Welcome to the LimeSurvey Community Forum

Ask the community, share ideas, and connect with other LimeSurvey users!

How to modify .htaccess to hide whole website behind password?

sammawatt
Topic Author
Offline
New Member

More

1 year 7 months ago - 1 year 7 months ago #232235 by sammawatt

How to modify .htaccess to hide whole website behind password? was created by sammawatt

Hi,

I installed limesurvey self-hosted on own server. Works so far.

But I want to hide the whole site behind a password using .htaccess: I don't need any users, everyone who has the password can access the system anonymously.
So if you go to the site, you only see a password prompt. Simple as that, nothing else.

I am able to protect sites with a .htaccess like this:

Code:

AuthType Basic
AuthName "passwordprotected"
AuthUserFile /path/to/file/.htpasswd
Require valid-user

But limesurvey already has a quite large .htaccess file installed:

Code:

<IfModule mod_rewrite.c>
    RewriteEngine on
 
    # if a directory or a file exists, use it directly
    RewriteCond %{REQUEST_FILENAME} !-f
    # RewriteCond %{REQUEST_FILENAME} !-d

    # otherwise forward it to index.php
    RewriteRule . index.php
 
    # deny access to hidden files and directories except .well-known
    RewriteCond %{REQUEST_URI} !^/\.well-known
    RewriteRule ^(.*/)?\.+ - [F]
 
    # deny access to composer.json that is used for remote fingerprinting
    RewriteRule ^composer.json - [F]
</IfModule>
 
# deny access to hidden files and directories without mod_rewrite
RedirectMatch 403 ^/(?!\.well-known/)(.*/)?\.+
 
# General setting to properly handle LimeSurvey paths
# AcceptPathInfo on

# XSS protection
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    <FilesMatch "\.(svgz?)$">
        Header set Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'"
    </FilesMatch>
</IfModule>
 
# Disable Multiviews (issue #16859)
<IfModule mod_negotiation.c>
    Options -MultiViews
</IfModule>

Can I combine the code and if so, where should I put it?

Greetings
Alex

Last edit: 1 year 7 months ago by sammawatt.

Please Log in to join the conversation.

jelo
Offline
Platinum Member

More

1 year 7 months ago #232242 by jelo

Replied by jelo on topic How to modify .htaccess to hide whole website behind password?

You can add your stuff to that htaccess file. Not sure if you really want to protect the whole LimeSurvey installation. All surveys will also be protected by that password.

And not sure what "I don't need any users, everyone who has the password can access the system anonymously." implies. You still will need user accounts to allow access to the backend.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users

Please Log in to join the conversation.

sammawatt
Topic Author
Offline
New Member

More

1 year 7 months ago #232289 by sammawatt

Replied by sammawatt on topic How to modify .htaccess to hide whole website behind password?

Thanks, I will try that tomorrow. Adding to end of file or at the beginning makes no difference I guess?

Indeed I want to "hide" the whole installation, only some people should use it.
And of course I have a user for the backend - I just don't need user login on frontend.
All surveys will be anonymously and I don't think anyone will do the survey more than once to cheat.

Please Log in to join the conversation.

holch
Offline
LimeSurvey Community Team

More

1 year 7 months ago #232296 by holch

Replied by holch on topic How to modify .htaccess to hide whole website behind password?

I just don't need user login on frontend.

There is no user login on frontend in Limesurvey. I think that is why Jelo (and I) are a little confused.

You might be fully aware of this, but if you secure the whole Limesurvey installation with a password via .htaccess everyone who should fill in a survey would need to have this password. If this is clear to you, go for it.

I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.

Please Log in to join the conversation.

sammawatt
Topic Author
Offline
New Member

More

1 year 7 months ago #232305 by sammawatt

Replied by sammawatt on topic How to modify .htaccess to hide whole website behind password?

Yes that is exactly what I want - sorry I didn't explain it sufficiently:

Anyone without password can't see anything but a password prompt and doesn't even know limesurvey is there.

All participants of surveys have the password (for very small group, but regular surveys).

Admin needs password as well, and after that can login with own password on backend.

Please Log in to join the conversation.

holch
Offline
LimeSurvey Community Team

More

1 year 7 months ago #232323 by holch

Replied by holch on topic How to modify .htaccess to hide whole website behind password?

Yes that is exactly what I want

Then you are fine. We just commented on this, because the request is somewhat "different" and we often see in the forum that it is good to ask those things and clarify. But if you are aware that anyone needs to have the password, you are good to go with .htaccess. Good luck.

I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.

Please Log in to join the conversation.

holch
Offline
LimeSurvey Community Team

More

1 year 5 months ago #234046 by holch

Replied by holch on topic How to modify .htaccess to hide whole website behind password?

Congratulations, magajaj330!

You have just won a forum ban for spamming!

I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.

Please Log in to join the conversation.

Lime-years ahead

Online-surveys for every purse and purpose

Pricing & Plans

Get started

Welcome to the LimeSurvey Community Forum

How to modify .htaccess to hide whole website behind password?

Lime-years ahead

Legal

About Us

Open Source