I have several sub-domains all pointing to same directory in webroot. I want to passsword protect all sub-domains using .htaccess.
AuthUserFile /etc/httpd/passwd/.htpasswd
AuthType Basic
AuthName "Yet to release"
Require valid-user
When this snippet is put in .htaccess it doesn't work, but it works fine when I put this in each of the virtual host setup for each sub-domain.
I don't want to put this for all sub-domains and then remove later. Is there a way to protect all sub-domains at one go.
Thanks
The directory you are placing this .htaccess file in might not have Options and AllowOverride privledges set...
Place your .htaccess file into the directory that is root to all your subdomain DocumentRoot directories.
Then edit your httpd.conf file:
<Directory "/path/to/that/.htaccess/directory">
Options All
AllowOverride All
order allow,deny
allow from all
</Directory>
Retart Apache.
Related
So I am trying to run just a basic demonstration website using apache. I'm very new to the whole schema of how it works so I'm just testing basic authentication using both .htaccess and .htpasswrd to see if it will actually prompt. So far it has not. My current directory for my site on my pc (Centos 7) is /var/www/html/index.html is where my site is. and my conf files are located in /etc/httpd/(sites-available)/(sites-enabled) to where both files have this configuration :
#Basic Appache Config file for Demo site
Listen 127.0.0.1:80
<VirtualHost 127.0.0.1:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html/
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride ALL
Require all granted
</Directory>
</VirtualHost>
I figured this using .htaccess would yield the result I wanted.. and have also tried to do this method:
<Directory "/var/www/your_domain">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory>
</VirtualHost>
Neither of these has prompted my website for authentication whenever I go on firefox/chrome and go to local host. I have reset appache (httpd), multiple times, as well as disabled and re-enabled it to see if it was just that but also no luck. Any other recommendations I could try here? Or is it an error of syntax/httpd? Thanks to anyone with advice!
is there anyway to defy .htaccess? I mean to break what the rule written in the .htaccess file.
I have a directory, and I don't want others to browse it. So I created .htaccess file and wrote this
Deny from all
Is there anyway people can break it?
Nope this is radical. Nobody can access it. It is safe and commonly used. The deny is made server side, so nobody can try to bypass it.
.htaccess files are as secure as Apache allows you to.
See for example, assuming your .htaccess file is located in /var/www/foo:
<Directory />
Allow From All
AllowOverride All # allow .htaccess files globally
</Directory>
<VirtualHost *:80>
ServerName www.foo.com
DocumentRoot /var/www/foo # impossible to access, thanks to .htaccess
</VirtualHost>
<VirtualHost *:80>
ServerName www.bar.com
DocumentRoot /var/www/foo # same directory as above
<Directory /var/www/foo>
AllowOverride None # woops .htaccess will not be read, files can be accessed from this vhost
</Directory>
</VirtualHost>
Therefore there is no guarantee ever that your files are securely protected, as long as you don't know (and don't understand) how your apache installation is configured.
I've got a file accessible through my web website by typing http://www.mywebsite.com/myfile and the server run on debian.
I'd like to put an authentication with a .htaccess and .htpasswd when trying to access to previous url.
I'm quite new to .htaccess and I tried to configure it with the doc but it doesn't seems to work since when i try nothing change and when i check the error log I've got :
[error] [client IP] client denied by server configuration:
/home/file1/myfile/www/.htaccess
The content of my .htaccess is :
<Directory /home/file1/myfile/www/>
AuthUserFile /home/file1/myfile/.htpasswd
AuthGroupFile /dev/null
AuthName "My authentication"
AuthType Basic
Require valid-user
Otions Indexes FollowSymLinks Multiviews
AllowOverride All
Order allow,deny
allow from all
Redirect permanent /.htaccess http://www.mywebsite.com/myfile
ServerSignature Off
</Directory>
How may I solve this problem please ?
You can't use a <Directory> container in an htaccess file. Remove them so you just have:
AuthUserFile /home/file1/myfile/.htpasswd
AuthGroupFile /dev/null
AuthName "My authentication"
AuthType Basic
Require valid-user
Options Indexes FollowSymLinks Multiviews
AllowOverride All
Order deny,allow
deny from all
Redirect permanent /.htaccess http://www.mywebsite.com/myfile
ServerSignature Off
(you have Otions mispelled)
Also, by looking at your error, it looks as if you were trying to access the htaccess file directly, instead of myfile. It's possible there's extra configuration on the server to deny accessing htaccess files (or all files that start with a .).
It seems that deleting et creating again the user is enough to fix the FTP connexion problem.
I've modified my global apache configuration with the following :
DirectoryIndex index.html index.htm index.xhtml index.php index.txt
ServerName debian.domain.tld
#ServerName localhost
HostnameLookups Off
ServerAdmin myadressemail
UserDir www
UserDir disable root
<Directory />
Options -Indexes FollowSymLinks
AllowOverride All
</Directory>
ServerSignature Off
An now my .htaccess is :
AuthUserFile /home/file1/myfile/.htpasswd
AuthGroupFile /dev/null
AuthName "My authentification"
AuthType Basic
Require user user1
But I still have got no authentication asked, what did I do wrong ?
I am having trouble understanding how I can get to edit files on a WebDAV setup. I have set up the Auth correctly, as verified by loads of online tutorials, yet there are some files like .htaccess which I can't edit.
The contents of the VirtualHost setup are
<VirtualHost *:80>
ServerAdmin xxx
ServerName xxx
DocumentRoot /data/www/vhosts/xxx
<Directory /data/www/vhosts/xxx>
Options Indexes MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Location />
DAV On
AuthType Basic
AuthName "WebDAV Access"
AuthUserFile /data/www/.htpasswd-webdav
Require valid-user
</Location>
</VirtualHost>
I've generated the correct username in the file too, and I can log in successfully and see all the files. Like I say, the problem is that certain files are unreadable and unwritable, the main culprits being .htaccess and .gitignore.
I have set the permissions on all files to 664 and all folders to 775 and a user:group of xxx:www-data. The reason being that this allows PHP to read/write the files ok, and our remote login user xxx to do the same without permissions issues.
Is there something specific I need to do to allow reading writing to these hidden dot files? I'm completely stumped, as most tutorials I've read are telling me that if I don't set the rights on dot files to root:root then they will be writable. I am using a Mac to connect to the WebDAV service, which runs on Ubuntu, if this makes any difference
Just for clarity, all of the xxx in this question is to hide info.
So it seems that I can allow access to specific files using the below
<Files .htaccess>
order allow,deny
deny from all
</Files>
I forgot that .htaccess files are blocked over HTTP by default.
EDIT:
The final working setup, to make all files writeable in the webdav environment, with Digest secure authentication is:
<VirtualHost *:80>
ServerAdmin xxx
ServerName www.domain.name
DocumentRoot xxx
<Directory xxx>
Options Indexes MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<FilesMatch "\.(htaccess|php)$">
Order allow,deny
allow from all
ForceType text/plain
</FilesMatch>
<Location />
DAV On
AuthType Digest
AuthName "Webdav Access"
AuthDigestDomain / http://www.domain.name/
AuthDigestProvider file
AuthUserFile /data/www/digest.users
Require valid-user
php_value engine off
</Location>
</VirtualHost>
I hope this helps someone else. It took days to find all this info out on the web.
Also check the permissions of /data/www/ itself. It should be writable for the apache user.
I was wondering if it was possible to setup a conditional http basic auth requirement based on the virtual host URL in an .htaccess file.
For example what I want to do is have mysite.com and test.mysite.com run off the same code base in the same directory but password protect test.mysite.com. It would be setup this way so that I wouldn't need to branch my code since my app code can see which vhost/url it's being served from and pick the database to serve content from.
You can sort of kludge this by using mod_setenvif along with the mod_auth modules. Use the SetEnvIfNoCase directive to set which host is password protected. You'll need a couple of extra directives to satisfy access:
# Check for the hostname here
SetEnvIfNoCase HOST ^test\.mysite\.com\.?(:80)?$ PROTECTED_HOST
Then inside the Directory block (or just out in the open) you have your auth stuff setup, something like this:
AuthUserFile /var/www/test.mysite.com/htpasswd
AuthType Basic
AuthName "Password Protected"
Now for the require/satisfy stuff:
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=!PROTECTED_HOST
This will make it so any host that doesn't match ^test\.mysite\.com\.?(:80)?$ will have access without need for auth (Allow from env=!PROTECTED_HOST) but otherwise, we need a valid user (Require valid-user). The Satisfy any ensures that we just need one of the 2, either the Allow or Require.
I had problems implementing Jon's solution:
Although I am quite familiar with Apache conf and regular expressions, the authentication always fired. From a quick analyzes it looked like the Allow from env=!PROTECTED_HOST line did not kick in.
But I found another solution that actually looks safer to me:
I created two virtual hosts for the two domains pointing to the same document root (which is fully allowed by the way). In one of the vhosts I added the directives for basic auth (directly into the vhost directive block).
Works like a charm. And I have a better feeling that this is really safe - no risk to overlook any details in the regex pattern that would open up the gates for intruders.
<VirtualHost *:80>
ServerName www.mysite.com
DocumentRoot "/path/to/common/doc/root"
<Directory "/path/to/common/doc/root">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName protected.mysite.com
DocumentRoot "/path/to/common/doc/root"
<Directory "/path/to/common/doc/root">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
AuthUserFile /path/to/htpasswd
AuthName "Password please"
AuthType Basic
Require valid-user
</Directory>
</VirtualHost>
Here's a solution similar to what Jon Lin proposed, but using RewriteCond to check the host name:
RewriteEngine On
RewriteCond %{HTTP_HOST} =protected.hostname.com
RewriteRule ^.*$ - [E=DENY:1]
AuthUserFile /path/to/htpasswd
AuthName "Password please"
AuthType Basic
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=!DENY