Folder Protection is being ignored?

Discussion in 'General' started by Spawnsworth, Mar 26, 2019.

  1. Spawnsworth

    Spawnsworth Member

    Hi,
    We have an ISP Config server version 3.1.2 (Apache) and have enabled folder protection on one of the sites. It has been enabled with"/" as the webroot. We have set up the folder protection User and pointed it at the correct site.

    I can see that the .htaccess file for the site has also been updated, so this should indicate that it is working? But it doesn't. It just displays the site instead of prompting you for login credentials. Here is the block that was added to .htaccess....

    ### ISPConfig folder protection begin ###
    AuthType Basic
    AuthName "Members Only"
    AuthUserFile /var/www/clients/client4/web18/web/.htpasswd
    Require valid-user
    ### ISPConfig folder protection end ###

    Any ideas why this wouldn't be working?


    Thanks!
     
  2. Spawnsworth

    Spawnsworth Member

    Sorry have to give this one a bump as it has me absolutely baffled. .htaccess is updated correctly with the Basic Auth block and it is completely ignored. I have no idea why :( Can anyone help?

    Thanks!
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    What else is in the .htaccess file of the site? Maybe it contains rules that override the protection.
     
  4. Spawnsworth

    Spawnsworth Member

    Hi till, thanks for your reply.

    So, you are spot on then. The existing .htaccess has a number of iThemese Security rules in them. I moved that .htaccess out of the way and created a new one with only the basic auth block in it and it works perfectly.

    I tried using the original .htaccess again and moving the basic auth block to the bottom of the file but still no joy. There are multile rewrite conditions etc all set in iThemes, so I guess the issue must be with that rather than the ISP Config bit.

    Here's a bit from the .htaccess file relating to .htaccess. Not sure what to change here if anything?

    # Protect System Files - Security > Settings > System Tweaks > System Files
    <files .htaccess>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
    </IfModule>


    Thanks!

    spawnsworth
     
  5. Jesse Norell

    Jesse Norell Well-Known Member

    That part is simply restricting access to the .htaccess file itself (eg. if someone tried to access the file in their browser), unless there is a typo (eg. missing the closing </files>, which you don't show above) it shouldn't affect the rest of the file contents. If you don't narrow the issue down, you could paste the whole file (in code blocks) and maybe someone could spot the issue.
     
  6. Spawnsworth

    Spawnsworth Member

    Thanks!

    Please see code below. Note I have excluded a host of RewriteCond rules as there were too many characters to allow me to paste it here.

    Cheers,

    -------------------------------------------------------------------------------------

    ### ISPConfig folder protection begin ###
    AuthType Basic
    AuthName "Members Only"
    AuthUserFile /var/www/clients/client4/web18/web/.htpasswd
    require valid-user
    ### ISPConfig folder protection end ###

    # BEGIN iThemes Security - Do not modify or remove this line
    # iThemes Security Config Details: 2
    # Enable HackRepair.com's blacklist feature - Security > Settings > Banned Users > Default Blacklist
    # Start HackRepair.com Blacklist
    RewriteEngine on
    # Start Abuse Agent Blocking
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*Indy" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*NEWT" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^$" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Maxthon$" [NC,OR]
    # End Abuse Agent Blocking

    # Start Abuse HTTP Referrer Blocking
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?semalt\.com" [NC,OR]
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?kambasoft\.com" [NC,OR]
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?savetubevideo\.com" [NC]
    # End Abuse HTTP Referrer Blocking
    RewriteRule ^.* - [F,L]
    # End HackRepair.com Blacklist, http://pastebin.com/u/hackrepair

    # Ban Hosts - Security > Settings > Banned Users
    SetEnvIF REMOTE_ADDR "^193\.201\.224\.225$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^193\.201\.224\.225$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^193\.201\.224\.225$" DenyAccess

    SetEnvIF REMOTE_ADDR "^141\.98\.80\.28$" DenyAccess
    SetEnvIF REMOTE_ADDR "^141\.98\.80\.28$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^141\.98\.80\.28$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^141\.98\.80\.28$" DenyAccess

    SetEnvIF REMOTE_ADDR "^46\.118\.157\.179$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^46\.118\.157\.179$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^46\.118\.157\.179$" DenyAccess

    SetEnvIF REMOTE_ADDR "^141\.136\.88\.27$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^141\.136\.88\.27$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^141\.136\.88\.27$" DenyAccess


    <IfModule mod_authz_core.c>
    <RequireAll>
    Require all granted
    Require not env DenyAccess
    Require not ip 193.201.224.225
    Require not ip 141.98.80.28
    Require not ip 46.118.157.179
    Require not ip 141.136.88.27
    Require not ip 185.211.245.158
    Require not ip 134.209.28.25
    Require not ip 177.53.140.39

    </RequireAll>

    </IfModule>
    <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Deny from env=DenyAccess
    Deny from 193.201.224.225
    Deny from 141.98.80.28
    Deny from 46.118.157.179
    Deny from 141.136.88.27
    Deny from 185.211.245.158

    </IfModule>

    # Disable XML-RPC - Security > Settings > WordPress Tweaks > XML-RPC
    <files xmlrpc.php>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
    </IfModule>
    </files>

    <IfModule mod_rewrite.c>
    RewriteEngine On

    # Reduce Comment Spam - Security > Settings > WordPress Tweaks > Comment Spam
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{HTTP_REFERER} !^https?://(([^/]+\.)?tibus\.net|jetpack\.wordpress\.com/jetpack-comment)(/|$) [NC]
    RewriteRule ^.* - [F]
    </IfModule>

    # Protect System Files - Security > Settings > System Tweaks > System Files
    <files .htaccess>
    <IfModule mod_authz_core.c>
    Require all allow
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
    </IfModule>
    </files>
    <files readme.html>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
    </IfModule>
    </files>
    <files readme.txt>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
    </IfModule>
    </files>
    <files wp-config.php>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
    </IfModule>
    </files>

    # Disable Directory Browsing - Security > Settings > System Tweaks > Directory Browsing
    Options -Indexes

    <IfModule mod_rewrite.c>
    RewriteEngine On

    # Protect System Files - Security > Settings > System Tweaks > System Files
    RewriteRule ^wp-admin/install\.php$ - [F]
    RewriteRule ^wp-admin/includes/ - [F]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
    RewriteRule ^wp-includes/theme-compat/ - [F]

    # Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads
    RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)$ - [NC,F]

    # Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings
    RewriteCond %{QUERY_STRING} \.\.\/ [OR]
    RewriteCond %{QUERY_STRING} \.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
    RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} ftp: [NC,OR]
    RewriteCond %{QUERY_STRING} https?: [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
    RewriteCond %{QUERY_STRING} %24&x [NC,OR]
    RewriteCond %{QUERY_STRING} 127\.0 [NC,OR]
    RewriteCond %{QUERY_STRING} (globals|encode|localhost|loopback) [NC,OR]
    RewriteCond %{QUERY_STRING} (concat|insert|union|declare) [NC,OR]
    RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
    RewriteCond %{QUERY_STRING} !^loggedout=true
    RewriteCond %{QUERY_STRING} !^action=jetpack-sso
    RewriteCond %{QUERY_STRING} !^action=rp
    RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
    RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
    RewriteRule ^.* - [F]
    </IfModule>
    # END iThemes Security - Do not modify or remove this line

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress
     
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You forgot the CODE blocks.
     
  8. Jesse Norell

    Jesse Norell Well-Known Member

    This 'Require all granted' is granting access rather than 'require valid-user' requiring login as explained here:
    Try wrapping the whole file contents in RequireAll tags like:
    Code:
    <RequireAll>
    ...current file contents here...
    </RequireAll>
    
    Note you might need to maintain this .htaccess manually, eg. when ithemes overwrites/updates what it puts in there. Maybe it will stay within the current BEGIN/END tags though and you'll be fine, but do test it or you might end up without your password requirement again.
     
  9. Jesse Norell

    Jesse Norell Well-Known Member

    Looks like that was probably temporary testing, you probably want to switch that back to deny.
     
  10. Spawnsworth

    Spawnsworth Member

    This is fantastic thank you!
     

Share This Page