Simplest way to htaccess protecting dirs @xampp for windows


Postby its me » 17. October 2011 17:28

Hello,
This is for guys who want to understand how protecting directories works in xampp using the simplest way!
As I tried many, many ways and read a lot, I wanted to share with you a very easy and short way to use the .htaccess protecting thing with xampp for Windows

First, you need to understand the process:
1- Once you request any file on the server, Apache will check for a file called .htaccess inside the folder/file you are requesting:
Example: if you request: http://yourdomain/folder1/folder2/filename.html
Apache will first check the global httpd.conf file and apply its directives; AFTER THAT, it will start checking folder1 and then folder2 for a ".htaccess" file, whether it exists or not
2- You need the file ".htaccess" to be in that folder, or in any folder above it
Example: if a .htaccess file exists in folder1, it will read all information from it, regardless of what is in httpd.conf (global settings)
- if another .htaccess also exists in folder2, it will apply those settings to folder2 ONLY and any folder inside it
3- What is .htaccess?
Simply, it is a file to tell Apache where your username and password(s) are located!
Example of what is inside a .htaccess file:
Code:
AuthType Basic
AuthName "NOT ALLOWED TO ACCESS FROM EVERYBODY"
AuthUserFile C:\\xampp\\security\\folder1passwords.txt
Require valid-user

4- Now, as you can see, it only points to where our password file is located, so you need that password file, which is called "folder1passwords.txt",
and the best location to store it is somewhere that can't be accessed via the web, like c:\xampp\security (thanks Sharley, you are the best :))
- This is how your "folder1passwords.txt" file should appear from inside:
Code:
user1:$apr1$z00gp/..$H4bYagczvliyfJoau34SP/

NOTE: user1 is the username, and the part after it is the password ENCRYPTED using md5
If you need more than one username and password, add another line to your file "folder1passwords.txt"
- Each line represents a new username with its encrypted password
5- You can include any other codes (directives) in your ".htaccess" - but there should be only one ".htaccess" file in each folder!
Example: enable folder indexing:
Code:
Options +Indexes

Example: disable folder indexing:
Code:
Options -Indexes

Remember: these settings are watched globally via httpd.conf, but when adding them in the .htaccess file in each folder it will override those global settings, and apply the new specified settings to this folder and all folders inside it...

Second, Use this for even easier work :)
- To get rid of the dot in front of the ".htaccess" file name and be able to create new files in Windows (Windows doesn't allow creating such a file name), we are going to change it:

1- Xampp identifies the ".htaccess" file by default using "httpd-default.conf", located -by default- in: C:\XAMPP\apache\conf\extra
Open it using notepad (since we are in a stupid windows environment) - locate:
Code:
AccessFileName .htaccess

- change it to
Code:
AccessFileName myhtcontrol.txt

- Or any other name that ends with txt - to open it directly with notepad (the only nice software in windows :))
- Restart Apache (Important) to apply the new global settings

2- Now, use this easiest tool (tested and worked with xampp) to create our myhtcontrol.txt
http://www.htaccesstools.com/htaccess-authentication/
- The first field will display the message to whoever is accessing the file from the web: example: "this is not allowed"
- In the second field, put your password file's full path as explained above
- I recommend making a new password file for each protected folder... this will make it easier to delete it later if you want to disable access for that user...

3- Create your password file from the same handy website using the other tool: htpasswd generator
http://www.htaccesstools.com/htpasswd-generator/
- Here it will give you the user and the encrypted password, copy them and paste them into your file: "folder1passwords.txt"
- Done, place your folder1passwords.txt in the security folder as explained above, and try accessing the folder via http
- It should ask you to insert a username and password.

In short, Apache accesses the folder for you; if it finds the file specified in httpd-default.conf, it will start reading it
- If code containing the path to the password file is found (myhtcontrol.txt), it will check it and give a message to the user to enter login info
- Once the user puts in login info, Apache will check the encrypted password file for that information and display what it is supposed to display if the password was ok
- If the password was not correct, it will return an error

Even shorter: Apache > folder containing access file > access file path > checking password file > return error or display content.
Where:
- Access file path is: ".htaccess" or "myhtcontrol.txt" if you changed it via "httpd-default.conf"
- Password file is the one encrypted in your xampp\security as said above

NOTE: Apache protects everything starting with .ht from being downloaded via http, so users do not know where your password file is actually stored on the server... So, if you changed the ".htaccess" file name as explained in this tutorial, you need to add the following code to the global httpd.conf settings file to disallow users from accessing your htaccess file - you also need to check it by trying to download it from the server.... this is important.. if you can download it, that is not good :(

This is what the main httpd.conf says:
Code:
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

You will need to add this to your global httpd.conf (the main one, not the default one - usually click on admin in xampp control panel beta 3 and select httpd.conf)
(c:\xampp\apache\conf\httpd.conf)

Add as per your file name, based on the above example:
Code:
# Match the renamed access file exactly: no stray backslash, escaped dot, anchored at both ends
<FilesMatch "^myhtcontrol\.txt$">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>


NOTE: There are many other way(s) to add/edit the ".htaccess" files and the password files, this is just the one I found easiest and simplest, and I hope it will make it easier for beginners who are looking for such information.

Thanks Sharley, thanks Altrea :)

Good luck
Mike
its me
 
Posts: 61
Joined: 03. October 2011 09:45
Operating System: Windows server 2008 SP1 R2
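
The NOTE in the post above (a renamed access file is no longer covered by the default "^\.ht" rule) can be checked statically before testing a download by hand. This Python sketch is an added example, not part of the original post or of XAMPP: it reads httpd.conf text, finds the configured AccessFileName, and lists every access file name that no deny-all <Files>/<FilesMatch> block matches. The sample configurations are constructed and the function names are hypothetical.

```python
import fnmatch
import re

# Constructed sample: the default "^\.ht" rule is present, access file renamed.
RENAMED = r'''
AccessFileName myhtcontrol.txt
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
'''

# Constructed sample: the same configuration plus a rule for the new name.
FIXED = RENAMED + r'''
<FilesMatch "^myhtcontrol\.txt$">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
'''

SECTION = re.compile(
    r'<(FilesMatch|Files)\s+(~\s+)?"?([^">]+)"?\s*>(.*?)</\1\s*>', re.S | re.I)
# Only an explicit deny-all line counts (2.2 syntax, or "Require all denied").
DENY_ALL = re.compile(
    r'^[ \t]*(Deny\s+from\s+all|Require\s+all\s+denied)[ \t]*$', re.I | re.M)


def access_file_names(conf):
    """Names from the last AccessFileName directive (Apache default: .htaccess)."""
    names = [".htaccess"]
    for line in conf.splitlines():
        words = line.split()  # commented-out lines never start with the keyword
        if len(words) > 1 and words[0].lower() == "accessfilename":
            names = [w.strip('"') for w in words[1:]]
    return names


def deny_rules(conf):
    """One predicate per <Files>/<FilesMatch> block that denies all access."""
    rules = []
    for kind, tilde, arg, body in SECTION.findall(conf):
        if not DENY_ALL.search(body):
            continue
        arg = arg.strip()
        if kind.lower() == "filesmatch" or tilde:  # regex form
            rx = re.compile(arg)
            rules.append(lambda name, rx=rx: rx.search(name) is not None)
        else:  # plain <Files> takes a shell-style wildcard
            rules.append(lambda name, pat=arg: fnmatch.fnmatchcase(name, pat))
    return rules


def unprotected_access_files(conf):
    """Access file names that a client could request without hitting a deny rule."""
    rules = deny_rules(conf)
    return [n for n in access_file_names(conf) if not any(r(n) for r in rules)]


if __name__ == "__main__":
    print("renamed only:", unprotected_access_files(RENAMED))
    print("with new rule:", unprotected_access_files(FIXED))
```

An empty result only says the configuration text contains a matching deny rule; requesting the file over http, as the post recommends, is still the final check.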

Re: Simplest way to htaccess protecting dirs @xampp for wind

Postby JonB » 17. October 2011 19:34

@ Mike -

That's an interesting tutorial.

I do have to make a word of caution about one point - the matter of renaming your .htaccess files to something else.
Second, Use this for even easier work


As you pointed out, Apache does allow you to change the AccessFileName with a directive. I'd like to say that is probably a poor practice, for several reasons.

A. If you decide to have a production server, it's unlikely you will be able to make that change, so you will need to manage/change two sets of files. (yes you 'can' rename as you upload, but it's still a potential problem). A site with a good number of things going on is likely to have a good number of .htaccess files as well. It's a powerful tool, and well loved by developers.

B. Probably more importantly, many many third party scripts are designed to work with .htaccess files for things like context redirection, pretty/friendly URLS, and other 'site optimization' issues. Many of these manipulations are 'scripts' in and of themselves, where you put in the desired 'outcomes' in the Admin CP or Dashboard, and a 'wizard', 'widget' or scriptlet makes the changes for you. WordPress immediately comes to mind.

I only know of one case where I have changed the AccessFileName, and that was to accommodate synchronizing against a server where hosting controls made certain options unworkable. In the end, I found a workaround for that too.

These are only 'my' opinions, and intended for folks to give some thought to the future when making this choice.

Good Luck
8)
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7

Re: Simplest way to htaccess protecting dirs @xampp for wind

Postby its me » 17. October 2011 20:00

Thanks for your reply JonB, appreciated.

Actually I wrote that because when I tried to deal with .htaccess on windows using xampp lately, I had troubles with 2 main things and spent hours to collect that information together, one is the file names starting with dots which this stupid windows doesn't allow to create, and most of the fresh users do not know that it is editable by text editor, second is how to change the password or add new users to the folder access list, the theory and the process was not clear in my mind.. that's why i wanted to show folks here all the information that they might need in one place.... if u google it you will find huge number of people stuck in this and they didn't yet understand the process or why it doesn't work for them, they just apply shown-steps then give up if works fine without knowing what is going on, or giving up php/mysql in windows assuming directories can't be protected in windows (that was my impression also, I was under impression that .htaccess files work only with linux!) - I needed to understand the mechanism ...then it was easy, and i got happy knowing "the secret" of this .htaccess thing :) and how both files accumulate each other as i said above

mmmm seems like the driving license, first understand the rules and apply them to get the license, then it is up to you if you wanna break the rules or drive using one hand, moreover, seems like security breach in ur server same like police man catch you driving drunk :)

If someone decides to rename it then he must know how the setup works first.... I think in production servers like linux, they will have their own htaccess editors directly via cpanel right? but in windows you still missing the productivity when using php/mysql in windows as big production server right? perhaps in bigger environment it is much better to get linux or managed server with cpanel and get headache free :)

what you think about this theory I just got on mind now: renaming it will enhance security even much more - cause: .htaccess is globally known for such things, hackers will start looking for it directly, like this they will be looking for different thing... :) :) --- even adding fake .htaccess file instead contain: go away bad boys bad boys!!!! :mrgreen: will make it fun :D

Thanks again
Mike
its me
 
Posts: 61
Joined: 03. October 2011 09:45
Operating System: Windows server 2008 SP1 R2

Re: Simplest way to htaccess protecting dirs @xampp for wind

Postby Altrea » 18. October 2011 04:47

I can only agree. Don't change the default .htaccess name.
.htaccess is an internet-wide standard.

Another hint: If you want to step deeper into (web-)server administration, start learning how to use command line tools.
In the command line you are able to save files with or without a name and with the extensions you want.
Apache comes with a command line tool for .htpasswd files too, which is very handy. You can simply create files, add users, etc. without issues like wrong charsets, etc.

Create and change files just with a good text editor (like notepad++). Some of them come with text highlighting for .htaccess and .conf files, which can be very helpful for finding errors in those files before they take effect.

just my two cents
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
Altrea
AF Moderator
 
Posts: 8293
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: Simplest way to htaccess protecting dirs @xampp for wind

Postby its me » 18. October 2011 05:02

Good morning Altrea,
did you read the driving license example :)
thanks a lot for your valuable information
cheers guys
its me
 
Posts: 61
Joined: 03. October 2011 09:45
Operating System: Windows server 2008 SP1 R2

Re: Simplest way to htaccess protecting dirs @xampp for wind

Postby Altrea » 18. October 2011 05:05

Good Morning Mike :D

I read everything here and now i have to relax my eyes from all of that text :lol:

btw:
its me wrote:what you think about this theory I just got on mind now: renaming it will enhance security even much more - cause: .htaccess is globally known for such things, hackers will start looking for it directly, like this they will be looking for different thing... :) :) --- even adding fake .htaccess file instead contain: go away bad boys bad boys!!!! :mrgreen:


I don't agree with that, but interesting theory :D
Altrea
AF Moderator
 
Posts: 8293
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: Simplest way to htaccess protecting dirs @xampp for wind

Postby Sharley » 18. October 2011 06:31

A .htaccess file is only a folder by folder mini httpd.conf file and contains nothing more than is in the main httpd.conf file, a text file readable by whosoever desires, and so does not present any more of a security risk than does the httpd.conf file.

On the other hand the .htpasswd file contains a user/password but again if this file is created correctly, as I outlined in your other topic, then the password is encrypted and so it also does not present a security risk, unlike a plain text password in a readable text file elsewhere in the xampp tree.

So if you need once again to be advised that you should not rename these files for any perceived security reasons then be advised by me also - but simply, the choice is yours to rename what you like, complete with the possible resulting issues caused by this, which will also be yours to resolve, not us here in these forums.

Mike wrote:...one is the files name starting with dots which this stupid windows doesn't allow to create one,
Mike, a computer is only a machine and if you can't control this machine but you allow it do what it wants then you will always have these frustrations.

I don't think you would permit your car to do what it wants would you, for example, like when you turn the steering wheel to go left but the car wants to turn right?

So why allow your computer not to save a .htaccess file when you have clearly told it to?
http://superuser.com/questions/56562/ho ... -windows-7
http://www.htaccesstools.com/htaccess-faq/
http://codeigniter.com/forums/viewthread/188450/#896976

Plus there are many more helpful web sites that can assist you to learn how to control your PC. :)

Best wishes and power to the control freaks :D
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3
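
Sharley's distinction between a correctly created password file and a plain-text password can be checked line by line. This Python sketch is an added example, not code from the thread or from XAMPP: it classifies each `user:hash` entry by its hash layout and reports entries that are unsalted, plain text, duplicated or malformed. The first sample line is the entry quoted in the first post; the other entries and the function names are constructed for illustration.

```python
import re

# Hash layouts httpd recognises in a password file; the flag says whether the
# scheme is salted. Anything else is compared as plain text by httpd on
# Windows, the platform this thread is about.
SCHEMES = [
    ("bcrypt", r"\$2[aby]\$\d\d\$[./0-9A-Za-z]{53}", True),
    ("apr1-md5", r"\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}", True),
    ("sha1-unsalted", r"\{SHA\}[0-9A-Za-z+/]{27}=", False),
]

# Constructed sample file. Line 1 is the entry shown in the first post; the
# remaining lines are made up (line 4 has the apr1 layout but is not a real hash).
SAMPLE = """\
user1:$apr1$z00gp/..$H4bYagczvliyfJoau34SP/
user2:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
user3:hunter2
user3:$apr1$abcdefgh$0123456789abcdefghijkl
broken line without colon
"""


def classify(secret):
    """Return (scheme, acceptable) for the part after 'user:'."""
    for label, pattern, acceptable in SCHEMES:
        if re.fullmatch(pattern, secret):
            return label, acceptable
    return "plaintext", False


def audit(text):
    """Return (line number, user, problem) for every entry worth fixing."""
    findings, seen = [], set()
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        secret = rest.split(":")[0]  # the password field ends at the next colon
        if not sep or not user or not secret:
            findings.append((number, "?", "malformed: expected user:hash"))
            continue
        if user in seen:
            findings.append((number, user, "duplicate user"))
        seen.add(user)
        scheme, acceptable = classify(secret)
        if not acceptable:
            findings.append((number, user, scheme))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```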

Re: Simplest way to htaccess protecting dirs @xampp for wind

Postby its me » 18. October 2011 08:40

power to the control freaks indeed :D

many thanks to you guys, you are providing a lot more than support :)

Sharley, I don't agree with you! you are responsible to solve here even if i renamed it :) (just kidding) I understand the risk and it is all one unattended folder which i want to protect, so not big deal for this server :)

Cheeeers
its me
 
Posts: 61
Joined: 03. October 2011 09:45
Operating System: Windows server 2008 SP1 R2

Re: Simplest way to htaccess protecting dirs @xampp for wind

Postby its me » 18. October 2011 10:00

fine, guys, my htaccess file is working fine, but why does it keep asking for the password when attempting to open any contained folder?
for example: my .htaccess file is located in folder1

domainname/folder1/folder2/folder3/folder4

when accessing folder1 it is ok, it asks for password.. then after that when trying to access folder 2 it is again asking for password! is it supposed to take effect on all sub folders inside that main protected one?
its me
 
Posts: 61
Joined: 03. October 2011 09:45
Operating System: Windows server 2008 SP1 R2

Re: Simplest way to htaccess protecting dirs @xampp for wind

Postby Sharley » 19. October 2011 05:33

You answered that question in your own tutorial, the first post in this topic.
First, you need to understand the process:
2. blah blah blah
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Simplest way to htaccess protecting dirs @xampp for wind

Postby its me » 19. October 2011 11:40

Please Sharley! I seem to have misunderstood this point! it is working fine with htaccess editors over linux hosting.. when you protect a folder, then it will affect all folders inside it, if you accessed folder1 that's it, then open everything inside that however u like... also worked with me earlier than xampp (normal installation of apache and mysql)- -
But in xampp i faced this lately as i noticed when accessing folder1 then accessing folder2 which is inside it (sub folder), it will ask me again for the username and password! even in the same session of ie or firefox! i have no reason, just that htaccess is not affecting all sub directories??......... to relax, i renamed it back to .htaccess and all goes fine, but is this a xampp issue or do i have to adjust some settings in httpd.conf?

I know you wouldn't leave me like this :) above tutorial really i meant to let guys understand that htaccess is only a leading file to the htpassword information which is stored "encrypted" somewhere else.... i was previously under impression that it is a really complicated mechanism....then with windows can't create ".htaccess" I was thinking it is not working on windows platform!! that's the cause i put above tutorial.... :) I thought it could help someone else to understand what I was stuck in :)

I'll wait for your help regarding the sub folder inheriting issue @xampp regarding protection via htaccess
thanks a lot in advance
its me
 
Posts: 61
Joined: 03. October 2011 09:45
Operating System: Windows server 2008 SP1 R2

Re: Simplest way to htaccess protecting dirs @xampp for wind

Postby Sharley » 19. October 2011 12:28

Go to http://localhost/xampp/index.php and then select the Security menu item.

You will see a link to xamppsecurity.php click on this link

Next create a user/pass for
XAMPP DIRECTORY PROTECTION (.htaccess)

Click Make safe the XAMPP directory button.

It will create a .htaccess file in the C:\xampp\htdocs\xampp folder.
You can drag this into your text editor to see how it looks.

It also creates an xampp.users file (really a renamed .htpasswd file) in the C:\xampp\security folder.
Drag this into your text editor to see how it looks.

Use these 2 files as an example for your own authentication files.


Now close all XAMPP windows in your browser, clear the browser cache (Temporary Internet files) so you have to login using the user/pass you just created and then go to these addresses and see how many times you need to go to the user/pass login box.
http://localhost/xampp
http://localhost/xampp/img
http://localhost/xampp/lang
http://localhost/xampp/external
http://localhost/xampp/sqlite

The .htaccess file in the xampp folder is protecting the img folder, the lang folder and the external folder.
The sqlite folder has its own .htaccess protection which is denying access to all (500 error).

The above is a good example of how this type of authentication works - if your own authentication files don't work like this then compare your files with those generated by XAMPP and see if there is a difference.

Let me know how you go doing this or if there is anything you don't understand.
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Simplest way to htaccess protecting dirs @xampp for wind

Postby Altrea » 20. October 2011 04:51

The browser determines how long you are authenticated for one http session.

If you have to login for all subfolders again, then it is not the same session for the browser (follow Sharley's description) or you get logged out after every request.
Internet Explorer destroys HTTP sessions as soon as all browser windows are closed and the Internet Explorer process is closed, Firefox should act like IE, but there are some Addons which can influence this behavior (Web Developer Toolbar for example). In Opera it is/was time related (4 hours or so). So please check your Browser settings too.
Altrea
AF Moderator
 
Posts: 8293
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: Simplest way to htaccess protecting dirs @xampp for wind

Postby its me » 20. October 2011 13:50

hmmmmm today i didn't face any problem with that protected folder or sub folders, even though i didn't change anything. seems strange, but i will do whatever you said guys.
thanks a lot again. appreciated Sharley & Altrea
cheers
its me
 
Posts: 61
Joined: 03. October 2011 09:45
Operating System: Windows server 2008 SP1 R2

