0

A user enters my website and arrives at the home page; he/she should always and only be at the home page. All other files are scripts that are run by the home page, but the user should never navigate to them. So here's my directory layout:
[image: directory listing]

They will arrive at Front.php and should always stay at Front. So I created an htaccess file that has this code:

DirectoryIndex Front.php index.html
AuthType Basic
AuthName "Login"
AuthUserFile /disks/*/*/*/.htpasswd
Require valid-user

Right now, EVERYTHING requires authentication. But I want everything except Front.php to require authentication. How can I exclude Front.php from the authentication?

Also, will this authentication prevent the scripts from running or does it just prevent the user from navigating TO the file via url?

Charlie Yabben

4 Answers

2

Right now, EVERYTHING requires authentication. But I want everything except Front.php to require authentication. How can I exclude Front.php from the authentication?

Try:

SetEnvIfNoCase Request_URI ^/Front\.php norequire_auth=true

# Auth stuff
AuthType Basic
AuthName "Login"
AuthUserFile /disks/*/*/*/.htpasswd

# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "norequire_auth" var is set
Allow from env=norequire_auth

This uses the Satisfy directive and sets it to any, meaning either the Require valid-user or the Allow is good enough. The variable norequire_auth only gets set when the URI is /Front.php. You can add additional whitelisted URIs if you want by including additional SetEnvIfNoCase directives.

Also, will this authentication prevent the scripts from running or does it just prevent the user from navigating TO the file via url?

It won't prevent the scripts from running if you include them via an include or require. But if you directly link to them from Front.php's HTML content, the login dialog will pop up for Front.php.

Jon Lin
  • You are wise in the ways of access! – Kato Oct 12 '12 at 19:25
  • @JonLin So this is what my htaccess file looks like now: [htaccess](http://pastie.org/5046709). But when I navigate to `www.domain.com/Folder/Front.php` it still requires authentication. Any ideas why? – Charlie Yabben Oct 12 '12 at 19:28
  • @CharlieYabben well, if `/Folder/Front.php` is the one you want to exclude, then you need to put that in `SetEnvIfNoCase`'s regular expression. i.e. `^/Folder/Front.php` – Jon Lin Oct 12 '12 at 19:29
  • @JonLin Oh so does this go in the root directory? The directory image I'm showing in my post is just 1 folder in a larger directory, it is `www.domain.com/Folder` – Charlie Yabben Oct 12 '12 at 19:31
  • @CharlieYabben No, the htaccess file goes into the directory you want to protect, but the `Request_URI` is going to be everything after the hostname in the URL, so everything after `http://www.domain.com` – Jon Lin Oct 12 '12 at 19:33
  • @JonLin okay good, so here's my updated [htaccess](http://pastie.org/5046709) but it's the same problem as before. When I try to navigate to the page, `www.domain.com/Folder/Front.php` it still wants authentication – Charlie Yabben Oct 12 '12 at 19:35
  • @CharlieYabben ***`Allow from env=norequire_auths`***, is that "s" supposed to be there or is it a typo? – Jon Lin Oct 12 '12 at 19:36
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/17954/discussion-between-charlie-yabben-and-jon-lin) – Charlie Yabben Oct 12 '12 at 19:40
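Jon Lin's snippet uses the Apache 2.2 access-control directives (Order, Deny, Allow, Satisfy); on Apache 2.4 those only work when mod_access_compat is loaded. The following is an added example, not code from the answer or from the original post, that expresses the same exclusion in 2.4's native authorization syntax. It assumes the layout from the comment thread (the site is served under http://www.domain.com/Folder, so Request_URI is /Folder/Front.php) and uses a placeholder path for the password file.

```apache
# Added example (Apache 2.4 syntax), not part of the answer above.
# Lives in /Folder/.htaccess; assumes the site is served under /Folder.
AuthType Basic
AuthName "Login"
# Placeholder: put the real path of the htpasswd file here.
AuthUserFile /path/to/.htpasswd

# Mark the single public entry point. Request_URI carries no query string,
# and the ^...$ anchors keep names like Front.php.bak or Front.phpx from
# matching, which an unanchored pattern would silently allow.
SetEnvIfNoCase Request_URI "^/Folder/Front\.php$" norequire_auth

# Grant access if EITHER condition holds (the 2.4 equivalent of "Satisfy any"):
<RequireAny>
    # 1. the request is for the whitelisted entry point
    Require env norequire_auth
    # 2. or the client authenticated against AuthUserFile
    Require valid-user
</RequireAny>
```

Everything else in /Folder that a browser can request still prompts for a password. PHP include/require calls made by Front.php are unaffected, because PHP reads those files from disk rather than through an HTTP request, which is the answer to the second half of the question. If the server rejects `<RequireAny>` with a 500 error and an .htaccess syntax complaint in the error log, it is an Apache 2.2 host and Jon Lin's original form is the one to use; the reverse failure points at a 2.4 host without mod_access_compat.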
1

You say you don't want to be able to enter other scripts, but you add authentication to it.

If you don't want to execute those scripts directly, it's better to move them out of the public_html folder, so they cannot be reached from outside at all. You will still be able to include/require them in front.php.

Admin scripts can easily be moved to a subdirectory on which you can add authentication from .htaccess. If you want to add authentication to some files, but not all, you can also choose to send the required headers from the PHP scripts.

You often see a check like this at the start of a file:

defined('MYAPPDEFINE') || die('No direct access allowed');

In the entry page (index.php, front.php, whatever), you can add this line:

define('MYAPPDEFINE', 'Whatever value');

This way, every file that is called directly will die and terminate immediately, but when it is included from front.php, the check succeeds and the file is included.

GolezTrol
  • Just trying to wrap my head around this. So if I add authentication to a file, such as Insert.php. Then when Front.php calls it, will it not respond if you don't have authentication? – Charlie Yabben Oct 12 '12 at 19:24
  • +1 for pointing out the obvious: organization is worth a thousand lines of code! @CharlieYabben What does "calls it" mean? If they are included or required, they will not require authentication. But if they are in an .htaccess protected directory, and visited via HTTP they would trigger a login request. – Kato Oct 12 '12 at 19:28
  • Yes it will, but you could do that for files that are entry files for admin pages. Pages that are not entries at all should not be able to be called directly. Preferably move them up a directory so they cannot be reached through a URI, and/or just let them `die` (added an extra paragraph to the answer about that). – GolezTrol Oct 12 '12 at 19:31
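As an added illustration of the approach in this answer (not code from the answer or the original post), the following .htaccess refuses every HTTP request for a subdirectory that holds include-only scripts, while Front.php one level up still includes them from disk. It assumes a layout in which Front.php stays in the site's web-accessible folder and the helper scripts are moved into a lib/ subdirectory; both directive forms are given because Apache 2.2 and 2.4 differ.

```apache
# Added example, not from the answer: /Folder/lib/.htaccess
# Layout assumed:
#   /Folder/Front.php        <- the only page a browser should reach
#   /Folder/lib/Insert.php   <- include-only helper, never served directly
#   /Folder/lib/.htaccess    <- this file
#
# Apache 2.4: refuse every request for anything under lib/.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 (mod_authz_host): same effect with the older directives.
# The "!" form keeps this block out of a 2.4 server, where Order/Deny
# would be a syntax error unless mod_access_compat is loaded.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

A browser asking for /Folder/lib/Insert.php now gets a 403, whereas `require __DIR__ . '/lib/Insert.php';` inside Front.php still works, since PHP opens the file through the filesystem and never goes through Apache's request handling. Moving lib/ above the document root removes even that 403 surface, and the `defined('MYAPPDEFINE') || die(...)` guard from the answer adds an application-level layer that survives if the .htaccess is ever lost or overrides are disabled on the host, something the asker notes they cannot check.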
0

Use this ruleset:

<FilesMatch "^((?!Front\.php).)*$">
AuthType Basic
AuthName "Login"
AuthUserFile /disks/*/*/*/.htpasswd
Require valid-user
</FilesMatch>

<Files "Front.php">
allow from all
</Files>
raidenace
  • Append it to the existing .htaccess file (put it at the bottom)? Tried that it still wants authentication to access Front.php – Charlie Yabben Oct 12 '12 at 19:12
  • @CharlieYabben: I have updated my answer. You need to specify the password rule for all files **other than** Front.php. Check my updated answer. – raidenace Oct 12 '12 at 19:31
  • @CharlieYabben: Strange because it works for me. Front.php runs without auth and for every other file it asks me for a username/password.. – raidenace Oct 12 '12 at 20:05
  • Is there something I should put before/after this? I'm running on an Apache server, so are there any settings I have to enable? – Charlie Yabben Oct 12 '12 at 20:49
  • Check if httpd.conf allows .htaccess overrides. Also, did you say that right now ALL files are being password protected? – raidenace Oct 12 '12 at 20:52
  • I can't actually check that... I'm just creating a website for an organization and I don't have admin access to their webserver. But this is what my htaccess file looks like now: [pastie](http://pastie.org/5047669). And yes, everything is protected. I can't access a single thing (files, folders) without the auth – Charlie Yabben Oct 12 '12 at 21:01
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/17957/discussion-between-charlie-yabben-and-raidenace) – Charlie Yabben Oct 12 '12 at 21:03
0

Use this .htaccess content to prevent people from requesting anything but front.php:

RewriteEngine On

RewriteCond %{THE_REQUEST} !front.php [NC]
RewriteRule .* - [F,L]

Now only front.php will be available to anyone accessing your Apache.

BTW - as far as I know - you can force Apache to authenticate anything in a particular directory but not single files.

Artur
  • for some reason this is blocking access to all files including Front.php. Did you mean to say `RewriteCond %{REQUEST_URI} !Front.php [NC]`? – Charlie Yabben Oct 12 '12 at 19:47
  • @Charlie: Actually [NC] flag says NoCase which means that access will be forbidden to any files but FRONT.PHP, FrONT.pHP etc regardless of case. I've checked these lines and they are working fine. If not working for you - block your other rule creating .htaccess with only these 3 lines first for tests. – Artur Oct 13 '12 at 09:20