[RESOLVED] Securing PHP site on appache machine

dmacman1962

Hi all,

I know that there are many post in regards to this and this is not totally php related, but the users of this forum are the ones I can count on and feel welcome.

I am setting up my XP pro machine with apache and mysql and php and want to secure the entire www root directory. I already setup my router to forward all port 80 requests to this machine, so it is "open" to the public.

When I am not at home, I want to test and give access to people to test my PHP work, so I decided to "try" and setup the .htaccess and .htpasswd for the root. The problem is, it isn't working. Here is my .htaccess text.

AuthUserFile /.htpasswd
AuthName "Secured Site"
AuthType Basic
require valid-user

Note that my apache server is installed at "C:\wamp\www" the "www" is the root directory and where I have my .htaccess and .htpasswd files.

The .htpasswd file is standard. Example...

username: user
password: password

user:JiTL6VEqzEzxo

When I go to my site http://x.x.x.x/ I see this list of all files and directories in the root directory. I tried this on several machines.

I REALLY appreciate ANY help in this area.

Thanks,

Don

MarkR

Probably, Apache is configured to ignore .htaccess

This is the default, and you should use the AllowOverride command to instruct it to take notice of .htaccess files.

Mark

dmacman1962

Hi Mark,

Thanks for helping.

I checked my httpd.conf file and it is set to allow...

#

AllowOverride controls what directives may be placed in .htaccess files.

It can be "All", "None", or any combination of the keywords:

Options FileInfo AuthConfig Limit

#
AllowOverride all

Unless I am reading this wrong?

Thanks,

Don

MarkR

This option is usually set on a per-directory basis, and set to "None" for the root directory (or volume root directory, on Windows).

Then it's typically set to "all" for directories where web content is placed.

Mark

dmacman1962

Hi Mark,

I don't think thats it, since I moved the file into a sub directory and changed the path to that directory and it still does not work.

I think the problem is...

AuthUserFile /.htpasswd

I have seen on some examples that they have...

/home/user/directoryName/.htaccess

I am not sure on an apache system what the path name would be for mine.

It is on the C: drive in "C:\wamp\www\" and all files are in the www (root directory)

Thanks,

Don

bradgrafelman

Indeed, /.htpasswd means look for .htpasswd on the root of the drive in Unix.

You should use a full path to the .htpasswd file, i.e. "c:/wamp/www/.htpasswd"

dmacman1962

I resolved this.

Wordpad added .txt to the end and I had to copy .htaccess and .htpasswd files from our IPs server and edit them with my info and save it to my server to get it to work.

How do you save a file (like from word pad) with out a file type in the name.

Note: Windows would not allow me to change the name and not have a file type at the end of the name.

Thanks,

Don

bradgrafelman

I've never felt like messing with Wordpad to try and find the solution to this... mainly because to do all of my PHP/htaccess/etc. editing, I use notepad. Actually, I've replaced the M$ version of notepad.exe that comes with Windows with Notepad2. Notepad2 allows me to simply File -> Save As and use .htaccess as the filename.

If you want to stick with wordpad, however, you can always save the file as my.htaccess (my can be anything) and then open up a M$-DOS prompt (Start -> Run -> CMD {or COMMAND if you don't have Windows XP/2K(?)}), navigate to the directory where the file is located, and typing ren my.htaccess .htaccess . Voila, you now have a .htaccess file on your Windows computer.

dmacman1962

I spoke to fast.

I DID get to ask for the username and password, but not, it will not accept them.

It keeps asking me for the username and password.

I confirmed the spelling of both and used...

http://www.kxs.net/support/htaccess_pw.html

to generate the password and then pasted into my file.

??????

Thanks,

Don

Weedpacket

dmacman1962 wrote:
Note: Windows would not allow me to change the name and not have a file type at the end of the name.

I'm guessing that's because you've still got Microsoft's hand-holding babytalk "let's introduce a security vulnerability" hide-extensions setting turned on. In an explorer window, select "tools"->"Folder Options"->"View", and uncheck "Hide extensions for known file types".

dmacman1962

Hi weedpacket,

Thanks, I had already set that to display the extensions.

My system went down last Wednesday and I had to re-install it 5 times and reset the BIOS to get it to run at all. I forgot to turn that back to view file types.

As far as the .htpasswd file, I am confused. If I set it to don: password it will let me log in.

If I set it to what the .htpasswd generator sites supply after you enter the password (like - don:5XKFQnHolW6cc) they act like the password is incorrect???

Also, I tried the same password on 3 different sites, and for the word
password' here is what they give as encrypted?!

username:don
password: password

1) don:ZarhgKphQ96.g
2) don:4LLEY0pfBlRe.
3) don:cGyUX9QugYMgE

Shouldn't they all give me the same encrypted results for the word 'password' ?

Otherwise, how would apache know what the real password was?

I am missing something here.

Thanks,

Don

PS, how do I mark this un-resolved?

Weedpacket

dmacman1962 wrote:
Shouldn't they all give me the same encrypted results for the word 'password'?

Not if the salt is different in each case (which it probably would be on different servers). I Google's Apache's web site and found http://httpd.apache.org/docs/1.3/howto/auth.html which may provide a bit more guidance.

dmacman1962

Thanks, again, weedpacket.

I will read up on this and get it to work.

I got a question for you, Is there anything you don't know? Seriously!

You are ALWAYS right on the money, which is great, I know I appreciate it!!!

Thanks again,

Don