29

I am building my personal website using Jekyll and hosting it on GitHub Pages. I would like to have a password-protected area (just a password-protected directory, not the whole website). I have tried a few options and tricks to get htaccess to work but failed.

I would like to know if someone has managed to use htaccess, or any other method, to protect a directory on GitHub Pages.

Listing solutions which did not work for me (or I failed to get them to work):
  • Flohei.
  • Jeremy Ricketts.

M. A. Kishawy
Mustafa

4 Answers

22

GitHub Pages (like Bitbucket Pages and GitLab Pages) only serves static pages, so the only solution is something client-side (JavaScript).

A solution could be, instead of using real authentication, just to share a secret (password) with all the authorized persons and implement one of the following schemes:

  1. Put all the private files in a (not listed) subdirectory and name it with the hash of the chosen password. The index page asks you (with JavaScript) for the password and builds the correct start link by calculating the hash.

    See for example: https://github.com/matteobrusa/Password-protection-for-static-pages

    PRO: Very simple approach protecting a whole subdirectory tree

    CONS:

    • possible attack: sniffing the following requests to obtain the name of the subdirectory
    • the admins on the hosting site have access to the full contents
  2. Encrypt the page with a password and decrypt it on the fly with JavaScript.

    See for example: https://github.com/robinmoisson/staticrypt

    PRO: no plaintext page code around (decrypting happens on the client side)

    CONS:

    • just a single page, and you need to reinsert the password on every refresh
    • an admin could change your JavaScript code to obtain the password when you insert it
Carlo Bellettini
  • 2
    I also found another tool to encrypt a single html page here: https://github.com/MaxLaumeister/clientside-html-password – Leszek Szary Jun 19 '19 at 20:02
  • 2
    @LeszekSzary Running the risk of getting too promotional, it's worth mentioning that my tool (that you linked) uses key derivation and salting, so it's more secure in theory than staticrypt. – Maximillian Laumeister Nov 23 '19 at 22:21
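Scheme 2 combined with the key derivation and salting mentioned in the comment above, as an added example (not part of the original answer, and not code from staticrypt or clientside-html-password). It uses the standard Web Crypto API; the function names, the JSON blob layout and the iteration count are assumptions made for illustration.

```javascript
// Added example: password-based encryption of one static page with Web Crypto.
// Browsers and Node 19+ expose Web Crypto globally; older Node needs the fallback.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const subtle = webcrypto.subtle;
const PBKDF2_ITERATIONS = 600000; // assumed work factor; tune for visitors' devices

const toB64 = (bytes) => btoa(Array.from(bytes, (b) => String.fromCharCode(b)).join(""));
const fromB64 = (text) => Uint8Array.from(atob(text), (c) => c.charCodeAt(0));

// A random per-page salt makes precomputed password tables useless, and the
// iteration count slows down offline guessing against the public ciphertext.
async function deriveKey(password, salt) {
  const material = await subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: PBKDF2_ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Build step (run locally before committing): returns the blob to embed in the page.
async function encryptPage(html, password) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(password, salt);
  const ct = await subtle.encrypt({ name: "AES-GCM", iv }, key, new TextEncoder().encode(html));
  return JSON.stringify({ salt: toB64(salt), iv: toB64(iv), ct: toB64(new Uint8Array(ct)) });
}

// Browser step: returns the plaintext HTML, or null when the password is wrong
// or the blob was modified (the AES-GCM tag check fails in both cases).
async function decryptPage(blob, password) {
  const { salt, iv, ct } = JSON.parse(blob);
  const key = await deriveKey(password, fromB64(salt));
  try {
    const pt = await subtle.decrypt({ name: "AES-GCM", iv: fromB64(iv) }, key, fromB64(ct));
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}
```

Because the ciphertext is publicly downloadable, the password strength is the only barrier against offline guessing, and the second CON above still applies: whoever can change the served JavaScript can capture the password as it is typed.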
6

One option is to use Cloudflare Access to control access at the DNS level. After setting up a custom domain for your Git pages using Cloudflare for DNS, you can use their Access rules policy to require authentication at the specified URL path.

This could still be bypassed if someone is familiar with bypassing DNS blocks.

https://www.cloudflare.com/products/cloudflare-access/

user3546867
3

You can give Jekyll Auth a try, and if you run into trouble, this issue can be useful.

David Jacquel
  • 2
    This solution requires that visitors have GitHub accounts. It doesn't work for me (I am sharing that page within a large academic collaboration). I am looking for basic HTTP protection with a username and a password. – Mustafa Nov 21 '14 at 16:37
0

You can use Render to deploy your static web app. It has an npm package that encrypts your HTML files so that the user cannot see them in the browser. So you can use frontend password validation.

Amin Gholami