
[SOLVED] Password protected directory gives 404

Posted: Tue Dec 03, 2013 3:21 pm
by Yogibear
Hello,

I am trying to password protect my admin directory. When I protect the directory (using cpanel) instead of prompting me for a username/password, it just gives a 404.

I have tried using cpanel to protect a directory on a different account (but on the same server) and it works as expected.

If I remove the main .htaccess file within the root of the CMSMS installation, the password protection works properly.

So it looks like the main .htaccess within the root of CMSMS is overriding the .htaccess which cpanel creates within the protected directory and this messes up the password protection.

So, I would like to try and change the main CMSMS .htaccess so that all works properly, but I'm not much of a .htaccess kind of person.

Does anyone know what changes I could make to this .htaccess to solve this problem?

Any help is much appreciated.

My .htaccess is here:

Code:

# Attempt to override some php settings, these settings may be helpful on some hosts if your
# default configuration does not meet CMS's minimum requirements, and your host
# has given your account appropriate permissions
#php_value upload_max_filesize "10M"
#php_value session_save_path "tmp/cache"

#php_flag magic_quotes_gpc Off
#php_flag register_globals Off
#php_flag session.use_trans_sid Off

# This is important, so uncomment if your host permits
Options -Indexes
ServerSignature Off
#php_value session.cookie_httponly true

#Options +FollowSymLinks

# To prevent E_STRICT problems with PHP 5.3+ you can uncomment the following lines
# Note: These settings should only be enabled for production sites!
#php_flag display_startup_errors 0
#php_flag display_errors 0
#php_flag html_errors 0
#php_value docref_root 0
#php_value docref_ext 0

<IfModule mod_rewrite.c>
RewriteEngine on
#
#Sub-dir e.g: /cmsms
RewriteBase /

# 301 Redirect all requests that don't contain a dot or trailing slash to
# include a trailing slash
# but ignore POST requests.
#RewriteCond %{REQUEST_URI} !/$
#RewriteCond %{REQUEST_URI} !\.
#RewriteCond %{REQUEST_METHOD} !POST$
#RewriteRule ^(.*) %{REQUEST_URI}/ [R=301,L]

# Rewrites urls in the form of /parent/child/
# but only rewrites if the requested URL is not a file or directory
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA]
</IfModule>

<IfModule mod_headers.c>
# Disable ETags
Header unset ETag
FileEtag None
# For Security
Header set X-Frame-Options "SAMEORIGIN"
</IfModule>

<IfModule mod_deflate.c>
# Compress css, plaintext, xml, gif, and images in transport.
AddOutputFilterByType DEFLATE text/css text/plain text/xml image/gif image/jpeg image/png
</IfModule>

<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
# Set expires tags on various file types... so that the browser won't attempt to reload them.
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/ico "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType video/x-flv "access plus 1 year"
ExpiresByType application/pdf "access plus 1 year"
ExpiresByType application/x-shockwave-flash "access plus 1 year"
ExpiresByType application/javascript "access plus 1 month"
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType text/css "access plus 1 month"
<IfModule mod_headers.c>
  # Setting cache control to public allows proxy servers to cache the items too.
  Header set Cache-Control "public"
</IfModule>
</IfModule>

Re: Password protected directory gives 404

Posted: Tue Dec 03, 2013 3:48 pm
by staartmees
To secure your admin-section and your cmsms, please read http://docs.cmsmadesimple.org/general-i ... ring-cmsms

Re: Password protected directory gives 404

Posted: Tue Dec 03, 2013 4:15 pm
by Yogibear
Thanks for the reply.

So are you saying that password protection isn't recommended for the admin folder?

(I already renamed the admin folder, but I would also really like to password protect the folder for added protection).

Re: Password protected directory gives 404

Posted: Tue Dec 03, 2013 4:31 pm
by staartmees
I wouldn't recommend it. In case of an upgrade you have to remove the password-protection.

Re: Password protected directory gives 404

Posted: Tue Dec 03, 2013 7:44 pm
by Yogibear
Ok thanks for your recommendation. That doesn't really seem like a good enough reason for not being as secure as possible. It's easy enough to remove the password protection and add it again after any upgrades.

I'm still interested to hear if anyone has a workaround for this.

Thanks

Re: Password protected directory gives 404

Posted: Tue Dec 03, 2013 8:29 pm
by velden
staartmees wrote: I wouldn't recommend it. In case of an upgrade you have to remove the password-protection.

Why is that?

@TS: what do the access.log and error.log tell you?

Re: Password protected directory gives 404

Posted: Wed Dec 04, 2013 9:41 am
by Yogibear
Hi Velden,

I checked the error and access logs.

There is no entry in the error log - presumably because CMSMS is serving that 404 page rather than apache.

The access log says 404.

I have another server with the exact same website and the password protection there works - same .htaccess files, same everything.

I'm wondering if there is a difference in the setup of Apache between the two servers that means they treat the Rewrite conditions and rules differently.

Re: Password protected directory gives 404

Posted: Wed Dec 04, 2013 10:19 am
by scooper
We had a similar problem a while back which was caused by not having a 401 error document ... I forget exactly what the issue was but it was something to do with the htaccess forcing a 401 (authorisation required) request back to the client which then gets rewritten by the rewrite rules and you end up with a 404.... or something.

Anyway - we solved it just by dropping a file called 401.html into the server root (we also added ones for 403.html 403.shtml and 404.html just to be sure). That meant we weren't getting the 404 error and the password protection proceeded as it should.

It's possible that the other server you have that works has a 401 error document specified already... or of course it might be something completely different, but this worked for us.

s.

Re: Password protected directory gives 404

Posted: Thu Dec 05, 2013 10:10 am
by Yogibear
Thanks for that. I tried adding 401.html, 403.html, 404.html files but that didn't seem to do it.

I also checked some other sites of mine and it seems to be a problem just with cpanel. I have other sites where the servers are running PLESK and Webmin and I don't have this problem on those.

I checked on the cpanel forums and Wordpress developers have had similar problems which the cpanel support staff just palmed off as wordpress problems.

Re: [SOLVED] Password protected directory gives 404

Posted: Mon Dec 09, 2013 6:32 pm
by Yogibear
I managed to find a solution which was similar to yours scooper.

After cPanel created the .htaccess file within the admin directory, I edited the file to add the following line to the top of the file:

Code:

ErrorDocument 401 default

That's it! Works fine now.

Re: [SOLVED] Password protected directory gives 404

Posted: Mon Sep 29, 2014 12:19 am
by rotezecke
I had the same problem. The fix in my case: adding a file to root named

Code:

401.shtml
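
The two fixes reported above (the `ErrorDocument 401 default` line and the `401.shtml` file), shown in context as an added example that is not from any poster in this thread. The `AuthName` text and `AuthUserFile` path are placeholders, and the server-wide `ErrorDocument 401 /401.shtml` setting is an assumption consistent with the last post.

```apache
# admin/.htaccess (constructed example; AuthName and AuthUserFile are
# placeholders, not values from the thread)

# Fix 1: serve Apache's built-in 401 body instead of an inherited custom
# error document (assumed: a server-wide "ErrorDocument 401 /401.shtml").
# Without this line Apache makes an internal request for /401.shtml.
# If that file does not exist, the catch-all rule in the root .htaccess
#   RewriteCond %{REQUEST_FILENAME} !-f
#   RewriteCond %{REQUEST_FILENAME} !-d
#   RewriteRule ^(.+)$ index.php?page=$1 [QSA]
# hands the request to the CMS, which answers with its own 404 page, so
# the browser never shows the username/password prompt.
ErrorDocument 401 default

# Basic authentication block of the kind a control panel writes.
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile "/home/EXAMPLEUSER/.htpasswds/admin/passwd"
Require valid-user

# Fix 2 (alternative, no change to this file): create a real 401.shtml
# in the document root. The "!-f" condition above then fails for the
# error document, the rewrite rule is skipped, and the 401 reaches the
# browser unchanged.
```

After either change, a request to the protected directory without credentials should return status 401 with a `WWW-Authenticate: Basic` header rather than 404.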