1

In my CakePHP app, I have a directory of files which I want to allow direct access to with a username/password. For reasons that are overly complicated, placing the directory inside the /webroot folder is not an option. My folder is located here:

/app/parent_folder/folder_full_of_files

So I want to be able to access files directly like this:

http://mysite.com/app/parent_folder/folder_full_of_files/some_file.pdf

I think I need to modify the .htaccess file in the root, and also add another .htaccess file and .htpasswd file in the folder_full_of_files.

I have already found this post which asks a similar question... but I can't translate it to my application.

  1. How do I need to modify the root .htaccess file?
  2. What should be in the new .htaccess file? Here's what I've tried, but it just results in a 500 error...

     AuthType Basic
     AuthName "restricted area"
     AuthUserFile /bla/bla/mysite/app/parent_folder/folder_full_of_files/.htpasswd
     require valid-user
    
  3. What is the correct way to encrypt the password in the .htaccess file?

Community
emersonthis

2 Answers

1

I got this to work. I had to do a couple things...

  1. I added this to the .htaccess file in root:

    RewriteCond %{REQUEST_URI} !^/app/parent_folder/folder_full_of_files
    

    As @Jon pointed out, my original version above had a mistake ([L]).

  2. I also have an .htaccess file in my /app directory. This might be a quirk about my installation because it is not 100% standard. I can't remember if it's there by default, so I'm mentioning it just in case. If you don't have one in /app, skip this step.

  3. I added this to an .htaccess file in the /folder_full_of_files:

    AuthType Basic
    AuthName "restricted area"
    AuthUserFile /bla/bla/mysite/.htpasswd
    require valid-user
    

    Make sure the path after AuthUserFile is a fully-qualified path to the .htpasswd file (see next step).

  4. Create the actual .htpasswd file. It's not supposed to be under the document root, but mine is. I think the most important thing is that it's not inside /webroot. I used this command from the terminal and it created the file:

    htpasswd -c /path/where/it/should/go/.htpasswd whatever_username
    

    It asks for a plain text password which gets encrypted and written into the file.

That's it. One annoying "gotcha" is that the path in the .htaccess to the auth file must be absolute, which means it will probably have to be edited when moving between local testing and production (unless the two environments are exactly the same). It would be less clunky if relative paths were allowed.

George Claghorn
emersonthis
0
  1. You don't need to modify the htaccess file in your document root at all
  2. Make sure you have AllowOverride AuthConfig or AllowOverride All configured for your /app/parent_folder/folder_full_of_files/ directory. Make sure that the directory also has a properly generated htpasswd file (named .htpasswd). You need to use the htpasswd program to generate it, or any number of online generators.
Jon Lin
  • For #2, what is the exact contents of the htaccess file that should go in `.../folder_full_of_files/`? Also, what is a "properly generated" .htpasswd file? I tried a couple online encrypters but they all returned different things. I tried the `htpasswd -c /bla/bla/.htpasswd username` command from the terminal and nothing happened. No error. No file. Nothing. – emersonthis Oct 11 '13 at 01:57
  • @Emerson What you have is all you need in the htaccess file in the folder that you want to protect. The `htpasswd` command should prompt for a password when you run that. If all else fails, look in your error logs to see what exactly is causing the 500 server error. – Jon Lin Oct 11 '13 at 02:26
  • I'm using Chrome's "REST Console" extension to send the request with Basic Authentication set to the matching username and plain text password. Should that (if set up correctly) work? – emersonthis Oct 11 '13 at 02:29
  • And, wait. Doesn't the .htaccess file in the root rewrite all URLs to /app/webroot? So would that intercept the direct request to folder_full_of_files/... first if I don't modify it from the CakePHP default? – emersonthis Oct 11 '13 at 02:31
  • I found the error. It's an Apache error: `[Thu Oct 10 22:34:48 2013] [alert] [client 127.0.0.1] /Applications/MAMP/htdocs/mysite/.htaccess: RewriteCond: unknown flag 'L' ` – emersonthis Oct 11 '13 at 02:37
  • @Emerson it's got nothing to do with the auth stuff. It's because you have a `RewriteCond` somewhere that has a `[L]` at the end. That's not a flag for rewrite conditions, only rules. – Jon Lin Oct 11 '13 at 03:26
  • Thanks. I found that late last night. – emersonthis Oct 11 '13 at 13:24
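
A pre-deployment check for the two failure points in this thread (a rule-only flag such as `[L]` on a `RewriteCond`, and the `AuthUserFile` path), as an added example that is not code from either answer. The function name `lint_htaccess`, the message texts and the sample site are assumptions constructed for illustration; the sample puts the rewrite and auth directives in one file for brevity.

```shell
#!/bin/sh
# lint_htaccess FILE DOCROOT: print one finding per line, nothing if clean.
lint_htaccess() {
    file=$1
    docroot=${2%/}
    # RewriteCond takes only NC/nocase, OR/ornext, NV/novary. A rule flag
    # such as [L] on a condition is a config error, so Apache answers 500.
    awk 'tolower($1) == "rewritecond" && NF >= 4 {
        flags = $4; sub(/^\[/, "", flags); sub(/\]$/, "", flags)
        n = split(flags, a, ",")
        for (i = 1; i <= n; i++)
            if (tolower(a[i]) !~ /^(nc|nocase|or|ornext|nv|novary)$/)
                printf "ERROR line %d: RewriteCond flag [%s] is not a condition flag\n", NR, a[i]
    }' "$file"
    # First AuthUserFile argument, with optional quotes stripped.
    path=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$file" | tr -d '"')
    [ -n "$path" ] || return 0
    case $path in
        /*) ;;
        *)  # mod_authn_file resolves a relative path against ServerRoot,
            # not against the directory holding this .htaccess.
            echo "ERROR: AuthUserFile '$path' is relative"
            return 0 ;;
    esac
    [ -f "$path" ] || echo "ERROR: AuthUserFile '$path' does not exist"
    case $path in
        "$docroot"/*) echo "WARN: AuthUserFile '$path' is under document root '$docroot'" ;;
    esac
    return 0
}

# Constructed sample: a site root whose .htaccess has the [L] mistake from
# this thread and keeps .htpasswd under the document root.
demo=$(mktemp -d)
mkdir -p "$demo/mysite"
: > "$demo/mysite/.htpasswd"
cat > "$demo/mysite/.htaccess" <<EOF
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/app/parent_folder/folder_full_of_files [L]
RewriteRule (.*) app/webroot/\$1 [L]
AuthType Basic
AuthName "restricted area"
AuthUserFile $demo/mysite/.htpasswd
Require valid-user
EOF
lint_htaccess "$demo/mysite/.htaccess" "$demo/mysite"
rm -rf "$demo"
```

Running it per environment before copying the files over also catches the absolute-path difference between local testing and production.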