I have a PHP/Apache application deployed to Heroku. I want to enable basic auth on this when running on Heroku. This worked well...
AuthUserFile /app/prototypes/.htpasswd
AuthType Basic
AuthName "Restricted Access"
Require valid-user
However, I want to only enable this if PASSWORD_PROTECTED is set. I set a heroku config var like so:
heroku config:set PASSWORD_PROTECTED=true
and then updated .htaccess to look like:
<IfDefine %{ENV:PASSWORD_PROTECTED}>
AuthUserFile /app/prototypes/.htpasswd
AuthType Basic
AuthName "Restricted Access"
Require valid-user
</IfDefine>
But the Require valid-user never gets run, so I don't seem to be able to access ENV vars from .htacess in Heroku or I am doing this wrong. Any thoughts on how to do this properly?
You're on the right track, but your syntax is a little off.
Rather than <IfDefine>, which lets you test for variables set with Define or via the -D parameter on startup, you should use the <If> directive. This was new in Apache 2.4, so examples are a little thin on the ground, but we can use those examples along with this rather technical expression reference to come up with this:
<If "-T reqenv('PASSWORD_PROTECTED')">
AuthUserFile /app/prototypes/.htpasswd
AuthType Basic
AuthName "Restricted Access"
Require valid-user
</If>
reqenv is a function that looks up an environment variable; -T is an operator that returns true unless its argument is empty, 0, "false", "off", or "no".
Related
I am trying to implement an auto login function into my mediawiki by using their windows credentials. I am using Apache Server (V2.2).
I have implemented the Auth remoteuser extension and has implemented the mod_auth_sspi.so in my httpd.conf file and has configure it to be as follows
<IfModule !mod_auth_sspi.c>
LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>
<Location "file/to/path">
Options FollowSymLinks
Order allow,deny
Allow from all
AuthName "TestWeb"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOmitDomain On
SSPIOfferBasic on
Require valid-user
</Location>
However, it gives me the prompt to type in the username and password on IE/Firefox/Chrome which I don't want the prompt to appear. I want it to auto login to mediawiki straight without the prompt. Which step am I doing wrong?
How may I achieve the above? Thanks for all assistance!
Remove 'SSPIOfferBasic on' and make sure your IE options are set as described here:
Single Sign On with apache on windows 7 and mod_auth_sspi
SSPIOfferBasic means "clients, you can authenticate, using basic auth", so most browsers will chose that instead of SSO/NTLM
I've got a problem with my .htaccess :
AuthType Basic
AuthName "Acces protege"
AuthUserFile "/home/sites/.htpasswd"
require valid-user
IMO, the file .htaccess is not read as I tried to write with syntax error.
And nothing happened while I access to the page.
I've changed the conf file of Apache : apache2.conf.
Instead of
AllowOverride None
I've put
Allow Override All
Then
service apache2 restart
Yet no authentification activated.
AuthType Basic
AuthName "Acces protege"
AuthUserFile "/home/sites/.htpasswd"
Require valid-user
Change the require keyword to Require
A misconfiguration on the server caused a hiccup. Check the server logs, fix the problem, then try again.
This error is displayed only after I add this authentication part to my .htaccess...If I remove this part it shows the admin area without authentication....Please can anyone point out whether there is any syntax error...
<FilesMatch "admin">
AuthUserFile "/home6/zeewatch/public_html/ecole-de-paris-fr//httpd.www/mu/.htpasswd
AuthGroupFile /dev/null
AuthName "admin"
AuthType Basic
Require valid-user
</FilesMatch>
Try this
<FilesMatch "admin">
AuthName "Admin Panel"
AuthType Basic
AuthUserFile /path/.htpasswd
Require valid-user
</FilesMatch>
and what this?
ecole-de-paris-fr//httpd.www/mu/.htpasswd
you have "//" on the path, make it one forward slash
So rather than excluding one file from the entire authentication like I tried to here. I've just decided to add specific files to the authentication like this:
<Files ...>
</Files>
The thing is when it's like this:
<Files Available.php>
AuthType Basic
AuthName "Login"
AuthUserFile /disks/*/*/Folder/.htpasswd
Require valid-user
</Files>
It works in that it requires an authentication for the php. However when I put multiple files like this:
<Files Available.php,Insert.php,upload_file.php>
AuthType Basic
AuthName "Login"
AuthUserFile /disks/*/*/Folder/.htpasswd
Require valid-user
</Files>
It fails to require authentication for any of the files. Any ideas what I'm writing wrong syntactically? Also how do I require authentication for all sub-directories?
You can't put multiple file names in a directive. see for directive examples.
http://www.askapache.com/htaccess/using-filesmatch-and-files-in-htaccess.html
If you can't match the files with a wildcard, your best bet is to place them all in a subdirectory and use your authenication against that.
Your other option is to use php authenication with sessions (cookie or url based) and have the php files that require authentication check for a valid session before running.
I've written a fair number php based sites with authenicated admin and I always use a subdirectory and then ssl to make it more secure.
I have a rule in my app (in /.htaccess) that sets a htpassword for access to the site. We need this on the remote server, because we don't want anyone except us seeing it.
However, on the local server, I don't want to deal with the htpassword mess. Is there any way that I can make the rule valid only if the domain isn't "localhost", or something of a similar variety?
I'm using PHP as a backend language, so if there's a way I can solve it with PHP, that would be great.
Thanks for any help in advance.
Edit - The offending code:
authtype basic
authgroupfile /dev/null
authuserfile /path/to/htpassword
authname "Secure Area"
require user username
http://httpd.apache.org/docs/current/howto/auth.html#satisfy
AuthType Basic
AuthName intranet
AuthUserFile /www/passwd/users
AuthGroupFile /www/passwd/groups
Require group customers
Order allow,deny
Allow from internal.com
Satisfy any
RewriteCond %{HTTP_HOST} your_remote_hostname
Add that condition in (obviously replacing the relevant part with your hostname) before the RewriteRule line.
You can use the require directive:
Require all granted
Access is allowed unconditionally. Require all denied
Access is denied unconditionally. Require env env-var [env-var] ...
Access is allowed only if one of the given environment variables is set. Require method http-method [http-method] ...
Access is allowed only for the given HTTP methods. Require expr expression
Access is allowed if expression evaluates to true.
Some of the allowed syntaxes provided by mod_authz_user,
mod_authz_host, and mod_authz_groupfile are:
Require user userid [userid] ...
Only the named users can access the resource.
Require group group-name [group-name] ...
Only users in the named groups can access the resource.
Require valid-user
All valid users can access the resource.
Require ip 10 172.20 192.168.2
Clients in the specified IP address ranges can access the resource.
authtype basic
authgroupfile /dev/null
authuserfile /path/to/htpassword
authname "Secure Area"
require user username
require ip 10.10.10.10