Does the .htaccess file protect the website?

I was wondering if protecting the web directory with the .htaccess file (with the .htpasswd file outside the public apache website) is a safe way to protect the directory (and its contents).

Can someone explain the dos and don'ts of such protection?

+4
4 answers

Authentication will be transmitted without protection over the network if you use the standard http protocol. This is not considered safe, as someone might sniff a password.

If you restrict access to https, it is completely safe. This would mean installing and activating the apache module for ssl encrypted http traffic (port 433, https:// in the address bar of the browser) and disabling standard http traffic for this directory on port 80. The username and password will be ssl encrypted. Be sure to choose a good password (long enough and complicated, impossible to guess or brute force).

Configuring Apache can be a daunting task, so take great care to keep it simple and check for possible errors.

It might be a good idea to move the access restriction configuration from the .htaccess file to the main apache configuration file if you have knowledge and control over it. It might also be easier for you to keep it in a .htaccess file. And "easy" can be safer. Make it look simple and safe, easy to maintain and memorable for you.

This is a simple setup to increase safety and protect against accidents:

If you have php and email configured on the computer where the protected directory is, you can write a simple alarm script. Just a php file "alarm.php" with one line with the php mail function that sends you an email informing you that htaccess protection is not working.

If your path to the domain and directory is http://mybox.example.com/secretdir/alarm.php, you can enter it in a browser on another machine, and you should receive this mail while htaccess is open. If it is protected, you can enter your username and password and you will also receive mail.

To do an automatic alarm, you can use another unix block that tries to get this URL every 15 minutes or so. Line for crontab:

*/15 * * * * user1 wget http://mybox.example.com/secretdir/alarm.php

user1 is the user on this computer who is allowed to run wget, and wget must be installed.

You can disable htaccess protection as a test and receive mail every 15 minutes.

In my experience, a common security flaw is that a directory that you think is protected loses its protection when you change something, and you don't know; this way you get a message that warns you.

+6
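The answer above suggests an alarm.php fetched from cron that mails on every successful fetch. As an added example (not code from the answer or from Apache), here is a probe that takes the complementary approach: it requests the protected URL without credentials and expects Apache to answer 401; anything else means the directory is no longer protected or the server is misconfigured, and the script prints a line and exits non-zero so cron's MAILTO delivers the alert. The host and path are placeholders.

```python
"""Added example: a cron-friendly probe that checks that a directory's
.htaccess Basic-auth protection is still in place.

The protected URL is requested WITHOUT credentials. A 401 means the
protection is still there; 200/3xx means content was served to an anonymous
client; anything else is reported as unexpected. Output is printed only when
something is wrong, so a cron job with MAILTO set mails only on failure.
"""
import sys
import urllib.error
import urllib.request

# Placeholder URL, not a real host (assumption for the example).
PROTECTED_URL = "https://mybox.example.com/secretdir/"


def classify_status(status, scheme="https"):
    """Map an HTTP status (and the URL scheme) to a verdict string.

    Returns one of: "protected", "exposed", "unexpected", "insecure-transport".
    """
    if scheme != "https":
        # Basic auth over plain http sends base64(user:password) in the clear,
        # so a probe over http is a finding in itself regardless of the status.
        return "insecure-transport"
    if status == 401:
        return "protected"
    if 200 <= status < 400:
        # Content (or a redirect that ended in content) was served with no
        # credentials: the .htaccess restriction is not being applied.
        return "exposed"
    return "unexpected"  # 404, 5xx, or 0 for a connection/TLS failure


def probe(url, timeout=10):
    """Fetch url with no credentials and return (status_code, verdict).

    urllib follows redirects, so a redirect chain that ends at a 401 still
    counts as protected; one that ends at a page counts as exposed.
    """
    scheme = url.split("://", 1)[0].lower()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as exc:
        status = exc.code  # 401, 403, 404, 5xx all arrive here
    except urllib.error.URLError:
        status = 0  # DNS, connection or TLS failure
    return status, classify_status(status, scheme)


def main(argv):
    url = argv[1] if len(argv) > 1 else PROTECTED_URL
    status, verdict = probe(url)
    if verdict == "protected":
        return 0  # stay silent: cron sends mail only if something is printed
    print(f"ALERT: {url} returned HTTP {status}: {verdict}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a system crontab entry of the same shape as the wget line in the answer, with MAILTO set, and temporarily disable the .htaccess protection to confirm the alert arrives; the check is cheap enough to run every few minutes.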

As far as I know, htaccess is easy to hack if it is intercepted (i.e. you log in from an Internet cafe with a network sniffer running). As far as I know, Digest authentication helps overcome this problem.

+1

.htaccess is a fairly standard way to make configuration changes for each directory for resources served by Apache HTTPD, in cases where you do not have access to the main configuration file / do not have root access.

If you have access to the main configuration, it is much easier to have the whole configuration (including authentication) located in one central place (even if it is divided into several files), where it is not so easy to lose sight of. In my experience, I can say that it is only a matter of time before you forget about your .htaccess.

The official documentation mentions several times that you should avoid using .htaccess files whenever possible.

If using .htaccess is your only choice, make sure that you follow the general security measures, as is the case with the basic HTTPD configuration: do not allow unauthorized users to read them (the files are read by the server), make sure the directory listing is disabled, always make sure that the password is stored in an encrypted / hashed format, etc.

For more information, please check the Apache htaccess tutorial

0
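The answer above says to make sure the password is stored in an encrypted / hashed format. As an added example (not code from the answer or from the Apache project), this script parses the user:hash lines that Apache's htpasswd(1) writes and reports which scheme each entry uses, flagging plaintext (-p), DES crypt(3) (-d) and unsalted SHA-1 (-s) as weak, apr1 MD5 (-m, the tool's default) as acceptable, and bcrypt (-B) as strong. The sample file content is constructed for the example; the hash values are placeholders with the right shape for each scheme.

```python
"""Added example: audit an .htpasswd file for weak password storage.

Recognises the formats Apache's htpasswd tool can produce and rates them.
Detection is by shape (prefix and length), so it is a heuristic: a 13-char
plaintext password would look like a crypt(3) hash.
"""
import re
import sys

# Constructed sample .htpasswd content, not from any real system.
SAMPLE_HTPASSWD = """\
# comment lines and blank lines are ignored
alice:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
bob:$2y$05$pOvJUkz0dJq7EHnKfEAhtedydKzKxcFm1hGBK9tU2k6ZsjeQd9DCq
carol:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
dave:a1b2c3d4e5f6g
erin:password123
"""

# $2y$<cost>$<22-char salt + 31-char hash>, 60 chars in total
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
# $apr1$<salt up to 8 chars>$<22-char hash>
APR1_RE = re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")
# {SHA} followed by base64 of a 20-byte SHA-1 digest (28 chars, one '=' pad)
SHA1_RE = re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")
# traditional DES crypt(3): 2-char salt + 11-char hash
CRYPT_RE = re.compile(r"^[./A-Za-z0-9]{13}$")


def classify_hash(field):
    """Return (scheme, strength) for one password field."""
    if BCRYPT_RE.match(field):
        return "bcrypt", "strong"
    if APR1_RE.match(field):
        return "apr1-md5", "acceptable"  # salted and iterated, but MD5-based
    if SHA1_RE.match(field):
        return "sha1", "weak"  # unsalted single SHA-1, fast to brute-force
    if CRYPT_RE.match(field):
        return "crypt", "weak"  # DES crypt(3) only uses the first 8 chars
    return "plaintext", "weak"  # htpasswd -p; only honoured on some platforms


def audit_htpasswd(text):
    """Parse htpasswd text and return a list of (user, scheme, strength)."""
    results = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected user:hash, got {raw!r}")
        user, field = line.split(":", 1)
        scheme, strength = classify_hash(field)
        results.append((user, scheme, strength))
    return results


def weak_users(text):
    """Return the users whose stored password is rated weak."""
    return [user for user, _, strength in audit_htpasswd(text) if strength == "weak"]


if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTPASSWD
    for user, scheme, strength in audit_htpasswd(data):
        print(f"{user:10s} {scheme:10s} {strength}")
```

Entries rated weak can be re-created with htpasswd -B, which writes bcrypt hashes; the file itself should stay outside the document root and readable only by the account the server runs as, as the question already proposes.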

The .htaccess file is pretty handy, but ... it won't protect you from someone using your code and reading any file that it wants. If your site (even one small script) is exploited, .htaccess and other solutions will not protect you, since the hacker will gain the rights of the user executing the script (usually www-data).

This is especially painful in CGI, but other scripts are also hacked.

0
