Rapidweaver resource location after publishing not password protected

Hi,

I can't say I am very experienced with RapidWeaver, so here is my question.
On my website I have a members section which is ‘behind’ Joe Workman’s safe page and this is hence password protected. However all resources which are also in this password protected part of my site are just published in the main resource folder on my ftp server and these can be found by anyone by just typing my website/resources/filename. Hence these resources are not password protected.
Can anyone advise how I can protect these resources from being publicly available?

Regards,
Eelco

Hello Eelco,
Is there a specific file (or file type) that you’re trying to protect within your resource folder?

Pdf, xlsx, pptx typically. Quite a few of them.

Got it. Makes sense. I’ve never specifically done this though several ideas come to mind. I suspect there is a more direct/easy method directly within rapidweaver…hopefully others will share so we both may learn. That said. One solution would be to password protect your actual files and simply share that password with your users on your protected page. One could also use a third party service such as google drive, or drop box etc. then use those links in your RW page. You could also create a new directory on your web server (and protect it…I believe there are several ways to do this htaccess among others) and once again use those links for your files. I suspect there are several stack based approaches (and cms platforms…like joe workman’s total cms) that would also offer the desired results. I’m interested to hear from others.

One other suggestion, since you’re using Joe’s PageSafe, is to post this question over at the Weaver’s Space community (tag @joe Workman) for their suggested best practice.

Perhaps I’m oversimplifying this but couldn’t you just drop a blank index.html file into the published resources folder on your server? That way entering example.com/resources would show that index.html file and not a directory of the folder?

Adam good suggestion however I think the issue would still exist if an “unauthorized” user typed in a specific file name they would have access. For instance: http://example.com/resources/examplefile.pdf

I get that but wonder, without a directory list, what are the chances of someone stumbling on the correct file name?

True they could inspect the element once loaded in a page but what is really the downside to them having direct access to a file they’re already seeing in a browser?

Adam, all valid points/questions. I don’t have those answers for the poster’s needs.

It depends on how sensitive the data is that you are trying to hide.

Very sensitive data shouldn’t be stored on a front-end web server. Things like bank account data, SSNs, even personal identity data should be handled with much care. Usually, organizations that keep that kind of information should store the data on at minimum a “middleware” server that is behind firewalls and can only be accessed through authorized processes (PHP, ASP, etc.) running on the web server.

That is very true, but the individual would need to have the full URL, including the filename. PageSafe isn’t designed to protect assets but to protect web pages from being viewed. Also, you should consider search engines indexing these assets.

If your site is showing a directory listing, you have a much bigger security issue going on. A good web hosting company should have that turned off by default. It’s a simple directive in both Apache and Nginx.

Since most sites are using Apache, and Nginx usually doesn’t allow local directives like .htaccess, if the host doesn’t already have the index listing disabled then add this to your .htaccess file:

# Disable directory browsing 
Options -Indexes

Now, if you add this line and someone tries to get a directory index listing to browse (https://example.com/resources/), they’ll get 403 Forbidden message.

Turning off indexes should be set for every website out there!

If the data isn’t that sensitive, you could simply add the lines above to .htaccess and then create a directory inside resources and give it a “hard to guess” name like r2b24c1nlx0j35xy2hh, and rename the resource file to another hard-to-guess name like l6dbn7918ekcorxvyx4.pdf. Then someone would have to know the URL:
https://example.com/resources/r2b24c1nlx0j35xy2hh/l6dbn7918ekcorxvyx4.pdf.

Not likely, and they wouldn’t be able to browse the directory.

There is another product for membership sites called SiteLok. It integrates well with RW and has the option to protect assets.

You can protect files and websites with .htaccess and .htpasswd files. It will protect anything in a directory, but it’s difficult to manage. More can be found here if you want to try that.

Now, as far as search engines, if you use Sitelok or the htaccess method, anything that is protected won’t get indexed.

If you keep the resources in the resources folder, there is a chance that they might get indexed. So you might want to add a robots.txt file to request search engines not to index the sub-directory.

You can search on this for examples :
robots.txt disallow directory


Nice tip Teefers! Thanks. Should probably have known that .htaccess trick all along. Learn something new everyday!

Many thanks for your help so far, much appreciated. I have managed to reorganise my resource folder and locate the resources I want protected in subfolders. In these subfolders I have added the .htaccess file. Separately, within one of these subfolders I have created a .htpasswd file with my “username:encryptedpassword” (with a htpasswd generator).
.htaccess:
AuthName "Login"
AuthUserFile /public_html/resources/Planning/htpasswd/.htpasswd
AuthGroupFile /dev/null
AuthType Basic

Require valid-user

However after filling in my username and password I now get the following error:

" Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

Apache/2 Server at www.yourdomain.nl Port 80"

I have no idea where this comes from. Any thoughts / tips?

Kind regards,
Eelco
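As an added example (not from the thread, RapidWeaver or Sitelok), a small stdlib-only Python script that builds a .htpasswd entry and lints a .htaccess like the one posted for the mistakes that typically end in that 500 error. The sample config is reconstructed from the post above, and the `public_html` web-root name used by the lint is an assumption about the host.

```python
import base64
import hashlib
import re
from pathlib import Path

# Constructed sample modelled on the .htaccess posted above: typographic quotes as they
# appeared in the post and a password-file path that exists only on the poster's host.
SAMPLE_HTACCESS = """AuthName \u201cLogin\u201d
AuthUserFile /public_html/resources/Planning/htpasswd/.htpasswd
AuthGroupFile /dev/null
AuthType Basic

Require valid-user
"""

def htpasswd_line(user: str, password: str) -> str:
    """Build a user:hash line in Apache's {SHA} scheme using only the stdlib.
    {SHA} is the weakest scheme Apache still accepts; on a real host prefer
    `htpasswd -B` (bcrypt). It is used here so the example runs with no extra packages."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"

def check_password(line: str, password: str) -> bool:
    """Mirror what mod_authn_file does for a {SHA} entry: hash the attempt and compare."""
    user, _, stored = line.partition(":")
    return stored == htpasswd_line(user, password).partition(":")[2]

def lint_htaccess(text: str, file_exists=lambda p: Path(p).is_file()) -> list[str]:
    """Return findings for mistakes that typically produce a 500 or a weak setup.
    `file_exists` is injectable so the check can run where the server's paths do not exist."""
    findings = []
    if re.search("[\u201c\u201d\u2018\u2019]", text):
        findings.append("typographic quotes found; Apache reads them as literal bytes, use ASCII quotes")
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            seen[name] = value.strip().strip('"')
    userfile = seen.get("AuthUserFile", "")
    if not userfile.startswith("/"):
        findings.append("AuthUserFile should be an absolute path (relative paths resolve against ServerRoot)")
    elif not file_exists(userfile):
        findings.append("AuthUserFile does not exist; Apache logs 'Could not open password file' and returns 500")
    if "public_html" in userfile:  # assumed document-root directory name; adjust for your host
        findings.append("password file is inside the web root; keep it outside or rely on the default .ht* deny rule")
    if seen.get("AuthType") != "Basic" or "Require" not in seen:
        findings.append("AuthType Basic and a Require directive are both needed for the file to protect anything")
    return findings
```

Run `lint_htaccess(open(".htaccess").read())` on the server itself so the AuthUserFile existence check sees the real filesystem.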

Using htaccess to restrict access can be a bit tricky.

Are you attempting to just restrict access to the resources with htaccess or a webpage?

I’ve never tried to use it for just a link, not saying it can’t be done but I’ve never tried.

Usually, I would restrict a webpage, then on that page have the links to the download files. These files would be inside a directory that is a sub-directory of the restricted page.

The way .htaccess restricts access is at the directory level, so anything that’s a sub-directory would prompt for the password unless you have already logged in. Htaccess logins stay active until the browser’s closed.

Now, to debug things like 500 errors you’ll probably need to find the Apache error logs on the server. Their location can vary by host.

I used .htaccess to restrict access to data (folders with data) in my resource folder. Before I added the .htaccess file I did not get any of these error 500 messages. Hence I wonder why this now all of a sudden happens.
So what happens now is that when I click the link from my website I get prompted to complete the username and password, which I fill in, and then I get the error message. In addition I cannot go back/refresh. Whenever I try a different link it does not trigger me to redo the login either. Only after I clear my cache.

The htaccess/htpasswd is designed to keep you logged in until the browser is closed (or you clear the cache). You can come back days later and if the browser hasn’t closed you will still be logged in.

When you hit the other links do you get the 500 errors or does it work?

Yeah, it’s an Apache generic error message. When you change htaccess, you are changing the configuration of Apache. It (htaccess file) is technically called a local directives file and can reconfigure the webserver for that directory.

The only way I know to “debug” is the Apache log files.

As I said before, I never tried it the way you are doing it. I’ve always had a page that the user “logged in” to and then had the links to a sub-page of that directory.

Ok, thanks. Think I am doing this the wrong way trying to fix something in an ugly way and not being proficient with this doesn’t help. As an alternative I should probably be looking at something like Sitelok which I will investigate if it indeed fits my needs.


Think you might be much happier with Sitelok. Adrian from @vibralogix is always helpful.

Sitelok is a separate PHP product that integrates easily with RapidWeaver.

Here’s a link to a video tutorial on RapidWeaver membership setup:

And a manual for setup of sitelok with RW

It’s pretty straightforward. If it looks too complicated (it’s not), Joe Workman has a set of stacks for setting up Sitelok, but you probably won’t need them.

