Apache Basic Auth seems to override File access restrictions set in .htaccess - basic-authentication

I have set up a virtual host with Basic Auth.
<Directory ~ "^/home/www/.*/">
Options Indexes MultiViews FollowSymLinks
AllowOverride All
Order allow,deny
DirectoryIndex index.html index.php
AuthType Basic
AuthName "HALMA"
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user
Allow from 10.0.0
Satisfy Any
</Directory>
<Files ~ "\.(htaccess|inc|tpl)$">
Order deny,allow
Deny from all
</Files>
(The Files section could be in a .htaccess, too; same effect.)
Now .htaccess, .inc and .tpl files are accessible if the user authenticates successfully to the Basic Auth, which is not the intended behavior. The file restrictions should always be active, preventing any user from accessing critical files, logged-in or not.
I tried moving the Files-Section from vhost config to .htaccess and vice versa, commenting out the 10.0.0.
If I comment out the whole Auth stuff it works.
Would be glad if someone could point me in the right direction.
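The behaviour described in the question follows from how Satisfy is merged: Satisfy Any is a per-directory setting that the <Files> block inherits from the enclosing <Directory>, so a client that passes Require valid-user satisfies the <Files> block too, even though every host is denied there. The fix is to make the <Files> block insist on both checks. Below is an added example, not the poster's configuration, showing the corrected 2.2 config and its Apache 2.4 equivalent; the paths, realm and the 10.0.0 network are taken from the question, everything else is assumed.

```apache
# Apache 2.2 (mod_auth_basic + mod_authz_host).
<Directory ~ "^/home/www/.*/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride All
    DirectoryIndex index.html index.php
    AuthType Basic
    AuthName "HALMA"
    AuthUserFile /usr/local/apache/passwd/passwords
    Require valid-user
    Order allow,deny
    Allow from 10.0.0
    Satisfy Any
</Directory>

# The <Files> block inherits "Satisfy Any" from above, so a valid login
# alone would open these files.  "Satisfy All" makes BOTH the host check
# and the auth check mandatory; the host check always fails here, so the
# files are unreachable whether or not the client is logged in.
<Files ~ "\.(htaccess|inc|tpl)$">
    Order deny,allow
    Deny from all
    Satisfy All
</Files>

# Apache 2.4 (mod_authz_core) equivalent of the same policy.
# "Satisfy Any" becomes <RequireAny>; a Require inside the <Files> block
# replaces the inherited one (AuthMerging Off is the default), so
# "Require all denied" wins regardless of credentials.
<Directory ~ "^/home/www/.*/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride All
    DirectoryIndex index.html index.php
    AuthType Basic
    AuthName "HALMA"
    AuthUserFile /usr/local/apache/passwd/passwords
    <RequireAny>
        Require ip 10.0.0.0/24
        Require valid-user
    </RequireAny>
</Directory>

<Files ~ "\.(htaccess|inc|tpl)$">
    Require all denied
</Files>
```

To confirm the fix, request one of the protected files with valid credentials, e.g. `curl -s -o /dev/null -w '%{http_code}\n' -u user:pass http://host/some.inc`; it should print 403, as should the same request without `-u` and the same request from a 10.0.0.x address. In 2.2 the Order/Allow/Deny lines of a more specific section replace, rather than merge with, those of the enclosing block, which is why `Allow from 10.0.0` never applied inside <Files>; only the Satisfy setting was leaking through. Apache does not accept comments after a directive on the same line, so keep the explanatory lines on their own.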

Related

Lock Wordpress /wp-admin/ using password with Apache 2.4

I want to lock down /wp-admin/ area with a login and password. On Apache 2.3, I used to config my /var/www/html/wp-admin/.htaccess like this:
AuthType Basic
AuthName "Restricted files"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
How the same configuration is done on Apache 2.4?
Apache 2.4 is exactly the same as 2.2 for password protecting a directory. I use this on a number of sites running on 2.4:
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /this/is/your/dir/.htpasswd
Require valid-user
Then you obviously have your .htpasswd file which looks like:
admin:Umvdgh40rXES3ChsKg444
For access to your file in Apache 2.4:
<Files admin-ajax.php>
Require all granted
</Files>
You can view the Apache Documentation for the upgrade by following this link http://httpd.apache.org/docs/2.4/upgrading.html

<FilesMatch> directive ignored in Apache httpd.conf

So I tried using this in httpd.conf, at the bottom of the config file. My goal is to have this rule whitelist the WordPress admin to certain IP addresses. We have quite a few installs on the server and want to protect this. However, when placed there, it doesn't recognize the rule and overlooks it completely. I've tested it in a virtual host's .htaccess file to verify the code is working:
<FilesMatch "^wp\-login">
order deny,allow
deny from all
allow from 1.2.3.4
</FilesMatch>
Any help is appreciated. Bonus points if someone can get it to redirect the user elsewhere as well. Thanks.
Use this directive and try:
<Files wp-admin.php>
Order allow,deny
Deny from all
</Files>
or
<Files wp/-admin.php>
Order allow,deny
Deny from all
</Files>
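The per-file IP restriction together with the redirect the question asks for, written for Apache 2.4 as an added example (it is not part of the question or the answer above). 1.2.3.4 and example.com are placeholders, and the rules assume mod_authz_core and mod_rewrite are loaded.

```apache
# Hard stop: only 1.2.3.4 may request wp-login.php.  Placed in the main
# httpd.conf (outside any <VirtualHost>) this covers every install on
# the server.  The 2.2 form is the Order/Deny/Allow block in the question.
<FilesMatch "^wp-login\.php$">
    Require ip 1.2.3.4
</FilesMatch>

# Friendlier than a bare 403: send everyone else elsewhere.  mod_rewrite
# runs before authorization, so non-allowlisted clients never reach the
# Require above, and if mod_rewrite is ever disabled the FilesMatch still
# denies them.
RewriteEngine On
RewriteCond %{REQUEST_URI} /wp-login\.php$
RewriteCond %{REMOTE_ADDR} !^1\.2\.3\.4$
RewriteRule . https://example.com/ [R=302,L]
```

Two caveats. Rewrite rules in the main server config are not inherited by <VirtualHost> sections unless each vhost carries `RewriteOptions Inherit`, so the redirect part must be repeated or inherited per vhost, while the FilesMatch applies globally. And both checks trust REMOTE_ADDR: behind a reverse proxy or CDN that is the proxy's address, and the real client address has to be restored with mod_remoteip before either rule means anything.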

Allow Timthumb to work in a htpasswd protected Wordpress

I have a domain I use for development purposes. In this domain I have several subdirectories with different wordpress installations.
To hide the whole area I made a simple htpasswd protection in the root.
Now one of the WordPress installs in the domain uses the timthumb library to resize images, and due to the htpasswd I get "NetworkError: 400 Bad Request" instead of the image.
This is an example of a request that gets the error:
http://subdomain.domain.com/WP/wp-content/plugins/plugin-directory/timthumb.php?src=http%3A%2F%2Fsubdomain.domain.com%2FWP%2Fwp-content%2Fuploads%2F2015%2F01%2F012015_valentines_hp_budvase.jpg&w=300&h=620&zc=1
Is there a way to bypass the protection only for that file?
More details on my paths to better read my .htaccess snippets:
I'm in a subdomain pointed to a subdirectory called 'subdomain_folder'
.htaccess I'm working on is located in 'subdomain_folder'
WP is in a subdirectory called 'WP' inside 'subdomain_folder'
Complete path to WP: '/home/some-folder/public_html/subdomain_folder/WP'
Complete path to uploads: '/home/some-folder/public_html/subdomain_folder/WP/wp-content/uploads'
I tried this:
SetEnvIf Request_URI "^/WP/wp-content/plugins/plugin-dir/timthumb\.php$" allow
AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/home/some-folder/.htpasswds/public_html/subdomain_folder/passwd"
Require valid-user
Order allow,deny
Allow from env=allow
Satisfy any
UPDATE
Someone advised me that allowing access to the timthumb.php file is pointless; instead I should allow it to make HTTP requests, or allow full access to the uploads folders. So I tried the following, allowing requests from the localhost IP:
AuthType Basic
AuthName "Reserved Area"
AuthUserFile "/home/some-folder/.htpasswds/public_html/subdomain_folder/passwd"
Require valid-user
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Satisfy Any
Tried both localhost and 127.0.0.1
I even tried to add another .htaccess in the single WP upload folder (where timthumb asks for images) with a rule to allow from any:
Satisfy Any
Order Allow,Deny
Allow from all
Still I can't get images shown, and I keep getting "NetworkError: 400 Bad Request" instead of the image.
Last detail: the .htaccess in the WP directory is a standard WP .htaccess (pastebin.com/8PRqEYQ2).
I found the solution.
The right way is indeed allowing requests from the server itself, but the localhost IP (127.0.0.1) was not the right address to allow.
I did a reverse IP lookup on the domain I'm on, and I used that IP.
This is the .htaccess that works:
RewriteEngine On
<IfModule mod_authn_file.c>
AuthName "Restricted Area"
AuthUserFile "/home/path-to-passfile/passwd"
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
# Use your server ip:
Allow from 111.111.111.11
Satisfy Any
</IfModule>
With these rules I can develop apps using timthumb.php in an .htpasswd-protected directory.
Criticisms and improvements are welcome :)
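A tighter variant of the working configuration above, added here as an example rather than taken from the post. `Allow from <server IP>` in the top-level .htaccess exempts the whole development area from the password for any request that originates on the server itself, and that is not only timthumb: every other site, script or server-side fetch on that host arrives from the same address. The two files below (paths assumed from the post's layout, the IP a placeholder) keep the root password-only and move the exemption into the uploads folder, limited to image files.

```apache
# subdomain_folder/.htaccess
# Whole dev area behind Basic Auth; no host-based exemption at this
# level (Satisfy All is the default, so the password is always required).
AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/home/path-to-passfile/passwd"
Require valid-user

# subdomain_folder/WP/wp-content/uploads/.htaccess
# Image files in this subtree, and only those, may be fetched without
# credentials, and only from the server's own address, which is where
# timthumb's request comes from.  Everything else under uploads still
# inherits "Require valid-user" from the file above.
<FilesMatch "\.(jpe?g|png|gif)$">
    Order Deny,Allow
    Deny from all
    Allow from 111.111.111.11
    Satisfy Any
</FilesMatch>
```

Check it from a shell on the server and from outside: `curl -s -o /dev/null -w '%{http_code}\n' http://subdomain.domain.com/WP/wp-content/uploads/2015/01/x.jpg` should print 200 from the server and 401 from anywhere else, and `.../WP/index.php` should print 401 from both. On Apache 2.4 the FilesMatch body becomes a `<RequireAny>` holding `Require ip 111.111.111.11` and `Require valid-user`; a bare `Require ip` there would replace the inherited `Require valid-user` and lock password users out of the images instead.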

Apache 2.4 Directory access control for mod_auth_form

I need some help with these simple directory access rules; sorry, I just started playing with Apache 2.4 and haven't done this before.
I have configured Apache 2.4 to the stage where I can see a login form for protected resources, and once I enter the user/pass I get access to the protected resources.
Now I want to do the following, which I am not sure how to get done.
Web root is set to /var/www
/var/www/login - anyone can access, no auth required, as this folder contains login.html and logout.html. (I got this working.)
/var/www - all other content in the root of my app can only be accessed after authentication. This is the part I don't know how to set up.
My vhost conf looks like this:
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin webmaster#dummy-host2.example.com
DocumentRoot "/var/www"
ServerName auth-test.ml.com
ErrorLog "logs/test-error_log"
CustomLog "logs/test-access_log" common
<Directory "/var/www">
AuthFormProvider file
AuthType form
AuthName "Reserved Area"
Session On
SessionCookieName session path=/
require valid-user
# This is the login page
ErrorDocument 401 /login/index.html
# This is the file containing users login data
AuthUserFile /usr/local/apache2/auth/.htpasswd
</Directory>
<Directory /var/www/login>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
At the moment, when I access the app like http://example.com I expect to see the login.html page returned, but I get the following error message:
Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Additionally, a 401 Unauthorized error was encountered while trying to use an ErrorDocument to handle the request.
How can I make this work?
Figured it out. It was as simple as using a Directory section to first deny access to all for the document root and only allow valid users,
and another Directory section to open access to all for the auth folder.
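A complete version of the configuration the poster arrived at, as an added example (not the poster's final config). The login directory needs its own `Require all granted`: under Apache 2.4 a Require in a more specific section replaces the inherited `Require valid-user`, whereas the 2.2-style `Order allow,deny` / `allow from all` lines in the question are handled by mod_access_compat and leave the inherited requirement in force, which is why the ErrorDocument request itself answered 401. The handler locations, the passphrase and the form field names are assumptions beyond what the question shows; the modules involved are mod_auth_form, mod_session, mod_session_cookie, mod_session_crypto, mod_request and mod_authn_file.

```apache
<VirtualHost *:80>
    ServerName auth-test.ml.com
    DocumentRoot "/var/www"
    ErrorLog "logs/test-error_log"
    CustomLog "logs/test-access_log" common

    # Everything under the document root needs a form login.
    <Directory "/var/www">
        AuthFormProvider file
        AuthType form
        AuthName "Reserved Area"
        AuthUserFile /usr/local/apache2/auth/.htpasswd
        Session On
        SessionCookieName session path=/;httponly
        # Without a passphrase the session cookie is neither encrypted
        # nor integrity-protected, so a client could forge a logged-in
        # session by editing the cookie.
        SessionCryptoPassphrase "replace-with-a-long-random-secret"
        SessionMaxAge 3600
        Require valid-user
        # Serve the login form in place of the bare 401 page.
        ErrorDocument 401 /login/login.html
    </Directory>

    # The login page and its assets must be reachable anonymously,
    # otherwise the ErrorDocument request is itself rejected with 401.
    <Directory "/var/www/login">
        Require all granted
    </Directory>

    # POST target for login.html; the form fields are httpd_username,
    # httpd_password and, optionally, httpd_location.
    <Location "/login/dologin">
        SetHandler form-login-handler
        AuthFormLoginSuccessLocation /
        AuthFormLoginRequiredLocation /login/login.html
    </Location>

    # Target for logout.html; clears the session and redirects.
    <Location "/login/dologout">
        SetHandler form-logout-handler
        AuthFormLogoutLocation /login/login.html
    </Location>
</VirtualHost>
```

login.html is a plain HTML form that posts httpd_username and httpd_password to /login/dologin, and logout.html links to /login/dologout. Because this vhost listens on port 80, both the password and the session cookie cross the wire in the clear; in practice serve the same configuration on 443 and add `secure` to the SessionCookieName attributes.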

Denying access to wp-config.php in WordPress

The WordPress article Hardening WordPress suggests that the following can be used in .htaccess to deny access to anyone surfing for wp-config.php:
<files wp-config.php>
order allow,deny
deny from all
</files>
My question: considering my file permissions for wp-config.php are set at 0600, why is adding this code necessary?
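An answer in configuration form, added here and not taken from the page. A 0600 mode only says which OS accounts may open the file. The account that runs PHP must be able to read it, and on most setups that is also the account Apache serves static files as, so permissions do nothing to stop Apache sending the file verbatim whenever PHP does not handle that name: when the php handler is broken or disabled, or for editor and backup copies (wp-config.php~, wp-config.php.bak, .wp-config.php.swp) that PHP never processes. The <files> block from Hardening WordPress covers the first case; the added FilesMatch covers the copies. Apache 2.4 syntax first, then the 2.2 syntax the Hardening WordPress snippet uses; use one or the other, not both.

```apache
# Apache 2.4 (mod_authz_core)
<Files "wp-config.php">
    Require all denied
</Files>
# Backup and editor copies: wp-config.php~, wp-config.php.bak,
# wp-config.php.orig, .wp-config.php.swp ...  None of these are run by
# PHP, so without this rule they would be served as plain text.
<FilesMatch "^\.?wp-config\.php(\.|~|-)">
    Require all denied
</FilesMatch>

# Apache 2.2 (mod_authz_host) form of the same two rules
<Files "wp-config.php">
    Order allow,deny
    Deny from all
</Files>
<FilesMatch "^\.?wp-config\.php(\.|~|-)">
    Order allow,deny
    Deny from all
</FilesMatch>
```

The check is a plain request for the file: `curl -s -o /dev/null -w '%{http_code}\n' https://site/wp-config.php` should print 403, and so should the same request for a copied wp-config.php.bak. File permissions remain worth keeping as well; they are the control against other local accounts, while this rule is the control against the web server itself.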
