.htaccess help please
10-25-2007, 08:15 AM
Post: #1
.htaccess help please
I'm a newbie... With DreamHost I've discovered I can go to the "goodies" area of the panel to generate passwd protection for directories. Anyone know how this DreamHost feature handles the htpasswd file? I understand it should go above your web site so that visitors can't get to it. Does DreamHost place it there automatically?

Also if someone could give me an example or two on what needs to be entered in the first item... do you just put the name of the directory you want to protect there... or does it require the full path to the directory?

TIA
10-25-2007, 08:25 AM
Post: #2
.htaccess help please
Quote: Anyone know how this DreamHost feature handles the htpasswd file? I understand it should go above your web site so that visitors can't get to it. Does DreamHost place it there automatically?
No, it doesn't. When you use this feature from the control panel, it puts both the .htaccess file and the .htpasswd file in the directory you are protecting.

If you still want to have the control panel build the files for you, you can do so and then move the created .htpasswd file above the web directory and edit the resultant .htaccess file to change the path to that file.

Quote: give me an example or two on what needs to be entered in the first item... do you just put the name of the directory you want to protect there... or does it require the full path to the directory?
Well, you never have to enter the "full" path, as the system prepends the domain name (which actually completes the path to that point), but you should put the directory name "beneath the domain name".

For example, if you want to protect http://yourdomain.tld/private, then "/private" is what should be in the box.

If you want to protect http://yourdomain.tld/images/private, then "/images/private" is what you should put in the box.

--rlparker
10-25-2007, 09:22 AM
Post: #3
.htaccess help please
okay... got it...many thanks
10-25-2007, 09:31 AM
Post: #4
.htaccess help please
You are welcome, and good luck! :)

--rlparker
10-25-2007, 12:58 PM
Post: #5
.htaccess help please
I'd like to know more about where is best to actually place the htpasswd file. I've just let the panel create and place and had no idea that it could be viewed. I've just tried to pull mine up in the browser and it didn't work, but I'd like to hear about potential issues!

----------------------------------------------------------------------------------------------
"Whenever you find yourself on the side of the majority, it's time to pause and reflect." - Mark Twain
10-25-2007, 05:08 PM
Post: #6
.htaccess help please
Common security practice is to place the .htpasswd file in a "non-web accessible location", such as in a directory "above" or "outside" of your web space. This is done to make it even more difficult for someone to obtain it via the web and apply a "cracking" exercise on it to reveal/obtain the enclosed passwords.

In reality, with proper permissions set, it is *still* pretty safe even if served from within your webspace (as you have just seen demonstrated by your attempts to "browse" to it). The potential problem is that a "borken" server, or other script that runs amok *could* create an error condition that *might* result in it being "exposed" (hence the advice to "just keep it off the web altogether").

You are probably asking, "If this is the case, then why does DreamHost's panel tool put it there in the first place?" While I can't speak for DreamHost definitively, I suspect it is probably due to ease of operation and management of that function from the control panel. Keeping the .htpasswd file with the .htaccess file that refers to it "together" in a directory makes it easier to manage the beast when different .htaccess/.htpasswd files are used for different directories.

For example, if you set up http://yourdomain.tld/private to be protected this way, and the panel wrote the .htaccess file to /home/user/yourdomain.tld/private and the .htpasswd file to /home/user/ that would work fine until you tried to do the same thing to http://yourdomain.tld/private2 - the .htpasswd for that dir, if written in the same manner, would overwrite the .htpasswd file that already exists in /home/user/ (for http://yourdomain.tld/private/).

Sure, there could be more programming implemented to collect a different filename for the .htpasswd file from the user, test for existence/conflicts, trap errors, etc., but the DreamHost panel tool does not do any of that - they just rely upon the *nix permission system to protect the .htpasswd file, and put it in the directory it is related to, thereby avoiding the problem.

Of course, there is no rule that says the ".htpasswd" file has to be named ".htpasswd" (unlike the .htaccess file, which needs to stay named that way!). While you can't see them in a browser, you *can* see them via the shell, or via SFTP/FTP, and can inspect and edit them. If you do so, you will see that the .htaccess file defines what file it is using to store the passwords as a text string in the file - and you can change both the path to the file, and the name with any text editor.

Traditionally, the .htaccess file is created with an editor, and the .htpasswd file is managed with a shell tool; the DreamHost panel functionality just makes this easier for non "shell/*nix" savvy users - and the trade off is, at present at least, the default placement of the .htpasswd file in the target directory, and the use of ".htpasswd" as the naming convention.

The advantage to the tool is that you can easily add/delete users and change passwords from within the panel via a form instead of having to use the "standard" tools - the disadvantage is that using that method, you have less flexibility (none, actually) as to what you name the .htpasswd file, and where it is stored.

As I pointed out, you can of course still use the panel to generate the files (and then edit the .htaccess file as desired and move/rename the .htpasswd file), but once you have gone that far you are well on your way to just doing it all by hand "old school style".

Doing it by hand has a lot of advantages, particularly if you try to add password protection to a directory that already *has* an .htaccess file (the DreamHost panel tool rewrites that, which can break your application) because you can just *add* the appropriate password protection information to the existing .htaccess file.

There are many very good tutorials on the web that explain all this in full and glorious detail, if you are particularly interested - hopefully some of what I've written will either answer your question or pique your interest. ;)

--rlparker
10-25-2007, 05:24 PM
Post: #7
.htaccess help please
Hi again RL...

While I've always considered myself computer savvy... I must admit that being new to web design I've had a great deal of difficulty trying to wrap my brain around the htaccess and passwd code.

Prior to finding this forum, I had read quite a few online articles about how to do all this... and most of them refer to making sure the "full path to the passwd file" is in the htaccess file.

When I look at my directory tree on the DreamHost Esprit FTP server the root directory is just a folder icon with a slash... no directory name or letter is there. Assuming that it's best to put the htpasswd file immediately under the root directory... how then do I write the full path inside the htaccess files?

Thanks for your help
10-25-2007, 06:37 PM
Post: #8
.htaccess help please
Part of that confusion is the result of what your FTP client reports as "root" vs what is *really* root. People use all kinds of terms here to refer to their machine user's "home" directory - "user root", "main user directory", etc.

What your FTP client reports as "root" ("/") is actually not "root" at all. On DreamHost's setup it is actually "/home/username". What is often referred to as your "web root" (I hate that term, preferring to refer to it as your "top level web accessible directory" for a given domain or your "web base directory") on DreamHost is actually "/home/username/domain.tld" (or whatever you named the base directory for the domain when you added the domain to the system in the web panel).

By default, DreamHost uses "domain.tld" for this dir name unless you change it.

All that said, the only really useful places "outside" the web accessible part of your user space to put the .htpasswd file(s) are in the /home/username directory (which is above the "web base" dir ("domain.tld")), or in a directory that is a "sibling" to your domain.tld dir(s). If you do this, you can see how you might need to rename the .htpasswd file(s) if you use more than one, or develop some other system for storing them so they don't conflict.

If you don't want a bunch of ".htpasswd" files cluttering up your "user" dir, you can make "sibling" directories under your "user" dir (at the same dir tree level of your domain.tld dirs) and use them, either one for each domain's .htpasswd file(s) or in the way I describe further below. ;)

Finally then, you define the "full path inside the .htaccess files" as whatever path description accurately locates the file.

For instance, if the .htaccess file is in "domain.tld/private" (which is really "/home/user/domain.tld/private") and you want to put the .htpasswd file in the directory that your FTP client just shows as "/" (which is really "/home/username") you would enter:

/home/username/.htpasswd (or whatever you named the file)

The system I use is to put all the .htpasswd files for the various directories I may have protected across my various websites, domains, and subdomains on DreamHost in a special directory (folder) below my username, and then reference them directly with the appropriate path and filename, as in:

/home/username/htpasswords is the dir that holds -
.htpasswdsite1
.htpasswdsite2
.htpasswdsite2_uploads_dir

and then I reference them in whatever .htaccess file they are called from as:

/home/username/htpasswords/.htpasswdsite1
/home/username/htpasswords/.htpasswdsite2
/home/username/htpasswords/.htpasswdsite2_uploads_dir

This gives me a lot of flexibility, keeps the ".htpasswd" file inaccessible from the web, and allows me to use descriptive names for the ".htpasswd" files so I don't get them confused.

It's easy enough to get the wrong .htaccess file in the wrong directory if you are managing a bunch of sites, and it's just as easy to confuse a series of identically named .htpasswd files - this system makes it easy for me to tell exactly what .htpasswd file goes with which protected directory.

I don't know if any of that is helpful, or if I only added to the confusion, so please let me know if I've answered your question or only made it worse. ;)

--rlparker
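
The relocation described in posts #2 and #8, as an added shell example that is not part of the original thread or of DreamHost's tooling: it moves a panel-generated .htpasswd into a store directory outside the web tree, repoints AuthUserFile at it, and refuses to overwrite an existing file (the conflict from post #6). Every directory and file name is a constructed placeholder, and it assumes the directive is written as AuthUserFile with an absolute path.

```sh
#!/bin/sh
# Added example; every path and name here is a constructed placeholder.

# Print the password file an .htaccess points at (assumes the usual
# "AuthUserFile" capitalization and an absolute path).
auth_user_file() {
    sed -n 's/^[[:space:]]*AuthUserFile[[:space:]][[:space:]]*//p' "$1" |
        tr -d '"' | head -n 1
}

# True if the .htaccess in directory $1 uses a password file under web base $2.
htpasswd_is_web_reachable() {
    case "$(auth_user_file "$1/.htaccess")" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Move $1/.htpasswd to $2/$3 and repoint AuthUserFile at it.
# Refuses to overwrite, so two protected directories cannot collide on a name.
relocate_htpasswd() {
    protected=$1 store=$2 name=$3
    if [ ! -f "$protected/.htpasswd" ]; then
        echo "no .htpasswd in $protected" >&2; return 1
    fi
    if [ -e "$store/$name" ]; then
        echo "$store/$name already exists, choose another name" >&2; return 1
    fi
    mkdir -p "$store" &&
    cp -p "$protected/.htaccess" "$protected/.htaccess.bak" &&
    mv "$protected/.htpasswd" "$store/$name" &&
    sed "s|^\([[:space:]]*AuthUserFile[[:space:]]\).*|\1\"$store/$name\"|" \
        "$protected/.htaccess.bak" > "$protected/.htaccess"
}

# Demo on a constructed tree standing in for /home/username.
demo_home=$(mktemp -d)
site="$demo_home/yourdomain.tld"
mkdir -p "$site/private"
printf 'alice:CONSTRUCTED-HASH\n' > "$site/private/.htpasswd"
printf 'AuthType Basic\nAuthName "Private"\nAuthUserFile %s\nRequire valid-user\n' \
    "$site/private/.htpasswd" > "$site/private/.htaccess"
htpasswd_is_web_reachable "$site/private" "$site" && echo "before: inside web tree"
relocate_htpasswd "$site/private" "$demo_home/htpasswords" .htpasswdsite1
echo "after: $(auth_user_file "$site/private/.htaccess")"
rm -rf "$demo_home"
```

The web server still has to be able to read the file at its new location, so load the protected directory in a browser after the move and confirm the login prompt still accepts a known user.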
10-26-2007, 09:11 AM
Post: #9
.htaccess help please
Thanks again RL...

.htaccess is much clearer now... especially the "path" part. I will likely use various parts of the suggestions you've given me. Much appreciated!
10-26-2007, 09:12 AM
Post: #10
.htaccess help please
You are welcome, and I'm glad you found at least some of that to be useful. :)

--rlparker