I set up an A record to http://intranet.example.com/ that goes to the directory 'manager'.
Within the manager folder I have a simple .htaccess file with the following information:
AuthUserFile /disk3/home2/web/standard/example/manager/.htpasswd
AuthName "Intranet Secured Login"
AuthType Basic
require valid-user
If I enter www.example.com/manager/ the user/password prompt box works fine and my directory is protected.
The problem is that I can access the directory directly by simply entering http://intranet.example.com?how?
It automatically takes me to the manager directory and loads the index.htm file. Why does this load if my 'manager' directory contains an .htaccess file and .htpasswd file? It's protected one way but not the other. What should I do? I don't understand.
[edited by: jdMorgan at 1:53 am (utc) on June 9, 2005]
[edit reason] Examplified. [/edit]
Welcome to WebmasterWorld!
The first thing to do is to flush your browser cache (Temporary Internet Files in IE) and try it again. If your browser contained a copy of the page loaded with the intranet.example.com/?how URL that you loaded before installing the auth code, then what you see on the screen is the old cached copy. Since no request was sent to your server, your auth code could have no effect.
The unwritten rule of access control code is, "Flush your caches after making any change."
If this doesn't help, then look in httpd.conf and any other config files for some kind of symlink or Alias that is making it look like the URL does not resolve to that subdirectory. This isn't likely, though.
Jim
You are absolutely correct. I went back and followed your directions and the directory is definitely protected now. Another quick question, please. On my other protected directories, and throughout my site, my error documents work perfectly.
My root .htaccess file contains...
# Set some options
Options -Indexes
# Customized server error messages:
ErrorDocument 400 /filenf.htm
ErrorDocument 401 /accessdenied.htm
ErrorDocument 403 /indexdenied.htm
ErrorDocument 404 /filenf.htm
And I previously published my .htaccess file in the 'manager' directory. Why am I receiving the following message?
Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Additionally, a 401 Authorization Required error was encountered while trying to use an ErrorDocument to handle the request.
As an even simpler example, it's common for people to ban a particular IP address or user-agent from accessing their site. But they forget to make provisions to allow that banned IP or user-agent to access their custom 403 ErrorDocument. In this case, the intruder is denied access, but the 403 error document cannot be served, because it too is denied to that intruder. So, the server generates a canned (default) error message because it specifically detects such situations, and then adds, "Additionally, a 403-Forbidden error was encountered while trying to use an ErrorDocument to handle the request." In other words, a second 403 error was generated while trying to handle the initial 403 Error.
Another common problem comes up when using a script to generate *all* pages on a site. If the script can fail such that it generates an error handled by an ErrorDocument, but that same script is required to work in order to serve that error document, then you're in a catch-22, and the server can get rather wrapped around the axle. I always recommend dirt-simple and "dumb" error-handling for this very reason; plain-HTML error documents (no SSI, no PHP) ain't pretty, and they ain't "real-cool customized," but you can be sure that they will work. Put more technically, it is important to minimize dependencies so as not to turn single-point failures into multi-point failures.
Access control and error handling are practices where you have to do a lot of "What if"-type thinking... and lots of testing.
Jim
ErrorDocument 401 /accessdenied.htm
AuthUserFile /disk3/home2/web/standard/mysite/personal/.htpasswd
AuthName "Personal Secured Login"
AuthType Basic
require valid-user
This .htaccess file works fine in the above protected directory because it refers to accessdenied.htm within the unprotected root of my site. Error documents serve without any problems. My site root contains the following:
# Set some options
Options -Indexes
# Customized server error messages:
ErrorDocument 400 /filenf.htm
ErrorDocument 401 /accessdenied.htm
ErrorDocument 403 /indexdenied.htm
ErrorDocument 404 /filenf.htm
What happens when I have an A-record that points directly to a protected directory? How do I serve an error document on a protected directory? This protected directory is essentially a root because the A-record intranet.mysite.com points directly to my [manager] directory, which essentially is the root for intranet.mysite.com.
What do I do?
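An added example, not part of the thread or any poster's actual configuration: one way to make the "provision" Jim describes when the protected directory is also the host's document root. It assumes a copy of accessdenied.htm is placed inside manager/ (an assumption; the thread only shows it in the site root) and uses only standard Apache directives.

```apache
# manager/.htaccess (added example; paths and names follow the posts above)
#
# Why the double 401 occurs: a local ErrorDocument URL-path is resolved
# against the document root of the host that received the request. For
# intranet.example.com that root is manager/, so /accessdenied.htm maps to
# manager/accessdenied.htm, which is itself covered by "require valid-user".
# Serving the 401 page therefore needs credentials, and Apache falls back to
# its built-in message plus the "Additionally, a 401 ..." line.

AuthUserFile /disk3/home2/web/standard/example/manager/.htpasswd
AuthName "Intranet Secured Login"
AuthType Basic
require valid-user

ErrorDocument 401 /accessdenied.htm

# Exempt exactly one file from authentication so the 401 page can be served
# to a client that has not logged in yet.
# Apache 1.3 / 2.0 / 2.2 syntax (needs AllowOverride AuthConfig Limit):
<Files "accessdenied.htm">
    Order allow,deny
    Allow from all
    Satisfy Any
</Files>

# Apache 2.4 equivalent (use instead of the block above):
# <Files "accessdenied.htm">
#     Require all granted
# </Files>

# Caveats:
# - <Files> matches by file name in this directory and every subdirectory,
#   so do not reuse the name accessdenied.htm for anything sensitive.
# - Keep the page plain HTML with no images, CSS or scripts loaded from the
#   protected tree; each such asset would hit the same 401 and fail to load.
```

To check the result, flush the browser cache, request the host without credentials and cancel the login prompt: the custom page should appear with a 401 status, while any other URL under manager/ still returns 401 without its content.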