I need to restrict access to all files stored in /sites/default/files/pdf/ on my Apache webserver. I have tried following FilesMatch expression, but that does not work.
<FilesMatch "sites/default/files/pdf">
AuthName "myauth"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPURL ....
AuthLDAPBindDN ....
AuthLDAPBindPassword ...
Require valid-user
</FilesMatch>
Even matching for specific filename does not work (<FilesMatch "sites/default/files/pdf/myfile\.pdf">). Am I missing something?
try the Directory tag (or the Location tag if it is the URL and not the file path). You can check out the Apache docs, but Directory tag is for referencing the file system whereas Location is for the URL. There are differences, in cases where multiple URLS/symlinks can point to same directory, but syntax and basic function is the same. Don't forget the Allow/deny
<Directory /sites/default/files/pdf>
Order Deny, Allow
Deny from all
AuthName "myauth"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPURL ....
AuthLDAPBindDN ....
AuthLDAPBindPassword ...
Require valid-user
</Directory>
OR
<Location /sites/default/files/pdf>
Order Deny, Allow
Deny from all
AuthName "myauth"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPURL ....
AuthLDAPBindDN ....
AuthLDAPBindPassword ...
Require valid-user
</Location>
Related
I run a testsystem with a htaccess basic auth:
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /var/www/html/.htpasswd
Require valid-user
I now want to disable this auth for all user who target the /api and /api/orders etc. of this server. I tried it with this:
SetEnvIf Request_URI "/api(.*)$" api_uri
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /var/www/html/.htpasswd
Require valid-user
Deny from all
Allow from env=api_uri
Satisfy any
But this does not work - mod_setenvif is enabled. Does anybody have an idea why this is not working?
Thanks!
Have it this way:
SetEnvIf Request_URI /api api_uri
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /var/www/html/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=api_uri
I normally just add a separate .htaccess file inside the api folder:
Satisfy any
I have a url www.mywebsite.com/admin and I want to password protect it using this
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user SomeUsername
However, the site is using a custom framework so /admin gets passed through index.php, so there isn't actually an admin folder so I can't put it in a .htaccess file in it. How can I protect that url using the above code?
You can combine mod_setenvif with mod_auth like this:
SetEnvIfNoCase Request_URI /admin SECURED
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user SomeUsername
Order allow,deny
Allow from all
Deny from env=SECURED
Satisfy any
I have a files server and I use mod_autoindex to server the files. I have a username and password in htaccess so only certain people can access the files. I have added another user to htpasswd but I would only like that user to access some of the files/folders.
Here is my htaccess file now:
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
<Files "filesForAnyUser\\*">
Require valid-user
</Files>
<Files "*">
Require user admin
</Files>
I'm sure I am doing something wrong but I can't find any good documentation on this.
If you have a folder called "filesForAnyUser" and a folder where you have files only for admin, you need to make 2 htaccess files. One in "filesForAnyUser":
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require valid-user
And one in the other directory:
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require user admin
So here is my final solution for anyone else.
Put the following in the root folder:
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require user admin
Put the following in any folder where admin and user1 can access the file:
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require user admin user1 #users separated by space or "Require valid-user" if all users
If you want to allow user1 to only access certain files you can use <FilesMatch>:
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require user admin
<FilesMatch "^(doc1.pdf|doc2.txt|doc3.docx)$">
Require user admin user1 #or valid-user
</FilesMatch>
This gives admin access to all files in that folder but user1 only access to the files listed in <FilesMatch>
Note: The files in <FilesMatch> are for the current directory and any sub directory. I'm not sure how to limit it to only the current directory.
I have several Mercurial repositories published using hgweb and secured with Apache 2.2
Is there any way to have multiple security configurations?
I'd like to have a default configuration for most repositories, and then separate configurations for specific repositories.
The httpd.conf file looks like this
WSGIScriptAlias /hg "C:/hg/hgweb/hgweb.wsgi"
<Directory "/hg/repo_one">
Order deny,allow
AuthType Basic
AuthName "R1 Secure Area"
AuthBasicProvider file
AuthUserFile c:/apache2.2/repo_one.pwd
Require valid-user
</Directory>
<Directory "/hg">
Order deny,allow
AuthType Basic
AuthName "Secure Area"
AuthBasicProvider file
AuthUserFile c:/apache2.2/passwords
Require valid-user
</Directory>
Here's what I did to get this working.
I moved the repository that needed separate security into its own directory that was a siblng, not a child, and made a copy of the hgweb.wsgi.
My directory structure now looks like this
c:\hg-pub\hgweb.wsgi
c:\hg-pub\hgweb.config
c:\hg-pub\repo-one\.hg
...
c:\hg\hgweb.wsgi
c:\hg\hgweb.config
c:\hg\repo-two\.hg
c:\hg\repo-three\.hg
And my httpd.conf file looks like this
WSGIScriptAlias /hg "C:/hg/hgweb.wsgi"
WSGIScriptAlias /pub/hg "C:/hg-pub/hgweb.wsgi"
<Directory "C:/hg-pub">
Order deny,allow
AuthType Basic
AuthName "R1 Secure Area"
AuthBasicProvider file
AuthUserFile c:/apache2.2/repo_one.pwd
Require valid-user
</Directory>
<Directory "C:/hg">
Order deny,allow
AuthType Basic
AuthName "Secure Area"
AuthBasicProvider file
AuthUserFile c:/apache2.2/passwords
Require valid-user
</Directory>
The important things to note are
The two repository locations are completely separate on disk
The two WSGIScriptAlias paths are completely independent
I have a new website I'm working on that the client wants to keep a secret, but at the same time, I want to put an under construction page with some info on it. I would like to have everything except index.html require a user/password--index.html would be available to everyone.
I have the following, but I'm not sure what I need to add:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/file/.htpasswd
AuthGroupFile /dev/null
require valid-user
There are too many files and possibly new files to say "for this set of files require a user/password".
I think it has something to do with something similar to:
<Files index.html>
order deny,allow
allow from all
</Files>
But I'm not exactly sure how.
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/file/.htpasswd
AuthGroupFile /dev/null
<Files "*">
Require valid-user
</Files>
<Files "index.html">
Allow from all
Satisfy any
</Files>
I used empi response almost exactly, but I realized that I'm loading a logo and reset-min.css on the under construction page, so I modified it like the following:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/examplecom/example.com/html/.htpasswd
AuthGroupFile /dev/null
<Files "*">
Require valid-user
</Files>
<FilesMatch "(index\.html|reset-min\.css|logo-temp\.gif)$">
Allow from all
Satisfy any
</FilesMatch>
have you tried reversing the order to first allow, then deny?
For further reading: apache htaccess directive are a good reference.