I'm trying to use a .htaccess file to block access to a web server directory (including sub directories) unless a user logs in OR the the hosting server is trying to access a file.
To be more clear, the protected directory is a admin directory for a website.
In that directory there are files that are called by the server the site is hosted on, through http.
The server is running Apache 2.2.24.
This is what I have tried so far:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /..fakepath../.htpasswd
Require valid-user
Order Deny,Allow
Deny from all
Allow from localhost
Satisfy Any
It works for the user to login but the server can not access files.
I'm thinking that maybe I can not reference to the server as localhost?
Related
I am working in ColdFusion 11 with apache web server in windows hosting I have not more knowledge about basic authenticate and so I have little bit confuse about this
why does basic authentication type store password in
.htpasswd file so
not necessary to store database?
how to redirect request HTTP to https before entering in
password
prompt?
.htaccess file code which is working fine first authenticate completely then this redirect on HTTP to https but I want to set HTTP to https before entering a password here my httpd.config file virtual host code
<VirtualHost 112.192.12.16>
DocumentRoot C:/Apache24/htdocs/enovis53
ServerName test.example.com
ErrorLog logs/enovis-inc.com-error_log
CustomLog logs/enovis-inc.com-access_log common
</VirtualHost>
my .htaccess file code
AuthName "Example CLMS Production (v5.3.0.0)"
AuthType Basic
AuthUserFile "C:\Apache24\htdocs\enovis53\.htpasswd"
require valid-user
if anybody knows this then guide me I don't know this right thing to ask community all suggestion is acceptable thanks in advance
why does basic authentication type store password in .htpasswd file so not necessary to store database?
This is determined by AuthBasicProvider
Syntax: AuthBasicProvider provider-name [provider-name] ...
Default: AuthBasicProvider file
The AuthBasicProvider directive sets which provider is used to authenticate the users for this location. The default file provider is implemented by the mod_authn_file module.
So in your case, no provider is defined, and the default (file) is applied. If you want another provider, e.g. some db, specify dbm, ldap, ...
how to redirect request HTTP to https before entering in password prompt?
Usually, some directive is applied unconditionally, unless restricted somehow. To have the password requested only when HTTPS is active, you may try to enclose the Auth directives or at least the Require inside an If
<If "%{HTTPS} == 'on'">
AuthName "Example CLMS Production (v5.3.0.0)"
AuthType Basic
AuthUserFile "C:\Apache24\htdocs\enovis53\.htpasswd"
require valid-user
</If>
But now, all content is accessible without password, when requested via http://test.example.com. Don't forget to force https!
Unrelated, but note the security warning from AuthUserFile
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
I'm struggling with the htaccess system of apache.
My apache directories are set as follow:
www/ (Protected via /var/www/.htaccess)
www/public/ (Supposed to be unprotected via /var/www/public/.htaccess)
However i still can't access the public folder without the need to log in via my AuthType Basic from my www/.htaccess...
www/.htaccess:
AuthType Basic
AuthName "Acces restreint"
AuthUserFile "/var/www/.htpasswd"
Require valid-user
www/public/.htaccess:
AuthType None
Require All Granted
I really am not an expert in Apache so I may have missed the obvious.
Ok, I just figured out that what I was doing works but using H5AI as browser it needed to access the files.
I simply added a rule in the apache2.conf to prevent him being overwritten by the main directory .htaccess and all worked fine.
I am trying to protect my directory with apache password protection, basically their is a subdirectory named reg in my /var/www folder. now, I have .htaccess in the /var/www/reg folder and the content is
AuthUserFile /var/www/.htpasswd
AuthName "Please Log In"
AuthType Basic
require valid-user
and a .htpasswd file in /var/www folder and the content is
xyz:AFm9t1CfobrkA
but when I try to access the folder typing localhost/reg no pop up box appear asking for username and password. Where am I wrong?
I have .htaccess file like this:
AuthUserFile /data/www/.../http-users
AuthType Basic
AuthName "private"
require user cf
And it works. What you could do:
Detect the possible cause by looking into the error log. In many cases you have access to it even on hosting environments
Make sure AllowOverride AuthConfig is set. You cannot set it in .htaccess, you must do it in the server configuration file. In a hosting environment, you have to ask your hosting provider.
Not very likely, but it could be the dot - try to rename the .htpasswd file to htpasswd
Its definitelly not caused by missing the <directory> container as noted in the discussion
I have a subversion server running with apache. It authenticates users using LDAP in apache configuration and uses SVN authorizations to limit user access to certain repositories. This works perfectly.
Apache
DAV svn
SVNParentPath /srv/svn
SVNListParentPath Off
SVNPathAuthz Off
AuthType Basic
AuthName "Subversion Repository"
AuthBasicProvider ldap
AuthLDAPBindDN # private stuff
AuthLDAPBindPassword # private stuff
AuthLDAPURL # private stuff
Require valid-user
AuthzSVNAccessFile /etc/apache2/dav_svn.authz
Subversion
[groups]
soft = me, and, all, other, developpers
Adding anonymous access from one machine
Now, I have a service I want to setup (rietveld, for code reviews) that needs to have an anonymous access to the repository. As this is a web service, accesses are always done from the same server. Thus I added apache configuration to allow all accesses from this machine. This did not work until I add an additional line in the authorization file to allow read access to all users.
Apache
<Limit GET PROPFIND OPTIONS REPORT>
Order allow,deny
Allow from # private IP address
Satisfy Any
</Limit>
Subversion
[Software:/]
#soft = rw
* = r # <-- This is the added line
For instance, before I add the authorization from a specific IP, all users were authenticated, and thus had a name. Now, some accesses are done without a user name! I found the - user name in the apache log files, but the line - = r does not work, neither do anonymous = r. I'd like not to allow read access to everyone in SVN authorization. How can I do this?
Try putting this in your authz file:
[Software:/]
#soft = rw
$anonymous=r
Say I have a htaccess file shared by "dev.server" and "server.site.com".
The first domain should allow all users to access it unchallenged (it only exists on my local development server).
The second domain I want to authenticate users with Apache (NOT by database).
The code to authenticate users is:
AuthType Basic
AuthName "Server Admin"
AuthUserFile "/path/to/passwd"
require valid-user
What I can't do is make those 4 lines only matter if the domain is "server.site.com". How can I do this?
I searched for something like <IfEnv HTTP_HOST "site.server.com"> but had no luck.
This appears to work, still need to do some testing on it though.
Order Deny,Allow
Deny from all
SetEnvIf Host domain.for.no.auth dev
Allow from env=dev
AuthUserFile .pwd
AuthType Basic
AuthName MySite
Require valid-user
Satisfy Any
As far as I know, this can't be done in a .htaccess file. You'd have to put this into a Directory or VirtualHost section, both of which can't be used in a .htaccess file.
You would have to define it in two separate files, or directly in the server's configuration in the VirtualHost section.