
htaccess - all denied but one file?

Discussion in 'Apache' started by T0PS3O, Jul 31, 2005.

  1. #1
    Hi,

    I secured an admin section by means of htaccess login. The htaccess file is in the very root of the subdomain. So any file requested pops up the login box.

    Now I just installed a traffic tracking script that requires my sites to load a .js which is located within the tree that requires a password. So any page I add the tracking code to requires authentication.

    How do I 'unblock' this one file?

    Thanks!
     
    T0PS3O, Jul 31, 2005 IP
  2. someonewhois

    #2
    I'm pretty sure you can add the authentication using <Files filename> normal code </Files>, though I'm not 100% sure.
     
    someonewhois, Jul 31, 2005 IP
  3. T0PS3O

    #3
    Not sure what you mean there.

    I currently require all access to be authorized:

    AuthUserFile /data/web/_etc.
    AuthName "Please Log On With Your Username And Password"
    AuthType Basic
    require valid-user

    This is in the root of the subdomain.

    However, this .js tracking include is in subdomain.domain/dir/dir/dir/code.js

    Can I stick another htaccess in subdomain.domain/dir/dir/dir/ that overrides the root htaccess or will the root always override deeper-level htaccess?
     
    T0PS3O, Jul 31, 2005 IP
  4. J.D.

    #4
    I don't know how to do this through Apache config (you would need to cancel Require on the lower level and I have never done this), but you could create a symbolic link to your script from a directory above. For example:

    /lib/scripts/code.js -> /protected/lib/scripts/code.js
    /protected/lib/scripts/code.js

    Also, don't put your user list in the web directory or at least protect it somehow (e.g. deny access to this file through RewriteRule).

    J.D.
     
    J.D., Jul 31, 2005 IP
  5. T0PS3O

    #5
    The user list is outside the public tree.

    So there's no way to exclude this one file from authenticated access? That sucks.

    How about excluding certain domains from having to authenticate? Might be a bit of a security hassle but it might open up other work-arounds.
     
    T0PS3O, Jul 31, 2005 IP
  6. J.D.

    #6
    I didn't say that - I said that I've never done this and don't know how to. Maybe somebody who knows Apache better than I do will still be able to help you.

    If I understand you correctly, you want to pull the script from another of your domains. I would not do this. I use symbolic links in these cases. It eliminates the duplication of files, but completely separates secure and insecure parts of the website.

    J.D.
     
    J.D., Jul 31, 2005 IP
  7. T0PS3O

    #7
    Have any links I can read up on these symbolic links? Never heard of them.

    The .js is included as follows in the footer of sites so the 'stats server' logs all requests. Similar to statcounter and all other stats/log services.

    
    <!-- phpmyvisites -->
    <script type="text/javascript">
    <!--
    var phpmyvisitesSite = 1;
    var phpmyvisitesURL = "http://www.mysite.com/admin/phpmyvisites/phpmyvisites.php";
    //-->
    </script>
    <script type="text/javascript" src="http://www.mysite.com/admin/phpmyvisites/phpmyvisites.js"></script>
    <noscript>
    </noscript>
    <!-- /phpmyvisites -->
    
    That's how the hits get recorded. With this I can monitor all my sites from one spot.

    Based on htaccess documentation I just read, could this work? (I'm not sure how the order of commands overrides or supersedes previous or following commands.)

    AuthUserFile /users/joe/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Joe's restricted directory"
    
    <Files ~ "the_file_thats_ok_to_be_accessed_unauthorized_.php">
      AuthName "Joe's super secret files"
      allow all
    <Files>
    
    require valid-user
    
    Wouldn't that say: 1. This file is OK for all but the rest requires a valid user!
     
    T0PS3O, Jul 31, 2005 IP
  8. J.D.

    #8
    They are working on the OS level. For example, you could do this:

    $ ln -s /lib/scripts/phpmyvisites.js /admin/phpmyvisites/phpmyvisites.js

    , which would create a symbolic link /admin/phpmyvisites/phpmyvisites.js to the file /lib/scripts/phpmyvisites.js. In other words, there's only one file to maintain on your hard drive (i.e. edit, etc), but it appears in two directories.

    The additional benefit of this is that you won't have to fool around with http/https prefixes - you can use relative paths all over your HTML (e.g. your link would be <script type="text/javascript" src="/admin/phpmyvisites/phpmyvisites.js">).

    That's the part I'm not sure about - in order to get to the file located deeper in the directory hierarchy, Apache will have to traverse all directories above it, which may require authentication. Anyway, just thinking aloud, like I said - never tried it :)

    J.D.
     
    J.D., Jul 31, 2005 IP
  9. T0PS3O

    #9
    With my shared hosting package I doubt I can do anything on the OS level.

    I nearly have it cracked though with this in the folder where the .js resides:

    htaccess:
    AuthUserFile /data/web/etc.
    AuthName "Please Log On With Your Username And Password"
    AuthType Basic
    
    <Files ~ "*.js">
       allow all
    <Files>
    
    <Files ~ "*.*">
       require valid-user
    <Files>

    This actually does override the .htaccess from the root and yes, I can include the .js without authentication.

    Only bug is, it gives me a 500 error if I request any of the other files in this directory.

    My reg exp is probably wrong!

    EDIT: Scrap that, I was viewing the cached version (or I cocked it up somewhere again).
     
    T0PS3O, Jul 31, 2005 IP
  10. J.D.

    #10
    Good to know. Thanks for sharing.

    Your regex is wrong, though. Should be (if you want to use regular expressions):

    <Files ~ "\.js$">

    Or you can just omit ~ and use wildcards.

    Looks like you just helped yourself :)

    J.D.
     
    J.D., Jul 31, 2005 IP
  11. T0PS3O

    #11
    I only thought I was close because I was reloading a cached page.

    Because I typed <file><files> instead of <files></files> I got a load of 500 Internal Server Errors.

    The code I have now doesn't work :(
     
    T0PS3O, Jul 31, 2005 IP
  12. J.D.

    #12
    This script you are trying to access, can you move it up the hierarchy? If you can, I would do this and change the reference to point to the new location (i.e. move it out of the protected directory).

    PM me if you don't resolve this by the end of the day and I will look into it.

    J.D.
     
    J.D., Jul 31, 2005 IP
  13. T0PS3O

    #13
    It's solved for the most part and the solution almost pisses me off!

    Instead of 'order deny, allow' I had to put 'order allow, deny'. :( :)

    So this is the working code... Root htaccess blocks all, the actual folder where the file is contains this htaccess file:

    AuthUserFile /data/web/_etc.
    AuthName "Please Log On With Your Username And Password"
    AuthType Basic
    
    <Files thefile.js>
       order allow,deny
       allow from ourdomain1.co.uk
       allow from ourdomain2.co.uk
       allow from ourdomain3.co.uk
       allow from ourdomain4.co.uk
    </Files>

    As simple as that.

    I say 'solved partly' because I can't directly access the .js myself even though it's on domain1.co.uk but included from a different subdomain of domain1.co.uk it does work.

    That's no big issue so I'll let that rest.

    Thanks for the support though!
     
    T0PS3O, Jul 31, 2005 IP
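
Added example, not posted by anyone in the thread: one way to exempt only the tracking files from the inherited Basic auth, written for both the Apache 2.2-era directives used above and for Apache 2.4. The two file names come from the include snippet in post #7; using the presence of mod_authz_core to tell 2.4 from older servers is an assumption of this example.

```apache
# .htaccess placed in the directory that holds the tracking script.
# Added example. The parent .htaccess keeps AuthType/AuthName/AuthUserFile
# and "Require valid-user"; every file not matched below still needs a login.
# The server must permit these overrides: AllowOverride AuthConfig
# (plus Limit for the Order/Allow lines in the 2.2 branch).

# The tracking snippet makes visitors' browsers request two files:
# phpmyvisites.js and phpmyvisites.php. The pattern is anchored at both ends,
# so names such as "phpmyvisites.js.bak" or "xphpmyvisites.php" stay protected.

# Apache 2.4: mod_authz_core is present.
<IfModule mod_authz_core.c>
    <FilesMatch "^phpmyvisites\.(js|php)$">
        # Replaces the inherited "Require valid-user" for these files only.
        Require all granted
    </FilesMatch>
</IfModule>

# Apache 2.2 and earlier: host-based access combined with Satisfy.
<IfModule !mod_authz_core.c>
    <FilesMatch "^phpmyvisites\.(js|php)$">
        Order allow,deny
        Allow from all
        # Satisfy Any: access is granted if EITHER the host rule OR the
        # login succeeds. The default, Satisfy All, requires both, so the
        # password prompt would remain without this line.
        Satisfy Any
    </FilesMatch>
</IfModule>
```

In the 2.2 syntax, `Allow from <hostname>` is matched against the hostname of the connecting client, found by a reverse DNS lookup on its IP address, not against the site whose page includes the script. To confirm the exemption is no wider than intended, request one of the two files and one neighbouring file without credentials: the first should return 200 and the second 401.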