I have added htpasswd protection using htaccess file for authentication, now I want to bypass authenitcation for www.website.com and www.website.com/index.php where both urls are accessing index.php file. By using below htaccess file I have allowed index.php and I'm able to bypass www.website.com/index.php url but not www.website.com
My htaccess file is:
# set an environtment variable "noauth" if the request starts with "/callbacks/"
SetEnvIf Request_URI ^/index.php noauth=1
AuthType Basic
AuthName "RESTRICTED"
#AuthName "Restricted Area"
AuthUserFile "/path/to/.htpasswd"
require valid-user
Options -Indexes
Options +FollowSymlinks
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^.]+)$ /file.php?show=all&name=$1 [L]
# Here is where we allow/deny
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=noauth
I believe the 2nd parameter just uses regular regex. Maybe you can just make index.php optional.
SetEnvIf Request_URI "^/(index\.php)?$" noauth=1
Have not tested.
Related
In my htaccess I think I must wrong path of RewriteBase.
My server has this structure:
/public_html/example
and in this example there are all my site so to go on my site I do this url:
http://home.com/example
But I get 500 internal server because I think I wrong my RewriteBase in my htacess:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /example/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /example/index.php [L]
</IfModule>
AuthBasicProvider file
AuthUserFile /public_html/festivalmusicasullacqua/.htpasswd.txt
AuthName "Authorization Form Title"
AuthType Basic
#Allow any valid user
require valid-user
#Allow only one user with specified username
require user festival
Anyone can help me to correct the code?
You have two parts in your .htaccess file: a rewrite part, and an auth part. I think that the error is not in the rewrite part, but in the auth part (you can try commenting it to confirm this hypothesis).
If I am right and the error is in the auth part, the reason is probably that FTP chroots you. Then you only see a relative filesystem path.
Thus I doubt that the AuthUserFile line has a correct path: you must specify an absolute path.
Here is my code
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^$ app/webroot/ [L]
RewriteRule (.*) app/webroot/$1 [L]
</IfModule>
<LocationMatch "http://<server name>/bikes/brand/index/*">
AuthType Basic
AuthName "restricted area"
AuthUserFile "/home/public_html/sites/labs/bikes/.htpasswds"
require valid-user
</LocationMatch>
Actually i want to enable htaccess password only for one page and page link is something like http:///bikes/homes/index/
but I don't want htaccess password on any other page.thanks
Try with this code add it to your .htaccess and refer this link:
<Files "index.php">
Require valid-user
</Files>
rewriting works fine until we add auth to htaccess. Is auth formatted correctly? Why would rewrite work before adding auth?
Request params at the site controller with no auth:
[id] => 433 [type] => city
Params after auth added and the user authenticated:
[site/query]
Sample query url that works without auth:
http://www.website.com/site/query?type=city&id=433
The .htaccess with basic auth at the bottom:
# any visits not coming from this official URL should be rerouted; AJAX cross-domain, www.website.com is not the same as our.company.com
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.website\.com$ [NC]
RewriteRule ^(.*)$ http://www.website.com/$1 [R=301,L]
# route all requests that are NOT static files, through index.php to make the /nice/urls/ work
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?$1 [L]
# disable file listings for directories
Options -Indexes
# disable the fetching of .phtm
<Files ~ "\.phtml$">
Order allow,deny
Deny from all
</Files>
# Protect hidden files from being viewed
<Files .*>
Order Deny,Allow
Deny From All
</Files>
# Protect application and system files from being viewed
RewriteRule ^(?:modules|system)\b.* index.php/$0 [L]
# Allow any files or directories that exist to be displayed directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
AuthType Basic
AuthName "Password required"
AuthUserFile /maps/scorp/main/.htpasswd
Require valid-user
I've got no answer to your nice questions but I hope I found a solution. :)
IMHO in your .htaccess the authorisation will take the advantage. It's a kinda tricky but you can break the priority by enclosing the "Require valid-user" directive into block <Files>. E.g.:
<Files "*.phtml">
Require valid-user
</Files>
I am running cpanel with apache 2.2.25 and have the following site custom configuration setup
WSGIScriptAlias /trac /usr/share/trac/cgi-bin/trac.wsgi
<Directory /usr/share/trac>
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
<Location "/trac/login">
AuthType Basic
AuthName "Trac"
AuthUserFile /home/[user]/public_svn/conf/htpasswd
Require valid-user
</Location>
I have tried the following .htaccess configuration, and others, but the authentication prompt is not displaying when I go to www.mydomain.com/trac/login , instead it is redirecting to index.php .
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^svn - [L,NC]
RewriteRule ^trac - [L,NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
</IfModule>
Is there a way to create .htaccess rewrite condition to skip authentication requests?
This is a solution that works, but I don't know why. I added the following to the beginning of the index.php file.
<?php
if (substr($_SERVER['REQUEST_URI'],0,4) == '/svn') {
die();
}
if (substr($_SERVER['REQUEST_URI'],0,5) == '/trac') {
die();
}
?>
If anyone knows why this works I'd love to know!
Here's my current situation:
I'm rewriting /api to api.php.
RewriteRule ^apidir/url/new?$ api.php [QSA,NC,L]
Now, I am whitelisting IP's for it. However, when I try and use the Files directive to block access, I can't because it is being rewritten.
<Files "\api.php">
order allow,deny
allow from all
deny from 24.11.95.151
</Files>
so, I tried just using it to block the rewritten directory
<Files "\apimashape2013/url/new">
order allow,deny
allow from all
deny from 24.11.95.151
</Files>
None of these have worked out.
If you have access to the virtualhost you can use this:
RewriteEngine on
RewriteMap hosts-deny txt:/home/youraccount/deny_list.txt
RewriteCond ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND
RewriteCond %{REQUEST_URI} ^/api [NC]
RewriteRule ^ - [F]
And have the deny_list.txt with the list of IP's or HOST you wish to blacklist:
193.102.180.41 -
bsdti1.sdm.de -
192.76.162.40 -
Read more here.
Alternatively if you don't have access to the virtualhost, you can change the name of your php file to something unique for example thisismyapi.php and use it like this:
Options +FollowSymLinks -MultiViews
RewriteEngine On
RewriteBase /
<Files "thisismyapi.php">
order allow,deny
allow from all
deny from 24.11.95.151
</Files>
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !thisismyapi.php
RewriteRule ^api/?(.*)$ /api/thisismyapi.php [L]
Why do I change it to other name?
Because this way it will match it anywhere it is so it should work just fine for your needs and will not conflict with other files.
For example in this way it the file was named index.php it would conflict with index.php in other folders.
Not sure why the first <Files> container isn't working. The \ shouldn't have any effect. But the container needs to be in the directory or parent directory of where the api.php file is.
Alternatively, you can include this in your htaccess:
RewriteCond %{REMOTE_ADDR} ^24\.11\.95\.151$
RewriteRule ^/?api.php$ - [L,F]