I have one page on my root folder called export.php. Now I don't want to give access to this page to all the users.
What I am trying to achieve, If any user tries to access export.php page then one alert will display and it will ask for the username and password. Once login details are correct then the page will be accessible. I tried some code on htaccess.
Now I have two issues,
1) I am getting alert on all the pages. How do I set only for the export.php page?
2) After entering the username and password I am getting a server error.
htaccess
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]
AuthType Basic
AuthName "Access to the Hidden Files"
AuthUserFile 'http://localhost:8080/example/.htpassword'
Require valid-user
Solution.
First I found the path using
<?php echo $_SERVER['DOCUMENT_ROOT']; ?>
Output: /opt/lampp/htdocs/example/
then I added path in htaccess file
SetEnvIfNoCase Request_URI /export SECURED
AuthName "Access to the Hidden Files"
AuthType Basic
AuthUserFile "/opt/lampp/htdocs/example/.htpasswd"
AuthGroupFile /
Require valid-user
Satisfy any
Order Allow,Deny
Allow from all
Deny from env=SECURED
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]
Rewrite all to router.php and then rewrite from php (small mvc for example https://github.com/breakermind/Tronix).
Better solution, check if the user has permissions in php file:
<?php
// User field from users table (add to session when logging)
if($_SESSION['user']['allow_export'] == 9 && isIpAddressAllowedFunc($_SERVER['REMOTE_ADDR'])){
// show content
}else{
// Redirect or log out user
header('Location: index.php');
exit;
}
?>
Related
I have an Apache site where all URLs that points to a file without an extension reads as a .php file. I put those entries in the .htaccess file, and allowed it inside the httpd.conf file.
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule !\. - [H=application/x-httpd-php]
It works great.
Now I add authentification to the website.
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
It only works if I comment out my RewriteEngine code.
One will work without the other, but not together. I've read a bit about the REMOTE_USER variable, but failed at some attempts.
Any recommendations to solve this?
Thanks
I'm trying to setup my .htaccess file to enable basic authentication on our development website.
I want the authentication to work on all my site but for certain URL. We are using friendly URL on our site..
I would also like to bypass authentication for certain file types like png, css, etc...
What I have so far looks like this :
SetEnvIfNoCase Request_URI ^/upload/ NO_AUTH
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=NO_AUTH
<FilesMatch "\.(gif|jpe?g|png|css|js|swf)$">
Satisfy Any
</FilesMatch>
The authentication is working fine, but the SetEnvIfNoCase does not seem to work because I'm still asked for authentication when going to the friendly URL '/upload/'.
The FilesMatch part does not seem to work either ..
Anyone can help me with that ?
Thanks !
There's 2 things you need to address.
Your <FilesMatch> container is doing nothing. You already have a Satisfy Any. You should add those extensions to a separate SetEnvIfNoCase
When you are using rewrite rules that rewrite /upload/, you need to include both the "friendly" URI as well as the rewritten URI, because the auth module is applied at every step (obviously, since it's really really bad to allow bypassing of authentication by rewrite/alias). That means, for example, if you have this rule:
RewriteRule ^upload/(.*)$ /upload_script.php?file=$1 [L]
Then you need to have a NO_AUTH line for both /upload/ and /upload_script.php:
SetEnvIfNoCase Request_URI ^/upload/ NO_AUTH
SetEnvIfNoCase Request_URI ^/upload_script.php NO_AUTH
Then to address #1:
SetEnvIfNoCase Request_URI \.(gif|jpe?g|png|css|js|swf)$ NO_AUTH
So an example of the suggestion:
something that you can try is to add a rule (similar to the above RewriteRule example), to route the /upload/ to an intermediate script other than index.php, then from the intermediate script, call index.php.
So using the above example of /upload_script.php you'd add this before any of your rules:
RewriteRule ^upload/ /upload_script.php [L]
So that it looks something like:
RewriteEngine On
RewriteRule ^upload/ /upload_script.php [L]
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
Then, you create a script called upload_script.php which will have something like:
<?php
include_once "index.php";
?>
You may want to dump the $_SERVER[''] array first to see if everything's set to what Zend's index.php is expecting to see.
I am trying to allow user to wordpress wp-admin index page if query string contains parameter. I am setting env variable to allow them access. This is how my htaccess file looks like
RewriteEngine on
RewriteCond %{QUERY_STRING} !^author=1
RewriteRule ^ - [E=NO_AUTH:1]
AuthName "Staff Authorization Required"
AuthType Basic
AuthUserFile /usr/bin/.htpasswd
<Files "index.php">
Order Deny,Allow
Deny from all
Require user newagenumber
Allow from env=NO_AUTH
</Files>
Options -Indexes
As of yet, authorization dialog box appears for everyone. Please help :|
This is not working because Apache executed mod_auth module before mod_rewrite hence NO_AUTH is not set when basic authentication directives run.
Unfortunately this behavior is not that simple to change.
Here is a workaround solution that combines mod_rewrite, mod_setenvif and mod_auth:
RewriteEngine On
RewriteBase /wp-admin/
RewriteCond %{QUERY_STRING} (?:^|&)(author=1)(?:&|$) [NC]
RewriteRule ^(index\.php)?$ index.php/%1 [NC]
# set SECURED var to 1 if URI is /index.php/200
SetEnvIfNoCase Request_URI "/index\.php/(author=1)" NO_AUTH
AuthType Basic
AuthName "Login Required"
AuthUserFile /full/path/to/passwords
Require user newagenumber
Order Deny,Allow
Deny from all
Allow from env=NO_AUTH
Satisfy any
I have a KISSMVC php based site with the following .htaccess to allow only authenticated users to see the site
RewriteEngine On
RewriteBase /myphpsite/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?/$1 [L]
# Protect app files
RewriteRule ^((app|system|scripts).*)$ index.php/$1 [L]
AuthName "Please enter your username and password"
AuthType Basic
<Limit GET>
require user THEUSERNAME
</Limit>
This works with no problem.
The problem is that I want to allow clients to retrieve a value from the site with no authentication. This value is obtained through the index.php function because it is calculated per client, plus there is no folder structure where these values are stored.
as an example this URL should not prompt:
http://fancywebsite.com/myphpsite/index.php/inventory/hash/variable
but this one should still be prompting:
http://fancywebsite.com/myphpsite
If I could somehow specify in the .htaccess file to bypass or satisfy the authentication when the requested URL contains "index.php/inventory/hash" that would be perfect.
Let's consider the folder www.mydomain.com/exemple protected with the following .htaccess:
.htaccess
AuthUserFile /root/FTPname/www/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Access"
AuthType Basic
require valid-user
I want to allow the access to the exemple folder only if a user has a specific cookie, or I raise an error (with the following [F] flag). Then I implemented the following code:
.htaccess
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !CookieName=CookieValue
RewriteRule .* - [F,L]
AuthUserFile /root/FTPname/www/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Access"
AuthType Basic
require valid-user
The problem is that when i load the exemple folder without the cookie, it goes through the authentification process first...I would like to do raise the error first. Anyone knows?
Try "Satisfy any" with a new environment variable. Two techniques are shown here:
.htaccess basic auth by virtual host? One uses SetEnvIf, the other uses a RewriteRule to set the variable. Since SetEnvIf cannot detect cookies, you will need RewriteRule. But I found on my shared hosting platform that RewriteRule could not play with "Satisfy any." If it works for you, it will look something like:
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !CookieName=CookieValue
RewriteRule .* - [L,E=DENY:1]
AuthUserFile /root/FTPname/www/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Access"
AuthType Basic
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=!DENY
See also: htaccess exclude one url from Basic Auth
Watch out that the page you are protecting does not include images, stylesheets, etc., that trigger an authentication request when the page itself does not.