting my entire root directory.
--
Can someone please explain to me how I can block multiple sub-directories only?
/domain/files/
/domain/software/
/domain/pictures/
etc...
Thanks!
--
Alternately, if anyone knows a better way to accomplish this, feel free to let me know.

There really is nothing to the authentication. You need to put the code in the .htaccess file in the sub-directory you want to protect. Also I would not put my password file in a publicly accessible location. Put it outside the root like in your home folder. So this code should go in your files folder.
# Password Protect Directories #
AuthName "You shall not pass!"
AuthType Basic
AuthUserFile /home/username/.htpasswd
require valid-user
# END Password Protect Directories #
Make sure apache can read your .htpasswd file and the correct ownership and permissions. Also try and clear your browser cache to test. I've seen that many times that it appears to not work until I clear the cache and then I get the prompt.

Related

htaccess and htpasswd protect a root subdirectory

I know this is a common question, but I just can't figure out how to do it.
After many unsuccessful attempts, dozens of tutorials and SO posts I gave up and decided to ask a new question here.
So, this is what I have:
a vary basic file host without the ability to alter any Apache settings
a subdomain provider
following file and directory structure:
-root
|-subfolder1
|-subfolder2
|-subfolder1
|-index.html
|-somescript.php
Now I just want to protect the folder "subfolder2" and all of its contents.
I managed to protect a subfolder of a subfolder of the root directory, but not a subfolder within the root directory itself.
I am totally lost.
Please, can anybody help me out?
If I understood your question you want to forbid the access to any URL which has subfolder2 in it, if this is the case then please try placing these rules into your .htaccess file. Please make sure you clear your browser cache before testing your URLs.
RewriteEngine ON
RewriteCond %{REQUEST_URI} subfolder2 [NC]
RewriteRule ^ - [F]
WOW!
Your code was not needed.
All I had to do was clearing the cache and cookies and then the login prompt popped up. That simple.
Thanks for your effort though!
BTW. this is what I have done so far:
file and directory structure as follows:
-root
...
|-subfolder2
|-subfolder1
|-.htaccess
|-.htpasswd
|-index.html
|-script.php
.htaccess file:
AuthType Basic
AuthName "Protected Area"
AuthUserFile /users/XYZ/root/subfolder2/.htpasswd
Require valid-user
.htpasswd file:
MrX:$blah1blah2blah3.some.encoded.password
Cleared browser cache and cookies.
Now when I go to http://XYZ.domain.com/subfolder2 the "login" prompt pops up and that's all I needed.
There's no secret or vulnerable data in this folder, I just don't want bots and crawlers to browse it.
Many thanks anyway
stay safe and have a nice pre new years eve time

htpasswd outsite the public html not accessible

On the webserver I use, I have multiple sites (subdomains). Some of these have an admin folder for quick edits for each site. In the admin folder I placed a .htaccess file, restricting access to it.
I have placed a htpasswd file outside the public_html folder(because that's what I read, I should), each password file, in a new directory.
So my folder/file structure so far:
/server/public_html/domain.com
/server/public_html/domain.com/admin/.htaccess
/server/domain_password/.htpasswd
The content of the .htaccess file, inside the admin folder:
#Block_External_Access
AuthType Basic
AuthName 'My Protected Area'
AuthUserFile /server/domain_password/.htpasswd
Require valid-user
The problem is, that in this case I get a big fat 500 server error. Looks like it cannot read the password file after all. If I move my htpasswd down to the domain folder, or the admin folder, and update the htaccess file correspondingly, it works.
Is there any setting somewhere, where prohibits my expected behaviour, or I'm missing something else?
Apparently, because the folder creation was automated, it gave the folder a permission of 600. Which was a bad decision. :D

.htaccess file ineffective at password protecting my xampp directory?

I'm totally new to XAMPP and I'm trying to set up the security for it as best as possible. I understand that it is beneficial to create an .htaccess file to password protect certain directories. There is a page/script that is built into xampp available at http://localhost/security/xamppsecurity.php that will generate one for you in the /htdocs/xampp directory. However, after I've gone and done this, I'm still not prompted for a password when I visit my site at http://localhost/xampp. I thought I should've been prompted for a username and password here? This is a difficult problem to search answers for so I apologize if this has been answered already.
I've made sure to close/re-open my browser and delete all history/cache/cookies. I also restarted the Apache service after creating the htaccess file.
the .htaccess file:
AuthName "xampp user"
AuthType Basic
AuthUserFile "C:\xampp\security\xampp.users"
require valid-user
C:\xampp\security\xampp.users is a valid file and it contains the username I setup and an encrypted password.
Try to copy your .htaccess file to the htdocs directory:
C:\xampp\htdocs\.htaccess
I hope it works ;)
Looks like .htaccess doesn't work on the htdocs\xampp directory.

Password protecting mamp:localhost

I've created a .htpasswd file and .htaccess to password protect my localhost. I have put both in my mamp folder (where my website folders are). I have encrypted the password put in my htaccess :
AuthUserFile /WorkArea/mamp/
AuthType Basic
AuthName "localhost"
Require valid-user
It has locked me out of my localhost by giving me a 500 internal error.
The discussion above fed to this solution:
It is important to understand that .htaccess and .htpasswd files have to be plain text files to work. So the best way to create and manage them is to use a plain text editor. Using some kind of word processor (like OpenOffice-Word or similar) will save additional formatting information into those files. This will lead to the http server not being able to make sense of those files, thus throwing an error.
Also some side note: the .htpasswd file should not be placed alongside the documents pubished by the http server. This is a high security risk. So .htaccess and .htpasswd style files must be stored at completely separate locations, the first within, the second outside the area of the documents.

Password protecting and only allowing one IP address to access a directory?

I have a directory on my website that I need to make sure no one but myself can get into. From the reading I've done, it looks like there are two ways to protect a directory:
Password protect the directory using the .htaccess file
Deny access to all IP addresses but my own from accessing the directory, also using the .htaccess file
I need to protect the files in the directory as securely as possible, so I figured I'd use both of those methods for double protection.
Question 1: Am I missing anything? (i.e. is there another layer of protection I can add?)
Question 2: What would I need to put in a .htaccess file to get the above to work?
Your .htaccess file would contain:
AuthUserFile /usr/local/nate/safe_place/.htpasswd
AuthGroupFile /dev/null
AuthName "Protected Files"
AuthType Basic
require user nate
order deny, allow
deny from all
allow from 127.0.0.1
The .htaccess file goes in the directory you're trying to protect.
You also need a .htpasswd file (shown above as /usr/local/nate/safe_place/.htpasswd) which contains the text username:password_hash. So if we use "nate" as an example and "secret" as the password (please don't use that) you get:
nate:XmN6pwFyy3Il2
You can use this tool to generate your own password file: http://www.tools.dynamicdrive.com/password/
Just make sure that no one can read your .htpasswd file. Also note that basic authentication does no encryption by itself. If you're on an open network, anyone can see your password and all the secret data going over the network. Make sure you visit your site via https if it's really that secret.
You can read more about .htaccess files here:
http://www.javascriptkit.com/howto/htaccess.shtml
Assuming you're running Apache and have an AllowOverride directive permitting .htaccess files to use <Limit>, the following should be a good starting place for you:
<Limit GET>
Order deny,allow
Deny from all
Allow from IP_ADDRESS_HERE
</Limit>
More documentation on <Limit>: http://httpd.apache.org/docs/current/mod/core.html#limit
and for access control: http://httpd.apache.org/docs/2.2/howto/access.html