I have a number of .html files on my web-server which I store in a specific folder. I have to protect them from unwanted users and let only a few people to be able to access this folder.
I would like to protect this specific folder, so users have to log in, but I don't want to use any PHP framework etc. It's only a simple HTML website created without PHP.
I have my own dedicated server, so there are some options to do it. For now I did basic HTTP Auth based on .htaccess and .htpasswd files, but I've just read it's no really secure because password is sent as plain text. I've found a similar option called .htdigest, but maybe there are more secure and also easy to set up ways to secure folder? Hope someone can recommend me a method to make it secure? Here is what I have on my server:
using CloudFlare Service (paid plan) which allows me to use SSL,
can install additional modules if needed.
Thank you for help!
you can use allow/deny directive
Order allow,deny
Deny from all
it will give user response code 403 forbidden page but if you want to return 404 response code then you can use below
RedirectMatch 404
references : http://httpd.apache.org/docs/current/sections.html
Related
I'm working on a Django 3.2 project which is hosted using Apache 2.4 server. The user authentication in this project is handled using HTTP Basic Authentication configured using LDAP.
I have implemented a sign up feature for new users. For that I have created the necessary form, view, template and url pattern in the Django project. The urlpattern to visit the sign up form is /signup.
My goal is to make the sign up urlpattern accessible to anyone i.e. prevent the Basic Authentication from showing when the sign up urlpattern is requested by user in the browser.
JFI, the complete Apache configuration is already complete and works already.
To achieve this, I have used the "LocationMatch" directive in the Apache configuration within the VirtualHost directive:
...
<LocationMatch "^/signup$">
Require all granted
</LocationMatch>
...
With this the Basic Authentication is removed when /signup URI is requested, but the server always redirects to another url which ultimately requires authentication hence giving the basic auth pop-up.
$ curl -I https://*****.com/signup
HTTP/1.1 302 Found
...
I have tried to redirect the request explicitly to /signup whenever the is /signup. This ends up in an endless loop of redirections.
RewriteEngine on
...
RewriteRule ^/signup$ /signup [R=301,L]
I have also tried other ways by setting environment variables within Apache configuration, I have restarted Apache whenever a change was done in config, I have cleared browser cache etc., but nothing seems be working.
FYI, I can access the /signup url successfully after logging into the application which is not useful for me.
I'm afraid I cannot share the complete source (apache config, django source etc.) here as the project is not completely open source yet. But I'm sure your suggestions would surely help me in some way.
I want to fix the redirection. I have no clue what I'm missing out here.
I have a custom domain example.com that is redirecting to my API gateway api-example.com, but it doesn't seem to pass the user-agent field, all my user-agent values are AmazonAPIGateway_5rfp2g9h9b.
If I call directly the api-example.com then it works fine, but if I call example.com, doesn't work.
Any idea on how I could pass the correct user-agent HTTP Header?
Thanks
It’s not clear what you mean by redirect or the domains you have listed, so you have two custom domains ? And if so how did you do that, Cloudfront with a custom origin? And what type of integration request do you have? Is this a REST or HTTP API? Probably why you are getting down voted because you don’t have any detail and the domains don’t make sense.
Either way in your API make sure you have the user-angent field defined where it is applicable:
Request Part of your API, and make sure your integration request is forwarding this header
Likewise make sure Cloudfront forwards the ‘user-agent’ header, that it is also whitelisted if you are using Cloudfront
Note this header comes from your Web browser or SDK being used sometimes sets this too. So if you don’t set this header for whatever reason that could be a problem, I don’t know if for example when you say from this domain that means you are using a hosted website, and another means making a request from Postman, etc.
Short answer: Validate the contents of your header
Ref AWS user-agent redirect here.. as listed below.
Redirects and HTTP user-agents:
..Programs that use the Amazon S3 REST API should handle redirects either at the application layer or the HTTP layer. Many HTTP client libraries and user agents can be configured to correctly handle redirects automatically; however, many others have incorrect or incomplete redirect implementations.
Before you rely on a library to fulfill the redirect requirement, test the following cases:
Verify all HTTP request headers are correctly included in the redirected request (the second request after receiving a redirect) including HTTP standards such as Authorization and Date.
Verify non-GET redirects, such as PUT and DELETE, work correctly.
Verify large PUT requests follow redirects correctly.
Verify PUT requests follow redirects correctly if the 100-continue response takes a long time to arrive.
HTTP user-agents that strictly conform to RFC 2616 might require explicit confirmation before following a redirect when the HTTP request method is not GET or HEAD. It is generally safe to follow redirects generated by Amazon S3 automatically, as the system will issue redirects only to hosts within the amazonaws.com domain and the effect of the redirected request will be the same as that of the original request...
Optional/Additional help, I was trying to understand your description, if you're going across domains, thats CORS.
Please consider CORS which you seem to be missing, please see configuration
here.
Also very important you Enabling CORS support for a resource and its methods does not recursively enable it for child resources and their methods.
If you want to setup your custom header for
user-agent
Setup CORS in Console
How to setup from console under the resources enable the CORS.
Setup your Headers
As a last step you have to REdeploy to a stage, for the settings to take effect!
I have the project to set up a git server for my school with a web interface to create repositories and display them. This web part will be handled by Django, which knows the users.
Now the problem: I want authentication to pull and push private repositories but I can't use SSH to handle that part (the IT guys don't want to do support on that). The HTTP protocol is read-only without "complexe WebDAV" (according to the official doc) and use .htaccess as authentication. The problem with .htaccess is to manage them with Django: I tried to use a Django user's hash in it but it didn't work. And, finally, the Git protocol is read-write but it lacks authentication.
Summing up:
I want authentication linked with Django's users database. (To avoid having multiple places with same data)
No SSH
Avoid WebDAV and .htaccess
With these constraints I found that rewriting the git daemon (code on github) to handle authentication would be an idea but I don't know for sure how a Git client would react to that.
If you guys have another idea or want to tell me how better it would be to use WebDAV/.htaccess/..., I will be glad to hear it !
You could setup an Apache server (even one with https like I do in my config!), except you would ask your wsgi application to handle the authentication.
See "Access Control Mechanisms", in the mod_wsgi:
AuthType Basic
AuthName "Top Secret"
AuthBasicProvider wsgi
WSGIAuthUserScript /usr/local/wsgi/scripts/auth.wsgi
Require valid-user
The auth.wsgi script can check the credentials against your Django users database.
That solution means calling the git-http-backend (smart http transport), which is ore efficient than WebDAV.
Is there any reliable way to allow only Selenium to access the site?
When I use $this->open($url) from the PHPUnit's SeleniumTestCase this makes a regular request to the server. How can I force this method to send some additional headers?
You could add auth to your .htaccess for that site/subfolder and preprend the simple auth user#password to your url before each request.
Reading about simple auth with .htaccess and .htpasswd:
http://www.htaccesstools.com/htaccess-authentication/
If you want to add additional headers have a look at the selenium.addCustomRequestHeader([key],[value]); function.
I would allow access to the site only from the Selenium machine's IP, i.e. via .htaccess or web server config directives.
I'm making an HTTP server in c++, I notice that the way apache works is if you request a directory without adding a forward slash at the end, firefox still somehow knows that it's a directory you are requesting (which seems impossible for firefox to do, which is why I'm assuming apache is doing a redirect).
Is that assumption right? Does apache check to see that you are requesting a directory and then does an http redirect to a request with the forward slash? If that is how apache works, how do I implement that in c++? Thanks to anyone who replies.
Determine if the resource represents a directory, if so reply with a:
HTTP/1.X 301 Moved Permanently
Location: URI-including-trailing-slash
Using 301 allows user agents to cache the redirect.
If you wanted to do this, you would:
call stat on the pathname
determine that it is a directory
send the necesssary HTTP response for a redirect
I'm not at all sure that you need to do this. Install the Firefox 'web developer' add-on to see exactly what goes back and forth.
Seriously, this should not be a problem. Suggestions for how to proceed:
Get the source code for Apache and look at what it does
Build a debug build of Apache and step through the code in a debugger in such a case; examine which pieces of code get run.
Install Wireshark (network analysis tool), Live HTTP Headers (Firefox extension) etc, and look at what's happening on the network
Read the relevant RFCs for HTTP - which presumably you should be keeping under your pillow anyway if you're writing a server.
Once you've done those things, it should be obvious how to do it. If you can't do those things, you should not be trying to develop a web server in C++.
The assumption is correct and make sure your response includes a Location header to the URL that allows directory listing and a legal 301/302 first line. It is not a C++ question, it is more of a HTTP protocol question, since you are trying to write a HTTP server, as one of the other posts suggests, read the RFC.
You should install Fiddler and observe the HTTP headers sent by other web servers.
Your question is impossible to answer precisely without more details, but you want to send an HTTP 3xx status code with a Location header.