Cannot get working: password directory protected

guy
29 May 2016, 11:40
One of my VirtualHosts is a dev website, so I'm not willing to make it publicly available, and I would like it to be password directory protected.

But after doing the below, and trying multiple variants with restarting hiawatha each time, I can still access this website directory without needing to log in.

Here is what I've done:

I created a .hiawatha file located at the root of the website I want to be password directory protected, with this content:

root:my-password-here

and here is an extract of my hiawatha.conf file:
Directory {
DirectoryID = devbillsecured
Path = /home/dev-blesta/public_html
PasswordFile = basic:/home/dev-blesta/public_html/.hiawatha
}

VirtualHost {
Hostname = my-website.com, www.my-website.com
WebsiteRoot = /home/dev-blesta/public_html
AccessLogfile = /var/log/hiawatha/my-website.com/access.log
ErrorLogfile = /var/log/hiawatha/my-website.com/error.log
StartFile = index.php
UseDirectory = devbillsecured
TimeForCGI = 60
UseFastCGI = PHP5
CustomHeader = X-Frame-Options: sameorigin
CustomHeader = Vary: Accept-Encoding
RandomHeader = 64
UseToolkit = wordpress
EnforceFirstHostname = yes
PreventXSS = yes
PreventCSRF = yes
PreventSQLi = yes
}
Fred
29 May 2016, 16:56
Hi Guy,
I think you've done it wrong.
Here is what I do and it works for me.
Generate the password using the wigwam tool
wigwam -d root my-password-here

Copy the string displayed on the screen to a file /usr/local/etc/admin.pswd (this can be whatever path you want)
Then create .hiawatha with
.hiawatha
StartFile = index.php
PasswordFile = basic:/usr/local/etc/admin.pswd


You're done,
you should be prompted for a password.

Note: From my experience .hiawatha doesn't require a restart of hiawatha

Hope this helps
Fred
guy
29 May 2016, 18:16
Thanks Fred,

I think I'm now closer to getting it working; the authentication popup now comes up fine,

but the issue now is that after filling in user/password, the popup comes back again. I cannot get past it, maybe it's a loop?

Here is what I have done:

I removed my above Directory function in my hiawatha config file.

I created the string for the pswd file with "wigwam -d user password" (for digest) or wigwam -b user password (for basic)

and added this in my VirtualHost within the hiawatha config file:

UseLocalConfig = yes
---------

Below is the only content of the .hiawatha file located at the root of the given website:
-------------
PasswordFile = basic:/home/dev-blesta/root.pswd
--------------
or
-------
PasswordFile = digest:/home/dev-blesta/root.pswd
-----------

I even checked the file permissions of the root.pswd file; it was 644 and I increased it, but it changed nothing.
Fred
29 May 2016, 22:17
I never managed to get digest to work... so that's why I have an example for basic.

Could you post your full config?
Note: you cannot use digest if you ran
wigwam -d root my-password-here
guy
30 May 2016, 08:09
Thanks,

In another post, Hugo said:

wigwam -d root my-password-here

is for digest (using the -d flag)

and

wigwam -b root my-password-here

is for basic (using the -b flag)

I tried all combinations, but still cannot get it to work. I have the login popup form, but it always comes back again after submitting the login credentials.

Here is my config
# Hiawatha main configuration file
#

# VARIABLES
# With 'set', you can declare a variable. Make sure the name of the
# variable doesn't conflict with any of the configuration options.
# The variables are case-sensitive and cannot be redeclared.
#

set LOCALHOST = 127.0.0.0/8

# GENERAL SETTINGS
#
ServerId = www-data
ConnectionsTotal = 1000
ConnectionsPerIP = 65
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log

# BINDING SETTINGS
# A binding is where a client can connect to.
#

Binding {
Port = 80
}

#Binding {
# Port = 443
# TLScertFile = ssl/hiawatha.pem
# Interface = 127.0.0.1
# MaxRequestSize = 2048
# TimeForRequest = 30
#}

# BANNING SETTINGS
# Deny service to clients who misbehave.
#
#BanOnGarbage = 300
#BanOnMaxPerIP = 60
#BanOnMaxReqSize = 300
#KickOnBan = yes
#RebanDuringBan = yes

# COMMON GATEWAY INTERFACE (CGI) SETTINGS
# These settings can be used to run CGI applications.
#
#CGIhandler = /usr/bin/perl:pl
#CGIhandler = /usr/bin/php-cgi:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
#CGIextension = cgi
#

FastCGIserver {
FastCGIid = PHP5
ConnectTo = /var/run/php5-fpm.sock
Extension = php
}

# URL TOOLKIT
# This URL toolkit rule was made for the Banshee PHP framework,
# which can be downloaded from http://www.banshee-php.org/
#

UrlToolkit {
ToolkitID = wordpress
Match \.(php|phtml|xml|pdt|htaccess|hiawatha) DenyAccess ## very important to prevent direct wget / download access to files
RequestURI exists Return
Match .*\?(.*) Rewrite /index.php?$1
Match .* Rewrite /index.php
}

# DIRECTORY SETTINGS
# You can specify some settings per directory.
#

# DEFAULT WEBSITE
# It is wise to use your IP address as the hostname of the default website
# and give it a blank webpage. By doing so, automated webscanners won't find
# your possible vulnerable website.
#
Hostname = 127.0.0.1
WebsiteRoot = /var/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/default/access.log
ErrorLogfile = /var/log/hiawatha/default/error.log

# VIRTUAL HOSTS
# Use a VirtualHost section for each website you want to host.
#

VirtualHost {
Hostname = my-website.com, www.my-website.com
WebsiteRoot = /home/my-website/public_html
AccessLogfile = /var/log/hiawatha/my-website.com/access.log
ErrorLogfile = /var/log/hiawatha/my-website.com/error.log
StartFile = index.php
UseLocalConfig = yes
TimeForCGI = 60
UseFastCGI = PHP5
CustomHeader = X-Frame-Options: sameorigin
CustomHeader = Vary: Accept-Encoding
RandomHeader = 64
UseToolkit = wordpress
EnforceFirstHostname = yes
PreventXSS = yes
PreventCSRF = yes
PreventSQLi = yes
}

and in the .hiawatha file located in the folder /home/my-website/public_html/:
PasswordFile = basic:/home/dev-blesta/root.pswd
Hugo Leisink
30 May 2016, 20:41
Move the PasswordFile option from the Directory{} block to the VirtualHost{} block and remove the Directory{} entirely. Since Hiawatha v10.0, the path in a Directory{} block is handled as relative to the WebsiteRoot, not as a full path on the disk of the server.
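
An added example, not part of the original posts and not Hiawatha's own code: a small Python linter that parses the `Name { ... }` blocks of a hiawatha.conf and flags the Directory{} usage described in the reply above (a Path that repeats the WebsiteRoot as a disk path), plus a PasswordFile stored under a WebsiteRoot. The function names and finding labels are hypothetical, the second check is an added hardening check rather than something the thread states, and the sample is constructed from the excerpt in the first post.

```python
import posixpath
import re
# Constructed sample: the Directory/VirtualHost excerpt from the first post.
SAMPLE = """\
Directory {
    DirectoryID = devbillsecured
    Path = /home/dev-blesta/public_html
    PasswordFile = basic:/home/dev-blesta/public_html/.hiawatha
}
VirtualHost {
    WebsiteRoot = /home/dev-blesta/public_html
    UseDirectory = devbillsecured
}
"""

def parse_blocks(text):
    """Return [(section, {option: value})] for every uncommented 'Name { ... }' block."""
    blocks = []
    for name, body in re.findall(r"^\s*(\w+)\s*\{(.*?)^\s*\}", text, re.M | re.S):
        opts = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                opts[key.strip().lower()] = value.strip()
        blocks.append((name.lower(), opts))
    return blocks

def inside(path, root):
    """True if path equals root or lies beneath it, after normalising '..' parts."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def lint(text):
    """Return the list of finding labels (hypothetical names) for a config text."""
    blocks = parse_blocks(text)
    roots = [o["websiteroot"] for n, o in blocks if n == "virtualhost" and "websiteroot" in o]
    findings = []
    for name, opts in blocks:
        # Per the reply above: since v10.0 a Directory Path is relative to WebsiteRoot.
        if name == "directory" and any(inside(opts.get("path", ""), r) for r in roots):
            findings.append("directory-path-is-disk-path")
        if "passwordfile" in opts:
            pw_path = opts["passwordfile"].split(":", 1)[-1]  # drop "basic:" / "digest:"
            if any(inside(pw_path, r) for r in roots):
                findings.append("passwordfile-inside-websiteroot")
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE))
```
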
guy
31 May 2016, 15:26
Thanks Hugo, I did it but still cannot get it to work. Your instructions were precise; I even tried different variants, and also checked the webserver manual, but found the latter slightly lacking in explanation about "group".

Never mind, instead I restricted directory access to my home IP, and checked both ways of access, 1/ from home or 2/ through a proxy to hide my IP, and it works fine.

So using that way is fine for me for what I wanted to accomplish.


Hiawatha is fine & flexible, my test is positive.

Before, for my dev platform, I had many issues getting nginx or apache to work with different PHP versions (PHP5, PHP7) depending on the virtual host, and I had internal request timeouts, while this worked fine directly with hiawatha!
This topic has been closed.