I need to protect different par of my website depending on the environment I'm working on.
I have three different environments:
localhost : protect nothing
www.test.example.com : protect the whole website (it's a test website so I don't want it to be accessible)
www.example.com : protect only /admin url (the live website, only /admin is protected)
For now, I use different htaccess files.
For test.example.com, I add:
AuthUserFile mypasswordfile
AuthType Basic
AuthName "Enter password"
require valid-user
For example.com, I add:
SetEnvIf Request_URI /admin/? auth=1
AuthUserFile mypasswordfile
AuthType Basic
AuthName "Enter a password"
Order Deny,Allow
Deny from all
Allow from env=!auth
Require valid-user
Satisfy any
Is there a way to use only one htacess with condition to have something like
if(localhost) { do nothing }
if(test.example.com) { require valid user on all domain }
if(example.com) { require valid user only on /admin}
You can use this combined .htaccess:
# require valid user only on /admin
SetEnvIf Request_URI ^/admin(/|$) auth=1
# if(test.example.com) { require valid user on all domain }
SetEnvIf Host ^test\.example\.com$ auth=1
# if(localhost) { do nothing }
SetEnvIf Host ^localhost$ !auth
AuthUserFile mypasswordfile
AuthType Basic
AuthName "Enter a password"
Order Deny,Allow
Deny from all
Allow from env=!auth
Require valid-user
Satisfy any
You could use version control, for example Mercurial (hg) and add those files to ignore list. This way the .htaccess files will not be overwritten when pushing changes.
If you're running Apache 2.4+ it has an <If .. > Directive you can use : http://httpd.apache.org/docs/2.4/mod/core.html#if
So you could read the Apache SERVER_NAME and apply conditions accordingly inside your .htaccess file.
<If "%{SERVER_NAME} =~ /^test\.example\.com/">
** require valid user on entire domain **
</If>
<ElseIf "%{SERVER_NAME} =~ /^example\.com/">
** require valid user only on /admin **
</ElseIf>
You could leave it as that or add in a specific <ElseIf> for 'localhost' with a final <Else> containing 'Deny from all' or similar - just to make sure you don't leave it open if you upload onto another development environment.
Note: you could also use SERVER_ADDR instead of SERVER_NAME and identify the server by IP address - which might be more reliable.
Related
My question is very similar to this one:
getting "authentication required" when requesting / instead of /index.php
However, in the question above, the goal is to allow access to only the root URL or index.php and to password protect access to all other files and subdirectories.
An excellent answer was given:
SetEnvIf Request_URI "^/$" allow=yes
SetEnvIf Request_URI "^/index.php$" allow=yes
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/webinterface/.htpasswd
Options +FollowSymLinks
Order Deny,Allow
Satisfy any
Deny from All
Require valid-user
Allow from env=allow
My question is the reverse: I only want to password protect the root URL of the directory or the index.php file, and to allow free access to all other files in the directory. When I used <FilesMatch "index.php"> I succeeded in protecting the index file, but the root url allowed access.
I'm sure the answer is basically obvious to those of you who are more familiar with htaccess than I am. How do I password protect only index.php and the root url? Thank you.
Use it like this:
SetEnvIfNoCase Request_URI "^/(index\.php)?$" PROTECT
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/webinterface/.htpasswd
Require valid-user
Satisfy any
Order Allow,Deny
Allow from All
Deny from env=PROTECT
Regex pattern ^/(index\.php)?$ will match / or /index.php and it sets env variable PROTECT
Allow from All allows all the URIs
Deny from env=PROTECT denies env variable PROTECT
Not sure if this is what you really want, but what about the options -Indexes, used like this?
<Directory /www/somefolder>
Options -Indexes FollowSymLinks
AllowOverride None
</Directory>
I would like to block a path from my site using the .htaccess configuration. The idea is that only a specific set of IP's can access that specific path from the URL after they authenticated using basic auth.
Note: It's a path, not a page or directory. We are trying to shield off a web-service so there will be only post calls to the URL's.
I would like the url example.com/rest to be blocked and everything behind that url based on IP. So example.com/rest/foo and example.com/rest/foo/bar should be blocked.
All other paths from the application should remain functional and without basic auth.
The IP blocking part has been resolved in a previous question I asked.
The basic configuration (the blocking part, there is more in the .htaccess but is not relevant to this question.) you can find below.
SetEnvIf Request_URI "/rest(/.*)?$" rest_uri
# Check on what subdomain we are.
SetEnvIf Host ^local\. None_Prod_Env
# Static
SetEnvIf AH_CLIENT_IP ^123\.123\.123\.123$ Allow_Host
# Range
SetEnvIf AH_CLIENT_IP ^123\.123\.123\. Allow_Host
Order deny,allow
Deny from all
Allow from env=!rest_uri
Allow from env=Allow_Host
Allow from env=None_Prod_Env
So the configuration above blocks all access to /rest/* but not to non rest paths, it allows a user coming from IP X (Allow_Host variable) and we allow none production environments in this case local.
I tried to extend this functionality with basic auth like so:
SetEnvIf Request_URI "/rest(/.*)?$" rest_uri
SetEnvIfNoCase Request_URI "/rest(/.*)?$" require_auth=true
# ... Allow Host stuff and none prod stuff ...
Order deny,allow
Deny from all
Allow from env=!rest_uri
Allow from env=Allow_Host
Allow from env=None_Prod_Env
AuthName "Password Protected"
AuthType Basic
AuthBasicProvider file
AuthUserFile /var/www/html/.htpasswd
Require valid-user
However this resulted in a basic auth on all pages and not only for the /rest/* url. I played a lot with it but couldn't figure it out. Changing SetEnvIfNoCase to SetEnvIf also didn't help.
Note: Our server is running apache 2.2.22.
You can solve this complex problem using a combination of few Apache directives i.e. mod_dir, mod_setenv and mod_auth_basic:
SetEnvIf Request_URI ^/rest(/.*)?$ rest_uri
# Check on what subdomain we are.
SetEnvIf Host ^local None_Prod_Env
# Static
SetEnvIf AH_CLIENT_IP ^123\.123\.123\.123$ Allow_Host
# Range
SetEnvIf AH_CLIENT_IP ^192\.168\. Allow_Host
RewriteEngine On
# block if request is /rest/* and IP is not whitelisted and not localhost
RewriteCond %{ENV:rest_uri} =1
RewriteCond %{ENV:None_Prod_Env} !=1
RewriteCond %{ENV:Allow_Host} !=1
RewriteRule ^ - [F]
# ask auth for /rest/* && NOT localhost && whitelist IP
AuthType Basic
AuthName "Password Protected"
AuthUserFile /var/www/html/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from env=!rest_uri
Allow from env=!Allow_Host
Allow from env=None_Prod_Env
Satisfy any
Try and add satisfy any to your code. Give it a try this way.
SetEnvIf Request_URI "/rest(/.*)?$" rest_uri
SetEnvIf Referer "^http://local\.example\.com/" None_Prod_Env
AuthName "Password Protected"
AuthType Basic
AuthBasicProvider file
AuthUserFile /var/www/html/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from env=!rest_uri
Allow from env=Allow_Host
Allow from env=None_Prod_Env
Satisfy any
I have a website made with WordPress and I want to make two different htaccess logins for two template files. Is this possible?
I have this next code for one of the templates but I want to do the same thing for the second template, only with different username and password.
The templates are located in the same directory and the .htaccess, .htpasswd files are in the root of the website.
I tried user username instead of valid-user, made a different directory in public_html for another .htpasswd file with the password and username for the second file. Nothing worked as it should.
The code:
SetEnvIf Request_URI /colaborators/$ require_auth=true
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/my_whole_path/public_html/.htpasswd
Require valid-user
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
I will answer my own question, maybe this will help someone:
In my case, I had the .htaccess and .htpasswd files outside WordPress, in the root directory. What I had to do to make my second page .htaccess protected with different user and password than the first one:
I made a new directory in the root folder, inside it I created another .htaccess file and a new .htpasswd, plus my page (called it index.php).
SetEnvIf Request_URI /test/$ require_auth=true
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/my_whole_path/public_html/new_directory/.htpasswd
Require valid-user
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
In index.php I loaded WordPress with a require_once 'wp-load.php', the header.php and the rest of the page code.
And that's all.
Hope will help.
I use .htaccess to ask for credentials to access members only data. The .htaccess file is stored in one of the directories and protects everything in directories below it. The .htaccess file itself is very simple:
AuthName "Members Area"
AuthType Basic
AuthUserFile /home/xxxxx/public_html/xxx/data/.htpasswd
require valid-user
Problem is, when we moved to a new server (and built the new website within that directory using WordPress), the Authentication Box now comes up twice and requires users to enter the same correct login information both times.
I've read in other strings here about trailing /, but since I don't have a redirect or anything else in my .htaccess, I'm not quite sure what to do.
Anybody have any suggestions on a workaround or rewrite?
This is most likely because you're running an https redirect (or another redirect) inside another .htaccess file. So it is asking for the authentication once in http, and once in https. If you do this:
<If "%{HTTPS} == 'on'">
AuthType Basic
AuthName "Password Area"
AuthUserFile "/yourdirectory/.htpasswd"
<IfVersion >= 2.4>
AuthMerging And
</IfVersion>
Require valid-user
</If>
then it will only ask for the password once the redirect has happened. Otherwise, get rid of the second redirect.
We have a PHP site:
site.com
We want all subpaths from the root to require basic authentication. e.g.
site.com - no authentication required
site.com/subpath requires authentication
We have this directive:
<LocationMatch "^/.+$">
AuthName "members Only"
AuthType Basic
AuthBasicProvider file
AuthUserFile /Applications/MAMP/conf/apache/extra/auth-pass-file
Require valid-user
</LocationMatch>
However it is asking for a password when we go to http://site.com/ or http://site.com.
Can someone suggest a solution so that authorization only is asked for sub paths?
<LocationMatch "^/.*/.+$"> should work. Your LocationMatch is actually selecting everything in the root directory, you need to go one level down.
We added specific directories to check (ones that exist) and created an error redirect when people tried to fish for non-existent pages.
Because authz rules are applied not only to the actually-requested /, but also to what that expands to -- such as /index.html
You need to allow that separately, unfortunately...