Securing installation via .htpasswd

Hi All,

I have been investigating the possibility of securing my Invoiceplane installation with apache authentication, however have been struggling as I don’t quite fully understand how the publishing of the website structure is managed. Although I have been administrating Apache installations for 5-6 years, at times I still consider myself an amature.

The reasoning behind the enhanced security is that I wouldn’t want to allow the slightest possibility of a competitor having access to my Customer and Billing data. If I am able to utilise Apache auth I can further enhance the security again by whitelisting IP addresses and/or using something like fail2ban.

This is the snippet of text from the default .htaccess file that I’m struggling to fully interpret:-

RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

I’ve checked over the mod_rewrite documentation and can see that the “not”-f expression is a reference to a file and “not”-d expression is a reference to a directory:-

http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritecond

The bit I’m quite stuck with is the [L] part and the effect that has on the URL request. The utlimate objective is to secure all directories apart from “/guest” as I would still like my customers to be able to utilise the online quote and invoicing features.

Current Apache documentation suggests that utilising a virtualhosts “.conf” file is better for performance and security then using a “.htaccess” file. I would like to go down that route if at all possible.

http://httpd.apache.org/docs/current/sections.html#file-and-web

I’ve various common “Location” and “Directory” directives, employing the usual tactics, but don’t seem to experience the behaviour I expect.

If anyone can provide support or guidance on this matter it would be very much appreciated.

Many Thanks,
Futurian

It seems there isn’t an easy answer to this, however I have got this working by adding the following to the .htaccess file:

    SetEnvIf Request_URI "^/guest/view/invoice/.*$" GUEST
    SetEnvIf Request_URI "^/index.php/guest/view/invoice.*$" GUEST
    
    SetEnvIf Request_URI "^/guest/view/generate_invoice_pdf/.*$" GUEST
    SetEnvIf Request_URI "^/index.php/guest/view/generate_invoice_pdf/.*$" GUEST
    
    SetEnvIf Request_URI "^/guest/payment_handler/make_payment/.*$" GUEST
    SetEnvIf Request_URI "^/index.php/guest/payment_handler/make_payment/.*$" GUEST
    
    SetEnvIf Request_URI "^/uploads.*$" GUEST
    SetEnvIf Request_URI "^/assets.*$" GUEST
 
    # https://stackoverflow.com/a/10128290
    SetEnvIf REDIRECT_GUEST (.+) GUEST=$1
 
    AuthType Basic
    AuthName "Admins Only"
    # Edit the following line to the location of your htpasswd file 
    AuthUserFile /var/www/.htpasswd
    Require valid-user
    Satisfy    any
    Order      deny,allow
    Deny from  all
    Allow from env=GUEST
1 Like

Thought I’d bump this to the top of the forum in light of the recent security issue – anyone who did set up their .htaccess file as suggested above wouldn’t have been exposed to the vulnerability.

Note that if you use the above with a redirect in a .htaccess file from HTTP to HTTPS, for example:

# https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</IfModule>

And also require SSL and add a HSTS header and set your 403 error document to also use HTTPS:

SSLRequireSSL
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
ErrorDocument 403 https://www.example.org/

There is still an issue with a request from a browser that hasn’t visited the site before getting a HTTP Authentication prompt via HTTP and not HTTPS, I haven’t yet worked out a solution to this at a .htaccess level, it is easy to solve at an Apache config file level – simply redirect all HTTP requests to the HTTPS VirtualHost.

If you have a favicon.ico file you well need to add an additional rule for that to prevent browsers that automatically request it from getting HTTP Authentication prompts when viewing invoices, for example:

SetEnvIf Request_URI "^/favicon\.ico$" GUEST      
SetEnvIf Request_URI "^/favicon\.png$" GUEST      

You might also want to do the same if you have a robots.txt file:

SetEnvIf Request_URI "^/robots\.txt$" GUEST

I can’t edit the first post in this thread from me (there must be a time limit on how long posts are editable?), so I’ll have to post this here…

There are two missing rules above, without which PayPal won’t work:

SetEnvIf Request_URI "^/guest/payment_handler/payment_return/.*$" GUEST
SetEnvIf Request_URI "^/index.php/payment_handler/payment_return/.*$" GUEST

Note if you use the above .htaccess rules you will need to pass the username and password for cron, for example:

00 09 * * * wget -q --user="USERNAME" --password="PASSWORD" "https://invoiceplane.example.org//invoices/cron/recur/uas3EeH7po4u" -O /dev/null

Here is an updated set of rules for a .htaccess file to add HTTP Authentication as an additional layer of security to an InvoicePlane install, guests don’t need to login using HTTP Authentication but admins do:

# HTTP Authentication for everybody apart from guests
# https://community.invoiceplane.com/t/topic/2675/
SetEnvIf Request_URI "^/index.php/guest/view/invoice.*$" GUEST
SetEnvIf Request_URI "^/guest/view/invoice/.*$" GUEST
SetEnvIf Request_URI "^/guest/view/generate_invoice_pdf/.*$" GUEST
SetEnvIf Request_URI "^/index.php/guest/view/generate_invoice_pdf/.*$" GUEST
SetEnvIf Request_URI "^/guest/payment_handler/make_payment/.*$" GUEST
SetEnvIf Request_URI "^/index.php/guest/payment_handler/make_payment/.*$" GUEST
SetEnvIf Request_URI "^/guest/payment_handler/payment_return/.*$" GUEST
SetEnvIf Request_URI "^/index.php/payment_handler/payment_return/.*$" GUEST
SetEnvIf Request_URI "^/guest/payment_information/form/.*$" GUEST
SetEnvIf Request_URI "^/index.php/guest/payment_information/form/.*$" GUEST
SetEnvIf Request_URI "^/guest/payment_handler/payment_cancel/.*$" GUEST
SetEnvIf Request_URI "^/index.php/guest/payment_handler/payment_cancel/.*$" GUEST
SetEnvIf Request_URI "^/uploads.*$" GUEST
SetEnvIf Request_URI "^/assets.*$" GUEST
SetEnvIf Request_URI "^/favicon\.ico$" GUEST
SetEnvIf Request_URI "^/favicon\.png$" GUEST
SetEnvIf Request_URI "^/robots\.txt$" GUEST

# https://stackoverflow.com/a/10128290
SetEnvIf REDIRECT_GUEST (.+) GUEST=$1

AuthType     Basic
AuthName     "Administration Access Only"
AuthUserFile /path/to/somewhere/outside/the/apache/document/root/.htpasswd
Require      valid-user
Satisfy      any
Order        deny,allow 
Deny from    all
Allow from   env=GUEST