Hi, We have an ISPConfig server version 3.1.2 (Apache) and have enabled folder protection on one of the sites. It has been enabled with "/" as the webroot. We have set up the folder protection user and pointed it at the correct site. I can see that the .htaccess file for the site has also been updated, so this should indicate that it is working? But it doesn't. It just displays the site instead of prompting you for login credentials. Here is the block that was added to .htaccess:
Code:
### ISPConfig folder protection begin ###
AuthType Basic
AuthName "Members Only"
AuthUserFile /var/www/clients/client4/web18/web/.htpasswd
Require valid-user
### ISPConfig folder protection end ###
Any ideas why this wouldn't be working? Thanks!
Sorry, have to give this one a bump as it has me absolutely baffled. .htaccess is updated correctly with the Basic Auth block and it is completely ignored. I have no idea why. Can anyone help? Thanks!
What else is in the .htaccess file of the site? Maybe it contains rules that override the protection.
Hi till, thanks for your reply. So, you are spot on then. The existing .htaccess has a number of iThemes Security rules in it. I moved that .htaccess out of the way and created a new one with only the basic auth block in it and it works perfectly. I tried using the original .htaccess again and moving the basic auth block to the bottom of the file but still no joy. There are multiple rewrite conditions etc. all set in iThemes, so I guess the issue must be with that rather than the ISPConfig bit. Here's a bit from the .htaccess file relating to .htaccess. Not sure what to change here, if anything?
Code:
# Protect System Files - Security > Settings > System Tweaks > System Files
<files .htaccess>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
Thanks! spawnsworth
That part is simply restricting access to the .htaccess file itself (e.g. if someone tried to access the file in their browser); unless there is a typo (e.g. missing the closing </files>, which you don't show above) it shouldn't affect the rest of the file contents. If you can't narrow the issue down, you could paste the whole file (in code blocks) and maybe someone could spot the issue.
Thanks! Please see the code below. Note I have excluded a host of RewriteCond rules as there were too many characters to allow me to paste it here. Cheers,
Code:
### ISPConfig folder protection begin ###
AuthType Basic
AuthName "Members Only"
AuthUserFile /var/www/clients/client4/web18/web/.htpasswd
require valid-user
### ISPConfig folder protection end ###
# BEGIN iThemes Security - Do not modify or remove this line
# iThemes Security Config Details: 2
# Enable HackRepair.com's blacklist feature - Security > Settings > Banned Users > Default Blacklist
# Start HackRepair.com Blacklist
RewriteEngine on
# Start Abuse Agent Blocking
RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*Indy" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*NEWT" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^$" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Maxthon$" [NC,OR]
# End Abuse Agent Blocking
# Start Abuse HTTP Referrer Blocking
RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?semalt\.com" [NC,OR]
RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?kambasoft\.com" [NC,OR]
RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?savetubevideo\.com" [NC]
# End Abuse HTTP Referrer Blocking
RewriteRule ^.* - [F,L]
# End HackRepair.com Blacklist, http://pastebin.com/u/hackrepair
# Ban Hosts - Security > Settings > Banned Users
SetEnvIF REMOTE_ADDR "^193\.201\.224\.225$" DenyAccess
SetEnvIF X-FORWARDED-FOR "^193\.201\.224\.225$" DenyAccess
SetEnvIF X-CLUSTER-CLIENT-IP "^193\.201\.224\.225$" DenyAccess
SetEnvIF REMOTE_ADDR "^141\.98\.80\.28$" DenyAccess
SetEnvIF REMOTE_ADDR "^141\.98\.80\.28$" DenyAccess
SetEnvIF X-FORWARDED-FOR "^141\.98\.80\.28$" DenyAccess
SetEnvIF X-CLUSTER-CLIENT-IP "^141\.98\.80\.28$" DenyAccess
SetEnvIF REMOTE_ADDR "^46\.118\.157\.179$" DenyAccess
SetEnvIF X-FORWARDED-FOR "^46\.118\.157\.179$" DenyAccess
SetEnvIF X-CLUSTER-CLIENT-IP "^46\.118\.157\.179$" DenyAccess
SetEnvIF REMOTE_ADDR "^141\.136\.88\.27$" DenyAccess
SetEnvIF X-FORWARDED-FOR "^141\.136\.88\.27$" DenyAccess
SetEnvIF X-CLUSTER-CLIENT-IP "^141\.136\.88\.27$" DenyAccess
<IfModule mod_authz_core.c>
<RequireAll>
Require all granted
Require not env DenyAccess
Require not ip 193.201.224.225
Require not ip 141.98.80.28
Require not ip 46.118.157.179
Require not ip 141.136.88.27
Require not ip 185.211.245.158
Require not ip 134.209.28.25
Require not ip 177.53.140.39
</RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Allow from all
Deny from env=DenyAccess
Deny from 193.201.224.225
Deny from 141.98.80.28
Deny from 46.118.157.179
Deny from 141.136.88.27
Deny from 185.211.245.158
</IfModule>
# Disable XML-RPC - Security > Settings > WordPress Tweaks > XML-RPC
<files xmlrpc.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</files>
<IfModule mod_rewrite.c>
RewriteEngine On
# Reduce Comment Spam - Security > Settings > WordPress Tweaks > Comment Spam
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_REFERER} !^https?://(([^/]+\.)?tibus\.net|jetpack\.wordpress\.com/jetpack-comment)(/|$) [NC]
RewriteRule ^.* - [F]
</IfModule>
# Protect System Files - Security > Settings > System Tweaks > System Files
<files .htaccess>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</files>
<files readme.html>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</files>
<files readme.txt>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</files>
<files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</files>
# Disable Directory Browsing - Security > Settings > System Tweaks > Directory Browsing
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
# Protect System Files - Security > Settings > System Tweaks > System Files
RewriteRule ^wp-admin/install\.php$ - [F]
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]
# Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads
RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)$ - [NC,F]
# Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings
RewriteCond %{QUERY_STRING} \.\.\/ [OR]
RewriteCond %{QUERY_STRING} \.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} https?: [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
RewriteCond %{QUERY_STRING} %24&x [NC,OR]
RewriteCond %{QUERY_STRING} 127\.0 [NC,OR]
RewriteCond %{QUERY_STRING} (globals|encode|localhost|loopback) [NC,OR]
RewriteCond %{QUERY_STRING} (concat|insert|union|declare) [NC,OR]
RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteCond %{QUERY_STRING} !^action=jetpack-sso
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
RewriteRule ^.* - [F]
</IfModule>
# END iThemes Security - Do not modify or remove this line
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
This 'Require all granted' is granting access rather than 'require valid-user' requiring login, as explained here: Try wrapping the whole file contents in RequireAll tags like:
Code:
<RequireAll>
...current file contents here...
</RequireAll>
Note you might need to maintain this .htaccess manually, e.g. when iThemes overwrites/updates what it puts in there. Maybe it will stay within the current BEGIN/END tags though and you'll be fine, but do test it or you might end up without your password requirement again.
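The merge behaviour behind this thread, shown as an added example rather than anything posted above or shipped by ISPConfig or iThemes: in Apache 2.4 (mod_authz_core), sibling Require directives and Require containers at the same configuration level are evaluated as if wrapped in an implicit <RequireAny>, so a bare "Require valid-user" next to a "<RequireAll>" whose first clause is "Require all granted" is satisfied by the granted clause alone and no credentials are ever asked for. The fix is to have exactly one top-level authorization unit, an outer <RequireAll> that contains the valid-user requirement and the IP/env exclusions. Authorization containers accept only Require directives and nested <RequireAll>/<RequireAny>/<RequireNone> blocks, so the RewriteRule, SetEnvIf and <Files> sections of the posted file stay outside it; only the Require lines move. The two variants are separate files; the paths, realm and the first banned address are taken from the thread, the rest is assumed.

```apache
# ===== Variant A (weak): what the posted file effectively does =====
# Two authorization units at the same level. Apache treats them as
# an implicit <RequireAny>, so "Require all granted" alone wins and
# "Require valid-user" never has to succeed: no 401, no login prompt.
AuthType Basic
AuthName "Members Only"
AuthUserFile /var/www/clients/client4/web18/web/.htpasswd
Require valid-user

SetEnvIF REMOTE_ADDR "^193\.201\.224\.225$" DenyAccess
<IfModule mod_authz_core.c>
<RequireAll>
    Require all granted
    Require not env DenyAccess
    Require not ip 193.201.224.225
</RequireAll>
</IfModule>

# ===== Variant B (fixed): one outer RequireAll, every clause must pass =====
# SetEnvIf, RewriteRule and <Files> blocks remain outside the container;
# only Require directives are allowed inside it. "Require all granted"
# is dropped because it is always true and adds nothing to a RequireAll.
AuthType Basic
AuthName "Members Only"
AuthUserFile /var/www/clients/client4/web18/web/.htpasswd

SetEnvIF REMOTE_ADDR "^193\.201\.224\.225$" DenyAccess
<IfModule mod_authz_core.c>
<RequireAll>
    Require valid-user
    Require not env DenyAccess
    Require not ip 193.201.224.225
</RequireAll>
</IfModule>

# Per-file denials are unaffected: a <Files> section is a narrower
# scope and replaces the directory-level authorization for that file.
<Files .htaccess>
    Require all denied
</Files>
```

To confirm the result, request the site anonymously and expect a 401 with a WWW-Authenticate: Basic realm="Members Only" header, then repeat with curl -u user:password and expect 200; a 500 after the edit means a directive landed inside the container that does not belong there, and the reason will be in the vhost error log, since apachectl -t does not parse .htaccess files.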