We Keep Coding

Protect route with htaccess

This is my current htaccess
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ /ouruniversity/public/index.php [NC,L,QSA]
Which redirects me all links to my entrypint in php. Now I would like to protect all / admin / routes with htaccess password. I tried to do this
# Do the regex check against the URI here, if match, set the "require_auth" var
SetEnvIf Request_URI ^/admin/ require_auth=true
# Auth stuff
AuthUserFile /ouruniversity/.htpasswd
AuthName "Password Protected"
AuthType Basic
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ /ouruniversity/public/index.php [NC,L,QSA]
and the login form is correctly shown to me, only by clicking cancel or logging in with the wrong username and password, the contents are displayed anyway. How can I fix it?

.htaccess only allow access to index.php and a directory

I am using
RewriteEngine On
RewriteRule ^.*$ ./index.php
to redirect all my website traffic through index.php and let my php code get the request_uri and route each request accordingly.
I want to restrict access to all other files/directories except one that will contain the js files, css files, images etc.
I found that to do that I can use:
Order deny,allow
Deny from all
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
and then have another .htaccess file inside the public directory to allow certain file types.
When I navigate to localhost/mysite/index.php it works fine since the index.php file is accessible.
But for any other url I get a 403, for example /mysite/home/ is forbidden even though I expected it to work normally.
What can I do get the expected behavior?
My full .htacces file is:
RewriteEngine On
RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule ^.*$ ./index.php
Order deny,allow
Deny from all
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
EDIT: The /public/.htaccess currently looks like this:
<Files ~ "\.(xml|css|jpe?g|png|gif|js|pdf)$">
Allow from all
</Files>

Try this code in /mysite/.htaccess:
DirectoryIndex index.php
RewriteEngine On
RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule ^ index.php [L]
RewriteRule !^(public/|index\.php) [NC,F]

You can use:
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php
That is the .htaccess I use for my applications. In the public directory, I only place index.php and JS, CSS and images file that I need, so there is no need to filter them out. Any other file (such as uploads), are save to a folder outside of the public folder - so they are no accessible directly - only via a php script that reads them. I believe that is "best practice".

Bypass htpasswd authentication for url with index.php and without it

I have added htpasswd protection using htaccess file for authentication, now I want to bypass authenitcation for www.website.com and www.website.com/index.php where both urls are accessing index.php file. By using below htaccess file I have allowed index.php and I'm able to bypass www.website.com/index.php url but not www.website.com
My htaccess file is:
# set an environtment variable "noauth" if the request starts with "/callbacks/"
SetEnvIf Request_URI ^/index.php noauth=1
AuthType Basic
AuthName "RESTRICTED"
#AuthName "Restricted Area"
AuthUserFile "/path/to/.htpasswd"
require valid-user
Options -Indexes
Options +FollowSymlinks
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^.]+)$ /file.php?show=all&name=$1 [L]
# Here is where we allow/deny
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=noauth

I believe the 2nd parameter just uses regular regex. Maybe you can just make index.php optional.
SetEnvIf Request_URI "^/(index\.php)?$" noauth=1
Have not tested.

How to Create .htaccess rewrite rule ignoring authentication requests

I am running cpanel with apache 2.2.25 and have the following site custom configuration setup
WSGIScriptAlias /trac /usr/share/trac/cgi-bin/trac.wsgi
<Directory /usr/share/trac>
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
<Location "/trac/login">
AuthType Basic
AuthName "Trac"
AuthUserFile /home/[user]/public_svn/conf/htpasswd
Require valid-user
</Location>
I have tried the following .htaccess configuration, and others, but the authentication prompt is not displaying when I go to www.mydomain.com/trac/login , instead it is redirecting to index.php .
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^svn - [L,NC]
RewriteRule ^trac - [L,NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
</IfModule>
Is there a way to create .htaccess rewrite condition to skip authentication requests?

This is a solution that works, but I don't know why. I added the following to the beginning of the index.php file.
<?php
if (substr($_SERVER['REQUEST_URI'],0,4) == '/svn') {
die();
}
if (substr($_SERVER['REQUEST_URI'],0,5) == '/trac') {
die();
}
?>
If anyone knows why this works I'd love to know!

Whitelist IPs for a certain file .htaccess with rewrite

Here's my current situation:
I'm rewriting /api to api.php.
RewriteRule ^apidir/url/new?$ api.php [QSA,NC,L]
Now, I am whitelisting IP's for it. However, when I try and use the Files directive to block access, I can't because it is being rewritten.
<Files "\api.php">
order allow,deny
allow from all
deny from 24.11.95.151
</Files>
so, I tried just using it to block the rewritten directory
<Files "\apimashape2013/url/new">
order allow,deny
allow from all
deny from 24.11.95.151
</Files>
None of these have worked out.

If you have access to the virtualhost you can use this:
RewriteEngine on
RewriteMap hosts-deny txt:/home/youraccount/deny_list.txt
RewriteCond ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND
RewriteCond %{REQUEST_URI} ^/api [NC]
RewriteRule ^ - [F]
And have the deny_list.txt with the list of IP's or HOST you wish to blacklist:
193.102.180.41 -
bsdti1.sdm.de -
192.76.162.40 -
Read more here.
Alternatively if you don't have access to the virtualhost, you can change the name of your php file to something unique for example thisismyapi.php and use it like this:
Options +FollowSymLinks -MultiViews
RewriteEngine On
RewriteBase /
<Files "thisismyapi.php">
order allow,deny
allow from all
deny from 24.11.95.151
</Files>
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !thisismyapi.php
RewriteRule ^api/?(.*)$ /api/thisismyapi.php [L]
Why do I change it to other name?
Because this way it will match it anywhere it is so it should work just fine for your needs and will not conflict with other files.
For example in this way it the file was named index.php it would conflict with index.php in other folders.

Not sure why the first <Files> container isn't working. The \ shouldn't have any effect. But the container needs to be in the directory or parent directory of where the api.php file is.
Alternatively, you can include this in your htaccess:
RewriteCond %{REMOTE_ADDR} ^24\.11\.95\.151$
RewriteRule ^/?api.php$ - [L,F]