Protecting admin.php, the /install directory, and test & development installations using .htaccess

[Old Nick]

OK this is the last entry
[Mon Feb 01 16:24:26.898792 2021] [authn_file:error] [pid 105270:tid 139733648557824] (2)No such file or directory: [client 41.214.91.37:51466] AH01620: Could not open password file: /lamp0/web/vhosts/cocoriweb.community/htdocs/pwd/.htpasswd
Why server can't open the password file ? The path seems to be good

 

[Paul B]

If the file is physically present in the file system, then it could be a permissions issue, SELinux, or something else server side.

 

[Black Tiger]

The path seems to be good

Is it? So you only used xyz to mask then?

AuthUserFile /lamp0/web/vhosts/cocoriweb.community/htdocs/xyz/.htpasswd

Try without the files and unneeded statements, like this:

AuthUserFile /lamp0/web/vhosts/cocoriweb.community/htdocs/pwd/.htpasswd
AuthName "ACP XenForo"
AuthType Basic

require valid-user

So just this, nothing more.

Next to that, I see you run a lamp server. Is that a Windows server? Windows does not do .htaccess.
Apache does, in that case you could check your apache2.conf file.

I don't know which config you have, I only use Linux dedi's and vps servers.

Check for a file, maybe like apache2.conf or /etc/apache2/sites-available/000-default.conf or something like that.
If it contains an Allowoverride statement like "AllowOverride None".
If it's none, change to All, restart apache and see if it helps.

Lie Brogan said, could also be permission or Selinux issue, hard to say from here.

 

[Old Nick]

Is it? So you only used xyz to mask then?

Finally i read my host doc and i have to put the file here /lamp0/web/vhosts/cocoriweb.community/.htpasswd
But i've got the same error...

Apache does, in that case you could check your apache2.conf file.

It's Apache

Server Settings

Server Version: Apache/2.4.43 (Unix)
Server Built: May 28 2020 14:30:24
Server loaded APR Version: 1.5.2
Compiled with APR Version: 1.5.2
Server loaded APU Version: 1.5.4
Compiled with APU Version: 1.5.4
Module Magic Number: 20120211:92
Hostname/port: 3725721.admin.sd5.gpaas.net:443
Timeouts: connection: 300    keep-alive: 5
MPM Name: event
MPM Information: Max Daemons: 2 Threaded: yes Forked: yes
Server Architecture: 64-bit
Server Root: /srv/data/.config/apache
Config File: /srv/data/.config/apache/modules/common/alias.conf
Server Built With:
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D HTTPD_ROOT="/opt/apache2-2.4.43-202005281629/"
-D SUEXEC_BIN="/opt/apache2-2.4.43-202005281629//bin/suexec"
-D DEFAULT_PIDLOG="var/run/apache2/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="etc/apache2/mime.types"
-D SERVER_CONFIG_FILE="etc/apache2/apache2.conf"

But i can't see apache2 folder in etc/
Maybe because i'm on shared hosting ?

 

[Black Tiger]

You might best ask your host in this case.
What is he using, can it be a mod_security issue, an allowoverride limitation or due to nginx configuration.
Hard to say. And to be fair, as said I never used lamp.

 

[Old Nick]

Thanks for your help @Black Tiger i will see with my host

 

[Lucandi]

This is something very good but I have a question about IP. IP address changes all the time, if I do not use the internet my old IP will go to someone else and I will get someone else's IP when I am out on the internet again. Or is it me who's wrong?

 

[Paul B]

If you don't have a static IP address, don't use IP address protection.

 

[Rebug]

Please assist me guys...

I've followed all the steps and everything works except when the prompt pops up on mydomain/admin.php and i type in my password found in psswds and the username as ACP nothing works it just tell me to login again? Have i missed something. I believe i must do something wrong when it comes to the password or username

 

[Paul B]

If you enter incorrect log in credentials then you would get a 401 unauthorised error.

If the page is just reloading that sounds like something else.

I have just checked the site listed against your license and I don't get the auth prompt.

 

[Rebug]

If you enter incorrect log in credentials then you would get a 401 unauthorised error.

If the page is just reloading that sounds like something else.

I have just checked the site listed against your license and I don't get the auth prompt.

I removed since it didn't work do you want me to add it back?

 

[Paul B]

I note that you have cPanel so it should be fairly straightforward to implement using the Directory Privacy app.

Contact your host if it still doesn't work using that.

 

[Rebug]

I note that you have cPanel so it should be fairly straightforward to implement using the Directory Privacy app.

Contact your host if it still doesn't work using that.

I did but they don't understand the issue. Is there any other solution, perhaps you could help me using teamviewer? Really want this to work I've done everything but as you said when I attempt to login it just refresh... where is the pswdss folder suppose to be? in public_html where xenforo is installed? Please help.

The only thing that works is using the IP method. guess that's more secure anyway. i´ll be using that.

 

[billmatic]

I used the .htaccess snippet in the first post and it works like a charm, however I noticed if I attempt to access admin.php from my mobile device I get a 404. Mobile access works fine when commenting out the block. Any idea why it would behave differently on mobile than it does on desktop? Is it just a matter of mobile not supporting basic auth?

 

[Paul B]

It's device independent.

A 404 is a not found error so confirm the URL your mobile is trying to load.

If it is the actual admin.php URL then you likely need to speak to your host to investigate.

 

[sainthedev]

Hey Guys,
So I have installed xenforo latest version
So I had htaccess.txt I renamed it to .htacess
However I modified it as shown in the instructions in this thread and it is still not working?
I am using digital ocean to host my droplet?
Thank you.

 

[Paul B]

Brogan updated Protecting admin.php, the install directory, and test & development installations using .htaccess with a new update entry:

Now with added test and development installation goodness

Updated the main resource with a section on protecting test and development installations.

Read the rest of this update entry...

 

[Wildcat Media]

This is a little off-topic but related to htaccess server passwords.

Is there any utility out there (need not be XF-related) that lets users change their own passwords? We keep the test forum behind an htaccess password and invariably, someone forgets theirs. I end up having to go generate a new password on the command line. I do this because all staff has access to the test forum (and in admin.php soon as well), but when someone leaves the staff, we remove their htaccess login info.

Years ago there was a PHP script that let users modify passwords, yet they could edit anyone's password, not just their own...and that, too, had to be protected behind the same login password they were looking to change. I didn't know if there was some sort of "self-service" script out there where staff could reset their own passwords if they forgot them.

 

[sross]

Is this really necessary if you have a strong password and 2fa?

 

[olgert zerbaska]

Is this really necessary if you have a strong password and 2fa?

Yes, if they don't add this password you wont accept any kind of attack at admin
They can't even see the admin login page if they don't know the code of .htpasswd