kurt.santo

Folder protection via .htaccess


Part 1: Create a password file and put it on the server

To create a password file and put it on the server:

1. Windows - Open Notepad: Click Start, point to Programs, point to Accessories, then click Notepad.
   Macintosh - Open Text Edit: Double-click your Macintosh HD icon, then double-click the Applications folder, then double-click the TextEdit icon.
2. Open a new blank file and name it: htpasswd
3. Set up one or more username/password combinations using one of the following sites that can generate encrypted UNIX passwords:
   * http://spectrum.troy.edu/password/
   * http://www.flash.net/cgi-bin/pw.pl
4. From the form, copy and paste the username/password combinations into your htpasswd file, noting the following:
   * Each username/password combination should be on its own line.
   * Put nothing else in this file.
   For example:
       joeuser:33dJ3Dq1oYPd2
5. Using FTP, upload the htpasswd file to your /usr/users/bcusername/ folder on the www2.bc.edu server.
   Important:
   * Be sure the FTP transfer mode is set to "ASCII" and not "binary".
   * Although this password is not easy to read, there are programs on the Internet that can break this password. Part of keeping your passwords secure is not letting anyone get access to this file. For that reason, we recommend that you not put them in the folder with the documents you are protecting, or even the root level of your Web site. We recommend that you put them in the folder whose name is your username:
       /usr/users/bcusername/
     Not in:
       /usr/users/bcusername/www/
6. Using FTP, change the name of the file on the server to .htpasswd with nothing before the period.

Part 2: Create an .htaccess file in the folder you would like restricted

To create an .htaccess file in the folder you would like restricted:

1. Windows - Open Notepad: Click Start, point to Programs, point to Accessories, then click Notepad.
   Macintosh - Open Text Edit: Double-click your Macintosh HD icon, then double-click the Applications folder, then double-click the TextEdit icon.
2. Open a new blank file and name it: htaccess
3. Copy and paste the following text into the file:
       AuthUserFile /usr/users/myusername/.htpasswd
       AuthName "YOUR SITE'S NAME"
       AuthType Basic
       <Limit GET>
       require user joeuser
       </Limit>
4. Edit the line:
       AuthUserFile /usr/users/myusername/.htpasswd
   changing "myusername" to your BC username.
5. Edit the line:
       AuthName "YOUR SITE'S NAME"
   The words you put here show up in the authentication dialog box.
   * In Netscape, this line of text appears in the middle of the following phrase: Enter username and password for "YOUR SITE'S NAME" at www2.bc.edu.
     Note: You cannot change the surrounding phrase: "Enter username and password for...at www2.bc.edu."
     For example:
         AuthName "BC Help Center Restricted Page"
     appears as the following in Netscape (refer to Figure 1):
     Figure 1: Example of text that appears on login prompt in Netscape.
   * In Internet Explorer, this line of text appears with nothing around it.
     For example:
         AuthName "BC Help Center Restricted Page"
     appears as the following in Internet Explorer (refer to Figure 2):
     Figure 2: Example of text that appears on login prompt in Internet Explorer.
6. In the second to last line, change the word "joeuser" to the username you put in your password file.
   Important: Do not include the password in this file.
   For example, to change the username to "anotheruser" the last 3 lines would read:
       <Limit GET>
       require user anotheruser
       </Limit>
   -OR-
   To allow any username/password combination in your password file to access the folder, enter the following for the last 3 lines:
       <Limit GET POST>
       require valid-user
       </Limit>
7. Using FTP, upload your edited htaccess file inside the folder you want restricted on the www2.bc.edu server.
   Important: Be sure the FTP transfer mode is set to "ASCII" and not "binary".
8. Using FTP, change the name of the file on the server to .htaccess with nothing before the period.

Part 3: Test the set up

To test the set up:

1. Open your Web browser and go to the page you have just protected. You should receive an authentication dialog box similar to Figure 1 and 2 above.
2. Enter an incorrect username and password to make sure it fails.
3. Enter the correct username with an incorrect password to make sure it fails.
4. Enter the correct username and password to make sure it works.

Limitations to this method of authentication

The following are limitations to this "basic" method of authentication:

* The password is not encrypted as it goes over the network, so it could be sniffed.
* The password and username remain in the browser until the user closes their Web browser completely. This means that shared computers or unattended computers are potential security risks.
* If the user tries to go to another www2.bc.edu site that has a different username and password, they will get an immediate "access denied" message. They will not even see the authentication dialog box. This is because with basic authentication, the username and password is stored in the browser and the system makes the assumption that for any given server a person has only one username and password. To get past this limitation the user must close all windows of the Web browser, quit the browser, and then launch a new browser session to go to the second location.
* The .htaccess restriction only limits access through a Web browser. Other BC students, faculty, and staff who have accounts on the www2 server may be able to retrieve your documents using FTP. Remember that www2 is primarily a public Web server, not designed for restricting confidential documents. For better handling of confidential documents, use MyFiles@bc and WebCT Web.

enjoy

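An added example, not part of the original post or of the guide it quotes: a short Python check for three things the guide touches on. A `require` placed inside `<Limit GET>` is enforced only for the listed methods, the password file should live outside the web root, and 13-character crypt hashes like the guide's sample are the crackable kind it warns about. The function names, the sample files and the `www/` password path are constructed for illustration.

```python
import re

# Constructed sample modelled on the guide's Part 2, except that the password
# file deliberately sits under www/ so the web-root check has something to find.
HTACCESS = """AuthUserFile /usr/users/bcusername/www/.htpasswd
AuthName "YOUR SITE'S NAME"
AuthType Basic
<Limit GET>
require user joeuser
</Limit>
"""
HTPASSWD = "joeuser:33dJ3Dq1oYPd2\n"   # the guide's own example entry

def audit_htaccess(text, web_root):
    """Return a list of findings for one .htaccess file (hypothetical helper)."""
    findings = []
    limit_methods = None   # methods of the <Limit> block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"<Limit\s+([^>]+)>", line, re.I)
        if m:
            limit_methods = m.group(1).upper().split()
        elif re.match(r"</Limit>", line, re.I):
            limit_methods = None
        elif re.match(r"require\s", line, re.I) and limit_methods is not None:
            findings.append("require applies only to " + ",".join(limit_methods)
                            + "; other HTTP methods are not authenticated")
        elif re.match(r"AuthUserFile\s", line, re.I):
            path = line.split(None, 1)[1].strip('"')
            if path.startswith(web_root.rstrip("/") + "/"):
                findings.append("password file is inside the web root: " + path)
    return findings

def audit_htpasswd(text):
    """Return users whose hash is traditional 13-character DES crypt(3)."""
    weak = []
    for line in text.splitlines():
        user, _, digest = line.partition(":")
        if re.fullmatch(r"[./0-9A-Za-z]{13}", digest):
            weak.append(user)
    return weak

if __name__ == "__main__":
    for finding in audit_htaccess(HTACCESS, "/usr/users/bcusername/www"):
        print("htaccess:", finding)
    print("weak crypt hashes for:", audit_htpasswd(HTPASSWD))
```

A file that uses `require valid-user` with no `<Limit>` wrapper and keeps the password file in `/usr/users/bcusername/` produces no findings.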

Here is a great and simple way to implement .htpasswd (plus it encodes the passes in the password listing):
http://tools.dynamicdrive.com/password/

For an awesome guide on .htaccess and its uses go here:
http://www.javascriptkit.com/howto/htaccess.shtml


Read all the info and implemented the advice. Tried it and worked. Tried it again and does not work, browser sends me to my "permission needed page". Why could that be? I did not change the pw or username? Now it even does not let me delete the folder I created for testing, strange...

Kurt

Did you encrypt the usernames/passwords?

It actually works now in a different place. It seems my problem lies again somehow in the display of my remote files. When I try to delete a folder where I placed a .htaccess file it says "Command: RMD folderProtect, Response: 550 folderProtect: Directory not empty". When I go into the directory I cannot see any file, and this although I set FileZilla (also tried it with Dreamweaver with same result) to show hidden files. Why could that be? Followed your instructions to transfer as text file and then change file extension/front bit when uploaded. Why do you have to do this? In FileZilla and Dreamweaver you can assign the modes of transferring files to any file extension. I created one for .htaccess (ascii).

Another question in same context: How again do you find out what exact path is the folder above your web root? Justsomeguy told me some time ago, but I used it back then and completely forgot how to (apart from asking hosting company).

Kurt
