Password protect nested directories with .htaccess - apache

I have multiple directories that look something like this:
root
- directory 1
- directory 2
- directory 3
- sub directory 1
- sub directory 2
- sub directory 3
Root is protected with a .htaccess right now,
What im looking to do is Protect sub directory 1,2, and 3 with different usernames / passwords
Can this be done? If so how?
Right now my .htaccess file that is located in directory 3 looks like this:
AuthUserFile path/path/path/sub directory 1/ .htpasswd
AuthUserFile path/path/path/sub directory 2/ .htpasswd
AuthUserFile path/path/path/sub directory 3/ .htpasswd
AuthName "Please Log In"
AuthType Basic
require valid-user
however it doesnt work...and im getting Internal Error Server

You need a separate htaccess file in each of your subdirectories that point to the specific htpassword file. You can't separate which sub directories use which htpasswd file like you have in your htaccess.
Additionally, don't leave spaces in the page, apache will think you're referring to multiple parameters for a directive.
So in the htaccess file in each subdirectory, try something like:
AuthUserFile .htpasswd
AuthName "Please Log In"
AuthType Basic
require valid-user
but note, it's generally a really really bad idea to leave your password file in the webroot, allowing people to possibly download it.

Related

How do I lock a folder with htaccess file?

I am trying to lock a folder on my site with htaccess file
I created a htaccess file in the root and I created a htpasswd file inside the folder I want to lock
But the problem is that it does not work and I am banned from entering the entire site until I delete the "Require valid-user" from the .htaccess file in order to allow me to enter the site.
htaccess file
ErrorDocument 404 /404.html
#Protect Directory
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /fares/.htpasswd
Require valid-user
htpasswd file
fares:djefaflia
It does not work on the local server or on the hosting
AuthUserFile /fares/.htpasswd
The file-path provided to AuthUserFile should be an absolute filesystem path, not a root-relative URL-path (ie. relative to the document root) which is what this looks like.
The "absolute filesystem path" is the full file-path to the .htpasswd file on the server. For example, if the server path to your document root directory (where your HTML files are located) is /home/user/public_html and you are wanting to protect the directory /fares within your document root and you are storing the .htpasswd file inside that directory (although that is not recommended - see below) then the AuthUserFile directive should be like the following instead:
AuthUserFile /home/user/public_html/fares/.htpasswd
However, you should avoid storing the password file in the same directory you are protecting (for security reasons). Ideally, this file would be stored outside of the document root (ie. outside of the public HTML space). For example, you could mirror the file structure in a htpasswds directory above the document root in which you store all the relevant .htpasswd files on your system:
AuthUserFile /home/user/htpasswds/fares/.htpasswd
fares:djefaflia
As written, this does not "look" correct (unless you are intentionally trying to store plain text passwords - which won't work on Linux). How are you generating the password file? You should be using a tool like htpasswd.exe (that comes with Apache), or something similar that generates a hash of the password. For example, it should look more like this:
fares:$apr1$6Szn.sq3$7E6ZMJLBAZKWX.wmGRISu1

.htaccess password protection not working with domain on a folder

I have 2 domains mapped to the same server.
- Domain-A is mapped to public_html directory
- Domain-B is mapped to public_html/domainb directory
When I set a .htaccess user/password for directories that I access via the first domain (e.g. domain-a.com/wp-admin) everything works like a charm.
But when I try to set the same for directories that I access from the domain-b, I got a ERR_TOO_MANY_REDIRECTS error.
Below .htaccess code. Note that the very same code works on folders of the domain-a but not on domain-b:
AuthType Basic
AuthName "myuseradmin"
AuthUserFile "/home3/desempac/.htpasswds/public_html/domainb/wp-admin/passwd"
require valid-user
Any thoughts?
change the following line in your code accordingly :
AuthUserFile /path/to/password/file/.htpasswd
Make sure you located the .htpasswd file inside the folder that you want to protect it

htpasswd outsite the public html not accessible

On the webserver I use, I have multiple sites (subdomains). Some of these have an admin folder for quick edits for each site. In the admin folder I placed a .htaccess file, restricting access to it.
I have placed a htpasswd file outside the public_html folder(because that's what I read, I should), each password file, in a new directory.
So my folder/file structure so far:
/server/public_html/domain.com
/server/public_html/domain.com/admin/.htaccess
/server/domain_password/.htpasswd
The content of the .htaccess file, inside the admin folder:
#Block_External_Access
AuthType Basic
AuthName 'My Protected Area'
AuthUserFile /server/domain_password/.htpasswd
Require valid-user
The problem is, that in this case I get a big fat 500 server error. Looks like it cannot read the password file after all. If I move my htpasswd down to the domain folder, or the admin folder, and update the htaccess file correspondingly, it works.
Is there any setting somewhere, where prohibits my expected behaviour, or I'm missing something else?
Apparently, because the folder creation was automated, it gave the folder a permission of 600. Which was a bad decision. :D

htaccess specify directory and robot file

I hanv a htaccess file I block directories by
Options -Indexes
but I would like to allow admin directory. above code block admin directory too.
Second thing is some of hacker get all directory name of our site by search engine. if I disallow search engine for all secure directories in robots.txt file then hacker can read directories from robots.txt.
If I block .txt extention by
<FilesMatch "\.(htaccess|htpasswd|ini|txt|log|sh|inc|bak)$">
Order Allow,Deny
Deny from all
this htaccess code can search engine read my robots.txt file for other directories?
conclusion:
I would like to disallow all directories but allow admin directory. and also like to block secure directory from search engine.
I got answer for allow directory but second question not confirm that google can read or not.
You will need to password protect your /admin folder and turn on indexes in that folder. Add your protected files inside that folder. Google nor anyone else will be able to read them without the password you made and stored in .htpass.
For example /admin/.htaccess
AuthUserFile /var/www/vhosts/example.com/httpdocs/.htpass
AuthType Basic
AuthName "Administration"
require valid-user
Options +Indexes
Read more about Apache Module mod_authn_file

.htaccess and .htpasswd to prevent access to folder problem

I have a website admin area I want to protect with a password..
so inside the admin folder I put an .htaccess and .htpasswd files containing this:
.htaccess:
AuthUserFile C:/wamp/www/website_project/admin/.htpasswd
AuthName "Restricted Area"
AuthType Basic
Require valid-user
.htpasswd: (generated using an online tool)
admin:sOSDxAdJI4xx2
When I go to the admin folder, a popup is shown where I need to insert username and password... so until now its working fine, BUT no matter if I insert a correct password or not I get the same popup again when I hit 'enter', I can never access the folder...
Any suggestions?
Based on the AuthUserFile line, it looks like you're using Apache on Windows, which has a different default password encryption algorithm than other platforms. Try using the htpasswd command-line tool to generate the password and see if you still have the same problem.