  1. #1
    SitePoint Member
    Join Date: Apr 2012 | Posts: 3

    Beginner with a .htaccess question

    Hi all

    Hope this is the right place for this question. I have created a .htaccess in the admin folder of my website, so that the correct username and password has to be entered before access is granted. However, I have to enter the username and password 9 or 10 times before it gets accepted. I am definitely entering it correctly, but it just doesn't seem to get accepted straight away for some reason. The file is as follows:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://www.domain.co.uk/store/admin/ [R]
    AuthName "Restricted Area"
    AuthType Basic
    AuthUserFile /home/domain/htpasswdlocation/.htpasswd
    AuthGroupFile /dev/null
    require valid-user

    Is there something wrong with this code? Sorry, new to all this website design, and can't quite figure out some of these things yet!

    Cheers for all help
    Naz
    Last edited by TechnoBear; Apr 29, 2012 at 10:16. Reason: Example URL delinkified.

  2. #2
    dklynn (Certified Ethical Hacker)
    Join Date: Feb 2002 | Location: Auckland | Posts: 14,644

    Naz,

    I use cPanel's Protect Directory function to protect directories. It's just too easy to set up on a production server and setting up a password protection on my test server would be an annoyance.

    Please use the [code] ... [/code] wrapper for including code in your posts.

    On to your question:

    Code:
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://www.domain.co.uk/store/admin/$1 [R]
    AuthName "Restricted Area" 
    AuthType Basic 
    AuthUserFile /home/domain/htpasswdlocation/.htpasswd 
    AuthGroupFile /dev/null 
    require valid-user
    The red off is because {HTTPS} has two values, on and . Yes, that was a {null}. Because of this, you'll either have to change to say !on or use the {SERVER_PORT} to match ^80$ (not SSL, the equivalent of off).

    The blue $1 is taking advantage of the atom created by the regex to retain the requested URI and not change to the DirectoryIndex in store/admin (where this .htaccess is located).

    The downside to the way that you've attempted is that the password file must be read for every request to admin.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  3. #3
    dklynn (Certified Ethical Hacker)
    Join Date: Feb 2002 | Location: Auckland | Posts: 14,644

    Naz,

    Checking, I've discovered that the above re {HTTPS} was incorrect:

    Quote Originally Posted by apache.org
    HTTPS

    Will contain the text "on" if the connection is using SSL/TLS, or "off" otherwise. (This variable can be safely used regardless of whether or not mod_ssl is loaded).
    This is correct as of Apache 2.0 (unless my memory is that bad and it was also valid for Apache 1.x).

    The {SERVER_PORT} information is still good.

    Regards,

    DK

  4. #4
    SitePoint Member
    Join Date: Apr 2012 | Location: Michigan, United States | Posts: 10

    It all depends on what you need out of it, but doesn't:

    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://www.domain.co.uk/store/admin/$1 [R]

    redirect any non-https access to admin? My thought is you want /store/admin/(.*) instead of .*

  5. #5
    dklynn (Certified Ethical Hacker)
    Join Date: Feb 2002 | Location: Auckland | Posts: 14,644

    ppost,

    My thought was that bw's .htaccess was in the admin directory per
    Quote Originally Posted by bigweed
    Hope this is the right place for this question. I have created a .htaccess in the admin folder of my website ...
    Did I misread it?

    Regards,

    DK

  6. #6
    SitePoint Member
    Join Date: Apr 2012 | Location: Michigan, United States | Posts: 10

    Ah!! Now I can see what you are asking.
    Is this a known, single server, a cloud, a shared environment?

    I tried that on a multi-server environment before, and each box gives its credential/login, but every time I request a page I might not be given the same box to authenticate it. Was forced to log in until I had hit up nearly every box. Had to move the login to database powered session.

  7. #7
    SitePoint Member
    Join Date: Apr 2012 | Location: Michigan, United States | Posts: 10

    If you know the box is static, Firefox plus some tools will help out. Live HTTP Headers, View Cookies.
    You can watch the live header POST data, receive cookie, right click on the page and select info to get the list of cookies and headers specific to the page. They will tell you what is going on. For instance, if it's a 407, 404 causing you to re-login etc.

  8. #8
    SitePoint Member
    Join Date: Apr 2012 | Posts: 3

    Hi, and thanks for all the replies. I have been doing some reading on this Rewrite cond rule, but am still confused as to what has been said above. Sorry, but very new to all this, and I have never done web design before! Thought it would be easier to learn while doing it, rather than just read about it!

    Anyway, what I am trying to do is two things. First, I want to make sure that anyone who accesses the domain.co.uk/Store/Admin folder needs to enter the correct password before they can gain access. Second, I want to force the domain.co.uk/Store/Admin area to always load as HTTPS rather than HTTP.

    My website is on a shared hosting package with a website hosting company, so not sure how much I can change settings-wise. One thing I can't do is use the Protect Directories feature in cPanel, as I get a message about Frontpage extensions when I try and this always stops me doing it.

    Having read all the replies above, I am still confused as to what I should do. Should I change the .htaccess file to the following:

    Code:
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://www.domain.co.uk/store/admin/$1 [R]
    AuthName "Restricted Area" 
    AuthType Basic 
    AuthUserFile /home/domain/htpasswdlocation/.htpasswd 
    AuthGroupFile /dev/null 
    require valid-user
    Also, really sorry but not sure what you mean by 'Is it a static box'. If you can tell me what that means I can find out. I am so lame at all this!!

    Thanks for the help!
    Naz

  9. #9
    dklynn (Certified Ethical Hacker)
    Join Date: Feb 2002 | Location: Auckland | Posts: 14,644

    Naz,

    Assuming that you can add the correctly encrypted password to .htpasswd, it seems okay. However, using a control panel (don't you have a control panel available?) makes it trivial as they take care of all the nitty-gritty details of the encryption, location of the .htpasswd and setting the valid-user.

    Regards,

    DK

  10. #10
    SitePoint Member
    Join Date: Apr 2012 | Location: Michigan, United States | Posts: 10

    Static box, the old, traditional way of web hosting where 1 single computer is configured to host or run the website.
    The alternatives are clustered hosting, distributed, or cloud. Where multiple computers could be running the website or service.

    When using a server level login, .htaccess, apache, php-pear, they all store a credential on that 1 computer alone, the local hard drive. That login only works if the website goes to the same computer every time.

  11. #11
    SitePoint Member
    Join Date: Apr 2012 | Posts: 3

    I have checked with my hosting company, and my website is resolving to one server.

    Also, I have now changed the .htaccess to the following:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://www.domain.co.uk/store/admin/$1 [R]
    AuthName "Restricted Area"
    AuthType Basic
    AuthUserFile /home/domain/protectstore/.htpasswd
    AuthGroupFile /dev/null
    require valid-user

    But I am still having to enter username and password multiple times. Do you have any other suggestions please? I can't use the cPanel to add a .htaccess, as I don't have access to do this with my hosting.

    Many thanks
    Naz

  12. #12
    TechnoBear (Life is not a malfunction)
    Join Date: Jun 2011 | Location: Argyll, Scotland | Posts: 6,083

    Quote Originally Posted by bigweed
    I can't use the cPanel to add a .htaccess, as I don't have access to do this with my hosting.
    I think dklynn was suggesting you use the cPanel "Password Protect Directory" function to add the password protection, rather than trying to do it yourself via the .htaccess file. Does your hosting account not use cPanel?

  13. #13
    dklynn (Certified Ethical Hacker)
    Join Date: Feb 2002 | Location: Auckland | Posts: 14,644

    Thanks, TB, correct!

    The problem with creating your own htpasswd file is that you are required to create the encrypted passwords in a specific manner (with an encryption tool?). If you're not doing that, your homemade password protection will not work.

    Me, I'm lazy enough to use cPanel's "Password Protect Directories" function ... with great success.

    Regards,

    DK
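
The point made in posts #9 and #13, that every .htpasswd entry must be hashed in a format Apache recognises, can be checked mechanically. The following is an added example, not part of the original thread or any poster's code: a Python audit of .htpasswd entries, where the function names and the sample file are constructed for illustration.

```python
import base64
import hashlib
import re

# Formats checked here: bcrypt, Apache's salted MD5 (apr1), {SHA} and
# traditional 13-character crypt. Extend the list if your server accepts
# others. "weak" marks formats that are accepted but poor choices:
# {SHA} is unsalted, crypt only uses the first 8 password characters.
FORMATS = [
    ("bcrypt", "ok", re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")),
    ("apr1-md5", "ok",
     re.compile(r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}")),
    ("sha1", "weak", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}=")),
    ("crypt", "weak", re.compile(r"[./A-Za-z0-9]{13}")),
]

def classify(field):
    """Return (format, verdict) for the part of a line after 'user:'."""
    for name, verdict, pattern in FORMATS:
        if pattern.fullmatch(field):
            return name, verdict
    return "unrecognized", "fail"

def audit_htpasswd(text):
    """Return a list of (line number, user, format, verdict) tuples."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        user, sep, field = line.partition(":")
        if not sep or not user:
            findings.append((number, line, "malformed", "fail"))
            continue
        findings.append((number, user, *classify(field)))
    return findings

# Constructed sample file. The bcrypt and apr1 bodies are filler of the
# right length, not real digests; the {SHA} entry is computed from a
# throwaway string.
SAMPLE = "\n".join([
    "alice:$2y$05$" + "a" * 53,
    "bob:$apr1$saltsalt$" + "b" * 22,
    "carol:{SHA}" + base64.b64encode(hashlib.sha1(b"example").digest()).decode(),
    "naz:mysecret",      # password typed in as plain text
    "no-colon-here",     # line without a user:hash separator
])

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print(*finding, sep="\t")
```

A plain-text password that happens to be exactly 13 characters from the crypt alphabet would be misread as crypt, so treat a "crypt" result as a prompt to regenerate the entry rather than as proof the entry is valid.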

