
I need to protect my whole website (it's just for development at the moment) with a password. So I created a .htaccess and a .htpassword file. The .htaccess contains:

```apache
AuthUserFile /my/absolute/path/.htpassword
AuthName "Protected"
AuthType Basic
Require valid-user
```

My directory tree looks like this:

```
/var/www
|--- file.php
|--- .htaccess
|--- dir
|   |--- text.html
|--- file2.php
```

If I try to access file.php or file2.php (any file which is directly in /var/www), the webpage is protected by the password. However, I can access the file in the subdirectory (/dir/text.html) without any authentication. I'm absolutely certain that there's no .htaccess in /var/www/dir (I use ls -A).

I've seen on the web that .htaccess is supposed to have an effect on the directory and ALL subfolders, and that's what I want.

Do you know why it doesn't have any effect on the file in the subdirectory in my case? If so, how can I make it work?

MrWhite
Peni
  • Your basic authentication in the `.htaccess` file in the document root _should_ affect the entire directory tree, unless you have other `.htaccess` files in subdirectories (or `` containers in the server config) that override this. However, if you've previously accessed `/dir/text.html` before you implemented the authentication then it's possible you are seeing a cached response. (?) Make sure all local caches are cleared (try a different browser). Is there a proxy server on the network? – MrWhite Mar 02 '18 at 13:11
  • How about `/var/www/text.html`? Does it require authentication? – Ondřej Xicht Světlík Mar 02 '18 at 21:12
  • I feel so stupid it was a cache problem... The thing that was weird is that it did ask again for file.php but not for text.html. Anyway it works, thanks MrWhite. – Peni Mar 05 '18 at 07:54
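
A way to check the protection without a browser or proxy cache in the way, as an added example that is not code from any poster in this thread: the script walks the document root, requests every file with no credentials over a direct connection, and lists any path that does not answer 401. The script name and the base URL in the usage comment are assumptions.

```python
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Direct opener: ignores proxy environment variables so an intermediate
# proxy cache cannot answer on the server's behalf.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def list_paths(docroot):
    """URL paths of every file under docroot, except .ht* files."""
    paths = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.startswith(".ht"):
                continue  # .htaccess / .htpassword are not meant to be served
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            paths.append("/" + rel.replace(os.sep, "/"))
    return sorted(paths)


def status_without_credentials(base_url, path):
    """HTTP status for path when no Authorization header is sent."""
    req = urllib.request.Request(
        base_url.rstrip("/") + urllib.parse.quote(path),
        headers={"Cache-Control": "no-cache", "Pragma": "no-cache"},
    )
    try:
        with _OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def unprotected(base_url, paths):
    """Paths that answered anything other than 401 Unauthorized."""
    return [p for p in paths if status_without_credentials(base_url, p) != 401]


if __name__ == "__main__":
    # Usage (assumed names): python check_auth.py /var/www http://dev.example.test
    docroot, base_url = sys.argv[1], sys.argv[2]
    leaks = unprotected(base_url, list_paths(docroot))
    for path in leaks:
        print("NOT PROTECTED:", path)
    sys.exit(1 if leaks else 0)
```

An empty result means every file in the tree demanded authentication from the server itself, so any page a browser still shows without a prompt is coming from a cache.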

2 Answers


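You can write custom code in PHP for a session login and forbid the rest of the access with a header:

```php
<?php
session_start();
if (isset($_SESSION['user'])) {
    echo "do the stuff";
} else {
    // Redirect to the login page and stop, so no protected output follows.
    header("Location: login");
    exit;
}
```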
MrWhite
  • I don't want anybody to access the website even the login page. So I can't use php. And .htaccess features are perfect for what I want to do – Peni Mar 02 '18 at 08:48
  • Order allow,deny Deny from all – Praveen PL Mar 02 '18 at 08:55
  • I don't understand your last comment. Should I place Order allow,deny Deny from all in my htaccess? – Peni Mar 02 '18 at 12:31
  • This answer does not address the specific problem in the question. (Also, simply adding that `` directive will simply block _everyone_?!) – MrWhite Mar 02 '18 at 12:54

If you have a static IP, you can simply allow access to the website only from one IP in your virtual host config:

```apache
<Directory />
    Order Deny,Allow
    Deny from all
    # your IP
    Allow from 127.0.0.1
</Directory>
```

Ollie
  • Multiple IPs will access it and these IPs can change at any time, so it's not a solution. Besides, it doesn't help with the problem I have: your .htaccess will still not have an effect on the subdirectory – Peni Mar 02 '18 at 12:29
  • @Peni "Your .htaccess will still not have effect on subdirectory" - Ollie's code (in its current state) is intended to go in the server config, not `.htaccess` - but this _should_ affect subdirectories, just as your password-protect code _should_ also affect subdirectories. – MrWhite Mar 02 '18 at 12:51
  • Sorry, it was a misclick, I unmarked it. Oh OK, I didn't understand it was for server configuration. And yes, it should affect subdirectories but I have no idea why it doesn't work... Of course I could copy-paste my .htaccess into every directory but I don't think that's an acceptable solution. – Peni Mar 02 '18 at 12:54