Currently I am trying to prevent access to a directory on my apache2 web-server via .htaccess and basic authentication:

AuthType Basic
AuthName "Private"
AuthUserFile ?/.htpasswd
require valid-user

Let's say the directory path is /foo/bar, so .htaccess as well as .htpasswd are located under /foo/bar/.htaccess and /foo/bar/.htpasswd.

Absolute addressing from /foo/bar/.htpasswd doesn't work. My user account has no permissions to access /.

I already tried to address it relative from within the directory. But apache2 resolves relative addresses from the apache2 root directory, i.e. /etc/apache2/.

Actually I only have access to edit content within /foo/bar. I have no control over apache2, either.

Question: How to address the .htpasswd file for AuthUserFile under given limitations?

magic_al
  • **Absolute addressing from /foo/bar/.htpasswd doesn't work**: Can you clarify what is the problem in this? – anubhava Oct 02 '14 at 08:30
  • Apache's error log states that it cannot access the file. That's it. I'm pretty sure, though, that the path is correct since I checked it several times. – magic_al Oct 02 '14 at 10:14

2 Answers

"It cannot access the file" simply means your full path to the password file isn't correct.

It needs to be the full system path, i.e.:

AuthType Basic
AuthName "Private"
AuthUserFile /home/jsmith/foo/bar/.htpasswd
require valid-user
anubhava
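
An added example, not part of the original question or answers: run from a shell inside the protected directory, these functions print the auth block with AuthUserFile set to the directory's full filesystem path, and list any path component the server could not use. The function names are made up for this example, and the permission check assumes the Apache worker runs as a user covered by the "other" permission bits.

```shell
#!/bin/sh
# Added example; abs_dir, htaccess_block and blocked_components are
# hypothetical helper names, not Apache tooling.

# Physical absolute path of directory $1 (symlinks resolved).
abs_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# Print the basic-auth block for directory $1, with AuthUserFile set to the
# full filesystem path of the .htpasswd stored in that directory.
htaccess_block() {
    dir=$(abs_dir "$1") || return 1
    [ -f "$dir/.htpasswd" ] || { echo "no .htpasswd in $dir" >&2; return 1; }
    printf 'AuthType Basic\nAuthName "Private"\n'
    printf 'AuthUserFile "%s/.htpasswd"\nrequire valid-user\n' "$dir"
}

# Print every component of absolute path $1 that "other" users cannot use:
# the file needs o+r, each parent directory up to / needs o+x.
# Assumption: the server process is neither the owner nor in the group.
blocked_components() {
    p=$1
    case $p in /*) ;; *) echo "need an absolute path" >&2; return 1 ;; esac
    case $(ls -ld "$p" | cut -c1-10) in
        ???????r??) ;;                 # readable by others
        *) echo "$p" ;;
    esac
    while [ "$p" != / ]; do
        p=$(dirname "$p")
        case $(ls -ld "$p" | cut -c1-10) in
            ?????????[xt]) ;;          # searchable by others
            *) echo "$p" ;;
        esac
    done
}

# Constructed demo: a throwaway directory stands in for /foo/bar.
# mktemp -d creates it with mode 0700, so at least that directory is reported.
demo=$(mktemp -d) && mkdir -p "$demo/foo/bar" && : > "$demo/foo/bar/.htpasswd"
htaccess_block "$demo/foo/bar"
blocked_components "$(abs_dir "$demo/foo/bar")/.htpasswd"
rm -rf "$demo"
```

In real use, redirect the output of htaccess_block . into .htaccess from inside the directory; any path printed by blocked_components is a place where the server's open of the password file would fail under the stated assumption.
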

There are several methods of accessing .HTACCESS files and here are the ways to prevent access as such.

Apply Low Permissions (Ignore this since it requires root permissions)

The basic guidance for permissions is simple: the lower the number, the harder access becomes. A good rule of thumb is to keep the number as low as possible where the performance or functionality is not impacted. For most users, setting it to 640 will grant the level of access that you need.

Add .HTACCESS Directives

What’s important to note here is that this only works if the attack is external. This won’t protect you from internal attacks (if the entire cPanel account is hacked, for example). This is the .htaccess directive you can use:

# PROTECT HTACCESS
<Files .htaccess>
Order Deny,Allow
Deny from All
</Files>

Note: This only protects the file from external access.

Disable directory browsing

If you do not want to allow your visitors to browse through your entire directory, simply add these 2 lines to the .htaccess in the root directory of your WordPress blog.

# disable directory browsing
Options All -Indexes

petergt