Beginner with a .htaccess question

**bigweed** · Apr 29, 2012 10:09

Hi all

Hope this is the right place for this question. I have created a .htaccess in the admin folder of my website, so that the correct username and password has to be entered before access is granted. However, I have to enter the username and password 9 or 10 times before it gets accepted. I am definitely entering it correctly, but it just doesn't seem to get accepted straight away for some reason. The file is as follows:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.domain.co.uk/store/admin/ [R]
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/domain/htpasswdlocation/.htpasswd
AuthGroupFile /dev/null
require valid-user

Is there something wrong with this code? Sorry, new to all this website design, and cant quite figure out some of these things yet!

Cheers for all help
Naz

**dklynn** · Apr 29, 2012 16:27

Naz,

I use cPanel's Protect Directory function to protect directories. It's just too easy to setup on a production server and setting up a password protection on my test server would be an annoyance.

Please use the [code] ... [/code] wrapper for including code in your posts.

On to your question:

Code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.domain.co.uk/store/admin/$1 [R]
AuthName "Restricted Area" 
AuthType Basic 
AuthUserFile /home/domain/htpasswdlocation/.htpasswd 
AuthGroupFile /dev/null 
require valid-user

The red off is because {HTTPS} has two values, on and . Yes, that was a {null}. Because of this, you'll either have to change to say !on or use the {SERVER_PORT} to match ^80$ (not SSL, the equivalent of off).

The blue $1 is taking advantage of the atom created by the regex to retain the requested URI and not change to the DirectoryIndex in store/admin (where this .htaccess is located).

The downside to the way that you've attempted is that the password file must be read for every request to admin.

Regards,

DK

**dklynn** · Apr 29, 2012 18:09

Naz,

Checking, I've discovered that the above re {HTTPS} was incorrect:

Originally Posted by apache.org

HTTPS

Will contain the text "on" if the connection is using SSL/TLS, or "off" otherwise. (This variable can be safely used regardless of whether or not mod_ssl is loaded).

This is correct as of Apache 2.0 (unless my memory is that bad and it was also valid for Apache 1.x).

The {SERVER_PORT} information is still good.

Regards,

DK

**ppostma1** · Apr 30, 2012 07:40

It all depends on what you need out of it, but doesnt:

RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.domain.co.uk/store/admin/$1 [R]

redirect *any non-https access to admin? My thought is you want /store/admin/(.*) instead of .*

**dklynn** · Apr 30, 2012 16:06

ppost,

My thought was that bw's .htaccess was in the admin directory per

Originally Posted by bigweed

Hope this is the right place for this question. I have created a .htaccess in the admin folder of my website ...

Did I misread it?

Regards,

DK

**ppostma1** · May 1, 2012 07:27

ah!! now I can see what you are asking.
Is this a known, single server, a cloud, a shared environment?

I tried that on a multi-server environment before, and each box give its credential/login, but every time I request a page I might not be given the same box to authenticate it. Was forced to login until I had hit up nearly every box. Had to move the login to database powered session.

**ppostma1** · May 1, 2012 07:31

If you know the box is static, Firefox plus some tools will help out. Live HTTP Headers, View Cookies.
You can watch the live header POST data, receive cookie, right click on the page and select info to get the list of cookies and headers specific to the page. They will tell you what is going on. For instance, if its a 407, 404 causing you to re-login etc.

**bigweed** · May 1, 2012 12:37

Hi, and thanks for all the replies. I have been doing some reading on this Rewrite cond rule, but am still confused as to what has been said above. Sorry, but very new to all this, and I have never done web design before! Thought it would be easier to learn whole doing it, rather than just read about it!

Anyway, what I am trying to do is two things. First, I want to make sure that anyone who access the domain.co.uk/Store/Admin folder needs to enter the correct password before they can gain access. Second, I want to force the domain.co.uk/Store/Admin area to always load as HTTPS rather than HTTP.

My website is on a shared hosting package with a website hosting company, so not sure how much I can change settings-wise. One thing I cant do is use the Protect Directories feature in cPanel, as I get a message about Frontpage extensions when I try and this always stops me doing it.

Having read all the replies above, I am still confused as to what I should do. Should I change the .htaccess file to the following:

Code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.domain.co.uk/store/admin/$1 [R]
AuthName "Restricted Area" 
AuthType Basic 
AuthUserFile /home/domain/htpasswdlocation/.htpasswd 
AuthGroupFile /dev/null 
require valid-user

Also, really sorry but not sure what you mean by 'Is it a static box'. If you can tell me what that means I can find out. I am so lame at all this!!

Thanks for the help!
Naz

**dklynn** · May 1, 2012 16:12

Naz,

Assuming that you can add the correctly encrypted password to .htpasswd, it seems okay. However, using a control panel (don't you have a control panel available?) makes it trivial as they take care of all the nitty-gritty details of the encryption, location of the .htpasswd and setting the valid-user.

Regards,

DK

**ppostma1** · May 2, 2012 08:16

Static box, the old, traditional way of web hosting where 1 single computer is configured to host or run the website.
The alternatives are clustered hosting, distributed, or cloud. Where multiple computers could be running the website or service.

When using a server level login, .htaccess, apache, php-pear, they all store a credential on that 1 computer alone, the local hard drive. That login only works if the website goes to the same computer every time.

**bigweed** · May 7, 2012 11:39

I have checked with my hosting company, and my website is resolving to one server.

Also, I have now changed the .htaccess to the following:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.domain.co.uk/store/admin/$1 [R]
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/domain/protectstore/.htpasswd
AuthGroupFile /dev/null
require valid-user

But I am still having to enter username and password multiple times. Do you have any other suggestions please? I cant use the cPanel to add a .htaccess, as I dont have access to do this with my hosting.

Many thanks
Naz

**TechnoBear** · May 7, 2012 12:10

Originally Posted by bigweed

I cant use the cPanel to add a .htaccess, as I dont have access to do this with my hosting.

I think dklynn was suggesting you use the cPanel "Password Protect Directory" function to add the password protection, rather than trying to do it yourself via the .htaccess file. Does your hosting account not use cPanel?

**dklynn** · May 7, 2012 15:03

Thanks, TB, correct!

The problem with creating your own htpasspw file is that you are required to create the encrypted passwords in a specific manner (with an encryption tool?). If you're not doing that, your homemade password protection will not work.

Me, I'm lazy enough to use cPanel's "Password Protect Directories" function ... with great success.

Regards,

DK

User Tag List

Thread: Beginner with a .htaccess question

Thread Tools

Display

Beginner with a .htaccess question

Tags for this Thread

Bookmarks

Bookmarks

Posting Permissions