Protecting admin.php, the /install directory, and test & development installations using .htaccess

[Jake B.]

@Brogan I added the code to my .htaccess for my admincp, but it says internal server error after I log in.

Check the server error log - it should have an entry related to that which may help with identifying the cause.

 

[CarpCharacin]

It says no errors have been logged.

 

[CabCon]

Hello @Brogan,
I used Using IP address based protection instead of passwd on my website and it works perfect <3 Thank you! Now I setup SSL (https) and now it won't work anymore. Everytime I try to access my admin.php it deny the access despite that the correct IP is in the htaccess file. Do you know where this problem is caused?

Regards,
CabCon.

EDIT: fixed

 

[Tattooed Theist]

would it be possible to have it redirect the person to a url of your choice?

 

[vijaichander]

@Brogan How about changing the permission of install folder and index.php?

 

[NHATKYMUA]

is it work on xf2?

 

[Chernabog]

Not bad but i recommend using this one! ( works good )

<Files admin.php>
RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_HOST} !^120\.0\.0\.1
RewriteCond %{REMOTE_HOST} !^123\.45\.56\.789
RewriteCond %{REQUEST_URI} !/index\.php$
RewriteRule .* /index.php [R=302,L]
</Files>

that way rather then giving the person and error, it just redirects them back to the home page....

please "Like" if you use!

@Martyn I guess the remote_host IPs need to be modified? I am trying to figure out a way to successfully secure my XF2 install and I don't see any add-ons for security unfortunately. When you do this, what @Brogan documented for example with creating a password file...does it then ask you for that secondary password when trying to access ACP or the /install directory?

As I sit here restoring 38K files over top my existing XF Installation because of a sudden wonky ton of healthcheck file issues and unexpected content across the board ..I am just trying to figure out best practices to secure what I can ...as I try to drill down and find out where the vulnerability existed so I can let whomever may benefit from it to know.

 

[Paul B]

does it then ask you for that secondary password when trying to access ACP or the /install directory?

Yes.

You will need to enter the auth password before the ACP page will load.

 

[Chernabog]

I am going to try that also....there's no way that someone can view the passworld file from the outside if they know absolute paths?

 

[alternadiv]

@Brogan is all of this info still up to date to work today with XF2?

Does 2FA in XF2 require you to use 2FA for admin.php on computers you haven't used before?

 

[Paul B]

htacces auth is independent of XF version and unrelated to 2FA.

 

[spyralout]

Is this suggested for live forum installs, and if so, which directories so it doesn't impede on regular forum traffic and the user experience? I would likely duplicate it for the test environment that is being set up by my hosting company.

 

[Paul B]

Yes, it's for production sites.

For test/dev installations, you can do it at the root so it covers the entire site.

 

[spyralout]

For production sites, are there recommended directories?

 

[Paul B]

That's what this guide is.

 

[Old Nick]

Hello i have no cPanel on my host so it is ok to use .htpasswd to access my ACP ?
I tried but i have a ISE 500 after

this is my .htaccess

AuthName "ACP XenForo"
AuthType Basic
AuthUserFile /lamp0/web/vhosts/cocoriweb.community/htdocs/xyz/.htpasswd
AuthGroupFile /dev/null
<Files admin.php>
require valid-user
</Files>

the .htpasswd

Myname:mypassword

When i reach the admin.php page i have a pop-up asking me login/pwd but after clicking OK button i'v got the Internal Server Error 500

 

[Black Tiger]

Using .htaccess does not have anything to do with having cPanel or not.
However, it might be on some Nginx configurations that certain .htaccess entry's won't work.

In your .htaccess you've something to much.
Remove this line

</Files>

Because I don't see a <Files admin.ph> or something similar in your .htaccess this end line may cause the error 500.
Next to that, when using a .htaccess with a .htpasswd you don't need the Files statement.

As for the .htpasswd you have to create your password with the htpasswd executable or via an online script, it's nust just that you can edit the .htpasswd and enter a password you like in there. It's encrypted.

 

[Paul B]

@nicodak try this:

<Files admin.php>
AuthType Basic
AuthName "ACP XenForo"
AuthUserFile /lamp0/web/vhosts/cocoriweb.community/htdocs/xyz/.htpasswd
AuthGroupFile /dev/null
require valid-user
</Files>

If it still throws a 500 error then check the server error log.

 

[Old Nick]

Because I don't see a <Files admin.ph> or something similar in your .htaccess this end line may cause the error 500.

There is

////
AuthName "ACP XenForo"
AuthType Basic
AuthUserFile /lamp0/web/vhosts/cocoriweb.community/htdocs/xyz/.htpasswd
AuthGroupFile /dev/null
<Files admin.php>
require valid-user
</Files>
////

As for the .htpasswd you have to create your password with the htpasswd executable or via an online script, it's nust just that you can edit the .htpasswd and enter a password you like in there. It's encrypted.

I did it here

dynamicdrive.com

www.tools.dynamicdrive.com

 

[Old Nick]

If it still throws a 500 error then check the server error log.

Same error... Where i can check the server log ?