How to protect a site using .htaccess

Paul
Development Team Leader
Posts: 1132
Joined: October 20th, 2007, 2:23 pm

How to protect a site using .htaccess

Post by Paul »

A set of mod_rewrite conditions (below) that you can tag onto the end of your .htaccess file will block a good number of common exploit attempts while interfering as little as possible with legitimate usage.

Each server configuration is unique. If you are forwarded to your home page and receive a 403 Forbidden error, you will know these settings worked incorrectly on your site. If a particular rule breaks some feature of your site, just comment it out by placing a # in front of the offending rule.

Directions
1. Append the following code to the .htaccess file in the same directory as your Joomla! index.php file (often your public_html directory).
2. Test your site.
3. If the site produces errors, comment out all of these lines, and uncomment and test one line at a time until you find the problem directive(s).
4. Try to tweak these directives to work on your server, or leave them commented out.

Code:

########## Begin - Rewrite rules to block out some common exploits
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked requests to index.php with a 403 Forbidden error
# (with the F flag the substitution is ignored and 403 is returned directly)
RewriteRule ^(.*)$ index.php [F,L]
# 
########## End - Rewrite rules to block out some common exploits
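To see which requests the chain above would reject before deploying it, here is an added Python dry run (not from the original post) that applies the same five QUERY_STRING patterns, OR-ed as in the .htaccess, to constructed sample URLs; it assumes Python's re engine behaves like Apache's PCRE for these simple patterns, and includes one legitimate request that trips the <script> rule.

```python
import re
from urllib.parse import urlsplit

# The five QUERY_STRING patterns from the post, in order, as (pattern, nocase).
# Every RewriteCond in the chain carries [OR] except the last, and mod_rewrite
# AND-s the last condition implicitly, so the rule fires if any one matches.
EXPLOIT_CONDITIONS = [
    (r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", False),
    (r"base64_encode.*\(.*\)", False),
    (r"(\<|%3C).*script.*(\>|%3E)", True),   # [NC]: case-insensitive
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", False),
]

def matched_condition(query_string):
    """Index of the first RewriteCond matching the raw query string, or None.
    mod_rewrite tests QUERY_STRING before any URL-decoding, which is why the
    patterns also spell out percent-encoded forms such as %3C and %3D."""
    for idx, (pattern, nocase) in enumerate(EXPLOIT_CONDITIONS):
        if re.search(pattern, query_string, re.IGNORECASE if nocase else 0):
            return idx
    return None

def classify(urls):
    """Map each request URL to 'blocked' (403 via the [F] rule) or 'allowed'."""
    return {u: ("blocked" if matched_condition(urlsplit(u).query) is not None
                else "allowed") for u in urls}

# Constructed sample requests (not taken from the post) for the dry run.
SAMPLE_REQUESTS = [
    "/index.php?option=com_content&view=article&id=12",          # allowed
    "/index.php?mosConfig_absolute_path=http%3A%2F%2Fexample.invalid%2Fx",
    "/index.php?q=%3Cscript%3Ex%3C%2Fscript%3E",
    "/index.php?GLOBALS[foo]=bar",
    "/index.php?search=javascript+tutorial",                     # allowed
    "/index.php?text=%3Cb%3Edescription%3C%2Fb%3E",  # false positive on "script"
]

if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_REQUESTS).items():
        print(f"{verdict:8} {url}")
```

The last sample shows why the post advises testing: harmless encoded markup containing the letters "script" between an encoded < and > is refused just like a real injection attempt.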
repair1
Rank 0
Posts: 1
Joined: October 26th, 2009, 1:31 am

Re: How to protect a site using .htaccess

Post by repair1 »

There are numerous methods of password protecting areas of your site, some server-language based (such as ASP, PHP or Perl) and some client-side based, such as JavaScript. JavaScript is not as secure or foolproof as a server-side option; a server-side challenge/response is always more secure than a client-dependent challenge/response. htaccess is about as secure as you can or need to get in everyday life, though there are ways above and beyond even that of htaccess. If you aren't comfortable enough with htaccess, you can password protect your pages any number of ways, and JavaScript Kit has plenty of password protection scripts for your use.

The first thing you will need to do is create a file called .htpasswd. I know, you might have problems with the naming convention, but it is the same idea behind naming the htaccess file itself, and you should be able to do that by this point. In the htpasswd file, you place the username and password (which is encrypted) for those whom you want to have access.
mark09
Rank 0
Posts: 1
Joined: November 6th, 2009, 12:13 pm

Re: How to protect a site using .htaccess

Post by mark09 »

I have searched the net and this is what I've found:

Password protect your website using .htaccess
This tutorial covers web-based user authentication using HTAccess. Web-based authentication denies web access to visitors who do not give a valid username and password. This feature allows webmasters to restrict access to certain directories.

You will need the following basic skills:
Ability to access files in your COE user account
Ability to use a text editor (such as pico, simpletext, or notepad)
Working knowledge of paths and basic filesystem navigation

The following is an example use of the .htaccess file. Let's assume that it resides at /nfs/stak/u4/z/zork/public_html/private/.htaccess

AuthUserFile /nfs/stak/u4/z/zork/public_html/private/.htpasswd
AuthGroupFile /dev/null
AuthName "Secret Stuff"
AuthType Basic
require valid-user

The .htaccess file affects the directory in which it is placed, so in this example, any visitor requesting would be presented with an authentication request.

The .htaccess file also affects directories recursively below it. Therefore, requesting would yield the same authentication request unless ~zork/private/evenmore had a .htaccess file of its own.

The first line, starting with AuthUserFile, tells the webserver where to find your username/password file. We'll create that file in a minute. For now, change the AuthUserFile line as necessary for your use.

Notice that the AuthName in the example, "Zorks Secret Section," is used in the authentication request.

Using your favorite text editor, create a file similar to the example, replacing AuthUserFile and AuthName with values for your situation. Be sure to name the file .htaccess.

Now that we understand the basic .htaccess model, how can we specify who is allowed? We'll create an .htpasswd file named in the AuthUserFile line above.

To create an .htpasswd file, go to the directory you specified in AuthUserFile. In the example, this is /nfs/stak/u4/z/zork/public_html/private/. Then use the htpasswd program with the -c switch to create your .htpasswd in the current directory. (You have to do this in ssh)

Type htpasswd -c .htpasswd username to create the file and add "username" as the first user. The program will prompt you for a password, then verify by asking again. You will not see the password when entering it here:

flop 3% htpasswd -c .mypasswds tacodog
Adding password for user tacodog
New password: type password
Re-type new password: re-type password

To add more users in the future, use the same command without the -c switch: htpasswd .htpasswd bob will add username "bob" to your .htpasswd file.

To delete users, open the .htpasswd file in a text editor and delete the appropriate lines:

username:v3l0KWx6v8mQM
bob:x4DtaLTqsElC2

NOTE: in order for this to work both files must be readable by the webserver. Execute the following command in the same directory as the two files:

flop 3% chmod o+r .htaccess .htpasswd
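As an added example (not part of the quoted tutorial), this Python snippet parses an .htpasswd file in the format shown above, flags entries stored with the legacy 13-character crypt(3) form, unsalted {SHA} or plain text so they can be regenerated with a stronger scheme (Apache's htpasswd -B produces bcrypt), and verifies a {SHA} entry. The file contents are constructed for the example.

```python
import base64
import hashlib
import re

# Constructed .htpasswd content (not the post's file). The first two entries use
# the 13-character crypt(3) form seen in the post, the third is a {SHA} entry as
# produced by htpasswd -s, and the fourth is an unhashed password.
SAMPLE_HTPASSWD = """\
username:v3l0KWx6v8mQM
bob:x4DtaLTqsElC2
alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
eve:plaintextpw
"""

CRYPT_DES = re.compile(r"^[./0-9A-Za-z]{13}$")

def hash_scheme(stored):
    """Classify a stored htpasswd hash by its prefix or shape."""
    if stored.startswith("$apr1$"):
        return "apr1-md5"
    if stored.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if stored.startswith("{SHA}"):
        return "sha1"
    if CRYPT_DES.match(stored):
        return "crypt-des"   # legacy crypt(3): only the first 8 password chars count
    return "plain"

def parse_htpasswd(text):
    """Return {user: stored_hash}, skipping blank, comment and malformed lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        entries[user] = stored
    return entries

def weak_entries(text):
    """Users whose stored form should be re-hashed (e.g. with htpasswd -B)."""
    return sorted(u for u, h in parse_htpasswd(text).items()
                  if hash_scheme(h) in ("crypt-des", "plain", "sha1"))

def verify_sha(stored, password):
    """Check a {SHA} entry: base64 of the raw, unsalted SHA-1 digest."""
    digest = hashlib.sha1(password.encode()).digest()
    return stored == "{SHA}" + base64.b64encode(digest).decode()
```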
amereservant
Rank 0
Posts: 2
Joined: April 22nd, 2010, 8:47 pm

.htaccess Mediawiki short URLs with Joomla installed

Post by amereservant »

Hey Paul,
I installed MediaWiki in addition to my existing Joomla site and it worked great until I tried enabling MediaWiki short URLs. I tried all sorts of different things and went over and over the examples at http://www.mediawiki.org/wiki/Manual:Short_url and searched all over for someone with the same issue and never had any luck finding the answer. After hours of searching, reading Apache's docs on mod_rewrite, and trying a wide variety of things, I just couldn't figure out how to get the URLs properly added to the .htaccess file for Joomla and get it to play friendly.

I came across your site in the search results and since it was familiar, I figured this is a good place to post this and hopefully help others out as well if it can finally get solved. I found some help that partially fixed my issue, but not completely since the image files aren't properly linked. See what I mean at http://myownserver.info/wiki/ with the logo.

Here's what my directory structure looks like:
Joomla is in my website's root directory along with the .htaccess file.
Mediawiki is in the sub-directory w/.

Now here's my .htaccess file in the root folder:

Code:

RewriteEngine On

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked requests to index.php with a 403 Forbidden error
# (with the F flag the substitution is ignored and 403 is returned directly)
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla! Directory (just / for root)
RewriteBase /

########## Begin - Joomla! core SEF Section
#
RewriteCond %{REQUEST_URI} ^/wiki
# RewriteRule .* /index.php [L]

RewriteRule ^wiki/(.*)$ /w/index.php?title=$1 [PT,L,QSA]
RewriteRule ^wiki/*$ /w/index.php [L,QSA]
RewriteRule ^wiki$ /w/index.php [L,QSA]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$  [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#
########## End - Joomla! core SEF Section
I am pretty sure the issue is that the following lines are not above the wiki/ rules, but I do not know how to fix it and I'm hoping you can help me out with this:

Code:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
Thanks again and like I said, I REALLY hope this helps others out because nothing I found would work.
Paul
Development Team Leader
Posts: 1132
Joined: October 20th, 2007, 2:23 pm

Re: How to protect a site using .htaccess

Post by Paul »

Can you move Joomla to a folder along with its .htaccess instead of the root? That way you can separate Joomla and the wiki.
David019
Rank 0
Posts: 1
Joined: July 8th, 2010, 8:39 am

Re: How to protect a site using .htaccess

Post by David019 »

There are numerous methods of password protecting areas of your site, some server-language based (such as ASP, PHP or Perl) and some client-side based, such as JavaScript.
morean51
Rank 0
Posts: 3
Joined: March 5th, 2011, 3:07 am

Re: How to protect a site using .htaccess

Post by morean51 »

Thanks!!! I was having a bit of the same question...
andrew15
Rank 0
Posts: 1
Joined: August 15th, 2011, 1:55 am

Re: How to protect a site using .htaccess

Post by andrew15 »

Thanks a lot, I was searching for this for a very long time.
arringtond
Rank 1
Posts: 5
Joined: October 13th, 2011, 8:51 am

Re: How to protect a site using .htaccess

Post by arringtond »

I remember one news bit when Dirt 3 game codes were made open to the public because they forgot to add an .htaccess technique to their web site. It was rather a clumsy mistake on their part considering the level of confidence which should be posted when using this.

I mean, you just do not append your database content to your web site. It really is important to use this so that users are not given access to components they are not authorized to view.
gsamuel
Rank 0
Posts: 3
Joined: March 14th, 2012, 7:24 pm

Re: How to protect a site using .htaccess

Post by gsamuel »

I think that .htaccess is a very simple thing you could use, but actually very helpful in your bid to protect the site from unauthorized access from all routes. I remember early last year, there was some big news that broke when one of the leading game production companies got hacked, with some 3 million individual promo codes taken just because their page was not protected. A very simple .htaccess could have avoided that, actually.