osCommerce

How to protect with .htaccess and .htpasswd


RedHeron


After installing osCommerce, the admin directory is not yet password-protected. The team can't simply ship a default .htaccess file, because osCommerce has to work on servers that aren't Apache.

 

You need to create one yourself.

 

The first step is to create your password file. Assuming that Apache Server is installed in a directory called "Apache" in the root of the C drive, and that osCommerce is installed in the "catalog" directory in the root of the server's document directory (htdocs), here's a command that you can execute:

 

cd /Apache/bin

 

This will put you into the directory with all of the executable files. The next command will create your user called [username] with the password [password] (the -b flag takes the password from the command line; without it, htpasswd prompts for the password and rejects the extra argument):

 

htpasswd -cb C:\Apache\htdocs\catalog\admin\.htpasswd [username] [password]

 

This creates the user file. Not too difficult. The next part is rather difficult, however. You need to create a file called .htaccess in the same directory, but you can't simply create a file that begins with a period in Windows. You have to either do this from the command line or copy an existing .htaccess file.

 

We'll assume the more difficult case, creating a new file. First, open the admin/ directory in a Windows Explorer window. That's right, not the command line. Then, in the command line window, change to the same directory that the Explorer window shows. In this case, it will be:

 

cd C:\Apache\htdocs\catalog\admin

 

You should be there now. Next, right-click on any white space (non-file area) in the window and a pop-up menu will come up. Go to "New". Alternately, if you can't get this to work or if it's easier for you, you may use the File menu, select "New", and you'll have the same list of options as the other way.

 

Select "Text Document" from the list (which should be in alphabetical order...), and then you'll have a new file called New Text Document.txt (and don't worry if the .txt isn't there, some settings prevent it from being seen). Rename this to x.txt (or just x if you don't see the .txt) and then go to the command line window.

 

From the command line, you should be in the admin directory. Type the following command:

 

rename x.txt .htaccess

 

You now have an empty file called .htaccess. The next step is pretty easy.

 

If you are using a copied .htaccess file, here is where you want to start paying attention again.

 

Open the .htaccess file in your favorite text editor. Notepad is fine, as is Wordpad (but in Wordpad you're going to want to add an extra return at the end).

 

IMPORTANT: Do not use a word processor, such as MS-Word or Corel WordPerfect. These will add funky little invisible garbage characters onto the end of the file and Apache Server will be unable to parse it.

 

At the end of the file (or, if you are using a new file, at the beginning... not that it matters, since an empty file ends where it begins), you will want to add the following lines:

 

AuthType Basic
AuthName "Restricted Access"
# Use the full path: Apache resolves a relative AuthUserFile against ServerRoot, not against this directory
AuthUserFile "C:/Apache/htdocs/catalog/admin/.htpasswd"
Require valid-user

 

Save, close, and you're done with that! Now let's move on to the final step.

 

The final step involves the Apache configuration file. You won't need the command line for this one. If you type EXIT it will close the window. You will need to go to the following directory, though:

 

C:\Apache\conf\

 

Next, locate the file called httpd.conf in that folder. This file tells the Apache Server how to behave. The stock configuration disallows .htaccess overrides, so we need to change that setting. Open the file in a text editor and scroll down until you find this section:

 

<Directory />
   Options FollowSymLinks
   AllowOverride None
</Directory>

 

This should be about a fourth to a third of the way through the document. Change the word None to the word AuthConfig (yes, the capital letters are important), save it, close it, and you now have a secured directory.

 

Simply restart your server, and you should be good to go!

 

Mind you, there is NO SUCH THING as absolute security. Security is relative. Bad security is often worse than no security, so if you don't understand how something works then don't mess with it!

 

This was what I did, and it works great. If you find something else, please feel free to post it.

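As an added example (not part of RedHeron's post), here is a small Python script that reproduces the two files the procedure builds, so you can check your work offline: it writes .htpasswd entries in the {SHA} format that `htpasswd -s` produces, verifies a username/password pair against them the way a Basic-auth check would, and renders the .htaccess with an absolute AuthUserFile. The path C:/Apache/htdocs/catalog/admin and the user/password values are constructed demo values.

```python
import base64
import hashlib
import hmac

# Constructed demo value (assumption, not taken from the original post).
ADMIN_DIR = "C:/Apache/htdocs/catalog/admin"


def htpasswd_sha_entry(user: str, password: str) -> str:
    """Build one .htpasswd line in the format `htpasswd -s` writes:
    user:{SHA}base64(sha1(password))."""
    if ":" in user:
        raise ValueError("username may not contain ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def verify_htpasswd(htpasswd_text: str, user: str, password: str) -> bool:
    """Find the user's line, recompute the {SHA} value for the supplied
    password and compare in constant time. Unknown user -> False."""
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        if name != user:
            continue
        if not stored.startswith("{SHA}"):
            return False  # apr1/bcrypt entries need their own verifier
        expected = htpasswd_sha_entry(user, password).partition(":")[2]
        return hmac.compare_digest(stored, expected)
    return False


def htaccess_for(admin_dir: str) -> str:
    """Render the .htaccess from the post. AuthUserFile is absolute because
    Apache resolves a relative path against ServerRoot, not this directory."""
    return (
        "AuthType Basic\n"
        'AuthName "Restricted Access"\n'
        f'AuthUserFile "{admin_dir}/.htpasswd"\n'
        "Require valid-user\n"
    )


if __name__ == "__main__":
    entry = htpasswd_sha_entry("admin", "correct horse")  # demo credentials
    print(entry)
    print(verify_htpasswd(entry, "admin", "correct horse"))  # True
    print(htaccess_for(ADMIN_DIR))
```

Unsalted SHA-1 is used here only because it is the simplest htpasswd format to reproduce; on Apache 2.4 prefer `htpasswd -B` (bcrypt) for real credentials.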
