The Archive Base

The Archive Base Logo The Archive Base Logo

The Archive Base Navigation

  • SEARCH
  • Home
  • About Us
  • Blog
  • Contact Us
Search
Ask A Question

Mobile menu

Close
Ask a Question
  • Home
  • Add group
  • Groups page
  • Feed
  • User Profile
  • Communities
  • Questions
    • New Questions
    • Trending Questions
    • Must read Questions
    • Hot Questions
  • Polls
  • Tags
  • Badges
  • Buy Points
  • Users
  • Help
  • Buy Theme
  • SEARCH
Home/ Questions/Q 239001
In Process

The Archive Base Latest Questions

Editorial Team
Asked: May 11, 2026


I was wondering if protecting a web directory with an .htaccess file (with the .htpasswd file outside the public apache webroot) is a secure way to protect a directory (and its contents).

Could someone explain the Do’s and Don’ts of this kind of protection?

1 Answer

  1. Editorial Team
    Added an answer on May 11, 2026 at 8:33 pm

    The authentication will be passed unprotected over the net if you use the standard http protocol. This is not regarded as safe, as someone could sniff the password.

    If you restrict access to https it is quite safe. This would mean installing and enabling the Apache module for SSL-encrypted HTTP traffic (port 433, https:// in the address line of the browser) and disabling the standard HTTP traffic for this directory on port 80. Username and password will be SSL encrypted. Be sure to select a good password (long and complex enough, not possible to guess or brute force).

    Apache configuration can be tricky, so take a lot of care to keep it simple and test against possible mistakes.

    It can be a good idea to move the access restriction configuration from the .htaccess file to the main Apache configuration file if you have knowledge and control of it. It could also be easier for you to keep it in the .htaccess file. And “easy” can be safer. Do it the way it feels simple and safe and easy to maintain and remember for you.

    This is a simple setup to enhance security and protect against accidents:

    If you have PHP and email configured on the machine where the protected directory is, you can write a simple alarm script. Just a PHP file “alarm.php” with a single line with the PHP mail function that sends you an e-mail, telling you that htaccess protection does not work.

    If your domain and directory path is “http://mybox.example.com/secretdir/alarm.php” you can enter this in a browser on a different machine and you should get that mail as long as htaccess is “opened”. If it is protected you can enter the username and password and you will also get the mail.

    To make an automated alarm out of this you could use a different unix box that tries to get this url every 15 minutes or so. The line for the crontab:

    # -q -O /dev/null: discard the response instead of saving a new file on every run
    */15 * * * * user1 wget -q -O /dev/null http://mybox.example.com/secretdir/alarm.php

    user1 is a user on this machine who is allowed to run wget, and wget must be installed.

    You can disable the htaccess protection as a test and should get the mail every 15 minutes.

    From my experience it is a common security flaw that a directory that you think is protected loses its protection when you change something and you are not aware. This way you get the email that warns you.

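The answer's alarm idea turned outside-in, as an added example that is not part of the original answer: a cron job requests the protected directory without credentials and prints an alert unless HTTPS answers 401 and plain HTTP refuses to serve or prompt. The URLs reuse the answer's example host; the function names, the script path and the set of accepted status codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer). Cron mails any output to the
# job owner, so the script prints only when a probe looks wrong.
# Hypothetical /etc/crontab entry:
#   */15 * * * * user1 /usr/local/bin/check_htaccess.sh --run

HTTPS_URL="https://mybox.example.com/secretdir/"   # placeholder host from the answer
HTTP_URL="http://mybox.example.com/secretdir/"

# fetch_status URL: print the status code of an unauthenticated GET.
# curl reports 000 when no HTTP response was received; redirects are not followed.
fetch_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1" || true
}

# verdict SCHEME STATUS: print "OK: ..." or "ALERT: ..." for one probe.
verdict() {
    case "$1:$2" in
        https:401)
            echo "OK: credentials required" ;;
        http:401)
            # Basic auth over HTTP would send the password in the clear.
            echo "ALERT: password prompt offered over plain HTTP" ;;
        http:301|http:302|http:307|http:308|http:403|http:404|http:000)
            echo "OK: not served over plain HTTP" ;;
        *:2??)
            echo "ALERT: content served without credentials" ;;
        *)
            echo "ALERT: unexpected status $2" ;;
    esac
}

# check_all: probe both URLs, print alerts only, return 1 if any probe alerted.
check_all() {
    rc=0
    for url in "$HTTPS_URL" "$HTTP_URL"; do
        result=$(verdict "${url%%:*}" "$(fetch_status "$url")")
        case "$result" in
            ALERT*) echo "$url $result"; rc=1 ;;
        esac
    done
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    check_all
fi
```

Unlike the mail-from-inside script, this check also reports the case where the directory is password protected but still reachable over unencrypted HTTP.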
