I hanv a htaccess file I block directories by
Options -Indexes
but I would like to allow admin directory. above code block admin directory too.
Second thing is some of hacker get all directory name of our site by search engine. if I disallow search engine for all secure directories in robots.txt file then hacker can read directories from robots.txt.
If I block .txt extention by
<FilesMatch "\.(htaccess|htpasswd|ini|txt|log|sh|inc|bak)$">
Order Allow,Deny
Deny from all
this htaccess code can search engine read my robots.txt file for other directories?
conclusion:
I would like to disallow all directories but allow admin directory. and also like to block secure directory from search engine.
I got answer for allow directory but second question not confirm that google can read or not.
You will need to password protect your /admin folder and turn on indexes in that folder. Add your protected files inside that folder. Google nor anyone else will be able to read them without the password you made and stored in .htpass.
For example /admin/.htaccess
AuthUserFile /var/www/vhosts/example.com/httpdocs/.htpass
AuthType Basic
AuthName "Administration"
require valid-user
Options +Indexes
Read more about Apache Module mod_authn_file
Related
I am trying to lock a folder on my site with htaccess file
I created a htaccess file in the root and I created a htpasswd file inside the folder I want to lock
But the problem is that it does not work and I am banned from entering the entire site until I delete the "Require valid-user" from the .htaccess file in order to allow me to enter the site.
htaccess file
ErrorDocument 404 /404.html
#Protect Directory
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /fares/.htpasswd
Require valid-user
htpasswd file
fares:djefaflia
It does not work on the local server or on the hosting
AuthUserFile /fares/.htpasswd
The file-path provided to AuthUserFile should be an absolute filesystem path, not a root-relative URL-path (ie. relative to the document root) which is what this looks like.
The "absolute filesystem path" is the full file-path to the .htpasswd file on the server. For example, if the server path to your document root directory (where your HTML files are located) is /home/user/public_html and you are wanting to protect the directory /fares within your document root and you are storing the .htpasswd file inside that directory (although that is not recommended - see below) then the AuthUserFile directive should be like the following instead:
AuthUserFile /home/user/public_html/fares/.htpasswd
However, you should avoid storing the password file in the same directory you are protecting (for security reasons). Ideally, this file would be stored outside of the document root (ie. outside of the public HTML space). For example, you could mirror the file structure in a htpasswds directory above the document root in which you store all the relevant .htpasswd files on your system:
AuthUserFile /home/user/htpasswds/fares/.htpasswd
fares:djefaflia
As written, this does not "look" correct (unless you are intentionally trying to store plain text passwords - which won't work on Linux). How are you generating the password file? You should be using a tool like htpasswd.exe (that comes with Apache), or something similar that generates a hash of the password. For example, it should look more like this:
fares:$apr1$6Szn.sq3$7E6ZMJLBAZKWX.wmGRISu1
Disclaimer: I have little to no knowledge of Apache, all the information posted here was pieced together from Google search results only, within 1 night.
--
I can't seem to get .htaccess to block only the sub-directories of my domain, could someone please help me?
My root domain: http://domain.com (/home/username/domain/)
The directory I'm trying to block is /home/username/domain/files/
In the /domain/ directory, I have modified the .htaccess file accordingly:
# Password Protect Directories #
AuthName "You shall not pass!"
AuthType Basic
AuthUserFile /home/username/domain/files.htpasswd
require valid-user
# END Password Protect Directories #
The problem is, this seems to password protect my root directory as well as the sub-directory specified.
--
I've tried moving this .htaccess file entry into a separate .htaccess file in the /domain/files/ directory, but then this doesn't work at all, nothing is password protected.
I'm not quite sure what I'm supposed to be doing here, I've read dozens of tutorials online, but none seem to help me beyond password protecting my entire root directory.
--
Can someone please explain to me how I can block multiple sub-directories only?
/domain/files/
/domain/software/
/domain/pictures/
etc...
Thanks!
--
Alternately, if anyone knows a better way to accomplish this, feel free to let me know.
There really is nothing to the authentication. You need to put the code in the .htaccess file in the sub-directory you want to protect. Also I would not put my password file in a publicly accessible location. Put it outside the root like in your home folder. So this code should go in your files folder.
# Password Protect Directories #
AuthName "You shall not pass!"
AuthType Basic
AuthUserFile /home/username/.htpasswd
require valid-user
# END Password Protect Directories #
Make sure apache can read your .htpasswd file and the correct ownership and permissions. Also try and clear your browser cache to test. I've seen that many times that it appears to not work until I clear the cache and then I get the prompt.
i have almost 20 pages on server, but i want only a file named abc.php, which users can watch. i want if user forcefully open the other files like //example.com/some.php .htaccess shows 403 error.
<Files ~ "^(?!(changepwd|login|register|remind|securitycode|registersuggest)\.php$).*(\.php)$">
AuthName "Reserved Area"
AuthType Basic
AuthUserFile path_to/.htpasswd
AuthGroupFile path_to/.htgroup
Order Deny,allow
Require group allowed_groups
</Files>
this is the way i am currently using, but i think there can be more elegant solutions.
This .htaccess-file will only allow users to open index.php. Attempts to access any other files will result in a 403-error.
Order deny,allow
Deny from all
<Files "index.php">
Allow from all
</Files>
If you also want to use authentication for some of the files, you may simply add the content from your current file at the end of my example.
Its safest to move the files you don't want the users to access to a directory which is not in the root directory of the web server.
Like if the root directory of my site is this:
/var/www/html/my_web_site/public/index.php
I can put the non-public files in another directory like this:
/var/www/html/my_web_site/config.php
/var/www/html/my_web_site/auth.php
/var/www/html/my_web_site/db.php
And include the files like this in index.php:
include("../config.php");
include("../auth.php");
include("../db.php");
Whit this, you don't have to risk to accidentally delete or forget to copy the .htaccess file.
I have a directory on my website that I need to make sure no one but myself can get into. From the reading I've done, it looks like there are two ways to protect a directory:
Password protect the directory using the .htaccess file
Deny access to all IP addresses but my own from accessing the directory, also using the .htaccess file
I need to protect the files in the directory as securely as possible, so I figured I'd use both of those methods for double protection.
Question 1: Am I missing anything? (i.e. is there another layer of protection I can add?)
Question 2: What would I need to put in a .htaccess file to get the above to work?
Your .htaccess file would contain:
AuthUserFile /usr/local/nate/safe_place/.htpasswd
AuthGroupFile /dev/null
AuthName "Protected Files"
AuthType Basic
require user nate
order deny, allow
deny from all
allow from 127.0.0.1
The .htaccess file goes in the directory you're trying to protect.
You also need a .htpasswd file (shown above as /usr/local/nate/safe_place/.htpasswd) which contains the text username:password_hash. So if we use "nate" as an example and "secret" as the password (please don't use that) you get:
nate:XmN6pwFyy3Il2
You can use this tool to generate your own password file: http://www.tools.dynamicdrive.com/password/
Just make sure that no one can read your .htpasswd file. Also note that basic authentication does no encryption by itself. If you're on an open network, anyone can see your password and all the secret data going over the network. Make sure you visit your site via https if it's really that secret.
You can read more about .htaccess files here:
http://www.javascriptkit.com/howto/htaccess.shtml
Assuming you're running Apache and have an AllowOverride directive permitting .htaccess files to use <Limit>, the following should be a good starting place for you:
<Limit GET>
Order deny,allow
Deny from all
Allow from IP_ADDRESS_HERE
</Limit>
More documentation on <Limit>: http://httpd.apache.org/docs/current/mod/core.html#limit
and for access control: http://httpd.apache.org/docs/2.2/howto/access.html
I have a directory on my webserver. It does not have an index page. so when u access the directory via a web browser it lists the files in it. Now i want to create a htaccess file that can block the directory listing so that when you access it via the web browser, the files in the directory would not be listed but would be able to access the files by appending the name of the file you wish to access to the url making it a full part to the file. Also the htaccess file should be able to restrict access from all but files with a particular extention. Thanks.
Options -Indexes
Order allow,deny
Deny from all
<Files "*.gif">
Allow from all
Deny from none
</Files>
You can turn off the file listing for a particular directory in the directory's .htaccess with
Options -Indexes
OR
You could just put an empty index.html file in the directory you want to protect.
In the .htaccess file in your directory just put
Options -Indexes
As stated before.
Edited to remove the wrong htaccess setting. Again sorry