Let's consider the folder www.mydomain.com/exemple protected with the following .htaccess:
.htaccess
AuthUserFile /root/FTPname/www/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Access"
AuthType Basic
require valid-user
I want to allow the access to the exemple folder only if a user has a specific cookie, or I raise an error (with the following [F] flag). Then I implemented the following code:
.htaccess
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !CookieName=CookieValue
RewriteRule .* - [F,L]
AuthUserFile /root/FTPname/www/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Access"
AuthType Basic
require valid-user
The problem is that when i load the exemple folder without the cookie, it goes through the authentification process first...I would like to do raise the error first. Anyone knows?
Try "Satisfy any" with a new environment variable. Two techniques are shown here:
.htaccess basic auth by virtual host? One uses SetEnvIf, the other uses a RewriteRule to set the variable. Since SetEnvIf cannot detect cookies, you will need RewriteRule. But I found on my shared hosting platform that RewriteRule could not play with "Satisfy any." If it works for you, it will look something like:
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !CookieName=CookieValue
RewriteRule .* - [L,E=DENY:1]
AuthUserFile /root/FTPname/www/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Access"
AuthType Basic
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=!DENY
See also: htaccess exclude one url from Basic Auth
Watch out that the page you are protecting does not include images, stylesheets, etc., that trigger an authentication request when the page itself does not.
Related
I have one page on my root folder called export.php. Now I don't want to give access to this page to all the users.
What I am trying to achieve, If any user tries to access export.php page then one alert will display and it will ask for the username and password. Once login details are correct then the page will be accessible. I tried some code on htaccess.
Now I have two issues,
1) I am getting alert on all the pages. How do I set only for the export.php page?
2) After entering the username and password I am getting a server error.
htaccess
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]
AuthType Basic
AuthName "Access to the Hidden Files"
AuthUserFile 'http://localhost:8080/example/.htpassword'
Require valid-user
Solution.
First I found the path using
<?php echo $_SERVER['DOCUMENT_ROOT']; ?>
Output: /opt/lampp/htdocs/example/
then I added path in htaccess file
SetEnvIfNoCase Request_URI /export SECURED
AuthName "Access to the Hidden Files"
AuthType Basic
AuthUserFile "/opt/lampp/htdocs/example/.htpasswd"
AuthGroupFile /
Require valid-user
Satisfy any
Order Allow,Deny
Allow from all
Deny from env=SECURED
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]
Rewrite all to router.php and then rewrite from php (small mvc for example https://github.com/breakermind/Tronix).
Better solution, check if the user has permissions in php file:
<?php
// User field from users table (add to session when logging)
if($_SESSION['user']['allow_export'] == 9 && isIpAddressAllowedFunc($_SERVER['REMOTE_ADDR'])){
// show content
}else{
// Redirect or log out user
header('Location: index.php');
exit;
}
?>
I have an Apache site where all URLs that points to a file without an extension reads as a .php file. I put those entries in the .htaccess file, and allowed it inside the httpd.conf file.
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule !\. - [H=application/x-httpd-php]
It works great.
Now I add authentification to the website.
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
It only works if I comment out my RewriteEngine code.
One will work without the other, but not together. I've read a bit about the REMOTE_USER variable, but failed at some attempts.
Any recommendations to solve this?
Thanks
I have a page in Wordpress theme_directory/page-rsvp.php that i need password protected by .htaccess. I'm developing this locally using MAMP PRO.
I have an .htaccess and .htpasswd file in the theme_directory. I have the following in the .htaccess file but it's not working. Whenever I go to localhost:8888/site/rsvp the authentication prompt doesn't show up.
<Files “page-rsvp.php”>
AuthName "Username and password required"
AuthUserFile ./.htpasswd
Require valid-user
AuthType Basic
</Files>
There is of course the .htaccess file in the root of the wordpress install that looks like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /thepowerfulnow/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /thepowerfulnow/index.php [L]
</IfModule>
# END WordPress
How do I get this to work using only the first .htaccess file (the one in the theme_directory)? I need to have this theme be modular. I'm very new to .htaccess files. Thank you all!
You've added the authentication to your theme directory, so it'll work only if you access your theme file directly, using a URL like this:
http://localhost:8888/site/wp-content/themes/theme_directory/page-rsvp.php
If you want to restrict the access to your page URL (e.g. /site/rsvp), you need to use a different rule. You can add the following lines to the end of your main .htaccess file, that in the WordPress root dir.
# Set an env variable "auth" if the URI starts with "/site/rsvp"
SetEnvIf Request_URI ^/site/rsvp auth=1
AuthName "User and password required"
AuthType Basic
AuthUserFile "./.htpasswd"
# First, allow anyone
Order Allow,Deny
Satisfy any
Allow from all
Require valid-user
# Then, deny only if auth is required
Deny from env=auth
Remember to keep a copy of .htpasswd file into the same directory or set the path to that file using the AuthUserFile directive.
Alternative solution
My original answer used a <Location> directive to filter the URL to restrict, but it do not work in .htaccess files. Only under server config or a virtual host. Check the Context here: http://httpd.apache.org/docs/2.2/mod/core.html#location
If you want to use the restriction rule as below, and you have access in the server to do so, you need to add it to some of those contexts (server config or virtual host). Apache's config files are usually in the /etc/httpd or /etc/apache2 directories.
<Location "/site/rsvp"> # Where /site/rsvp is the URL you want to restrict
AuthName "Username and password required"
AuthUserFile /path/to/.htpasswd
Require valid-user
AuthType Basic
</Location>
I am trying to allow user to wordpress wp-admin index page if query string contains parameter. I am setting env variable to allow them access. This is how my htaccess file looks like
RewriteEngine on
RewriteCond %{QUERY_STRING} !^author=1
RewriteRule ^ - [E=NO_AUTH:1]
AuthName "Staff Authorization Required"
AuthType Basic
AuthUserFile /usr/bin/.htpasswd
<Files "index.php">
Order Deny,Allow
Deny from all
Require user newagenumber
Allow from env=NO_AUTH
</Files>
Options -Indexes
As of yet, authorization dialog box appears for everyone. Please help :|
This is not working because Apache executed mod_auth module before mod_rewrite hence NO_AUTH is not set when basic authentication directives run.
Unfortunately this behavior is not that simple to change.
Here is a workaround solution that combines mod_rewrite, mod_setenvif and mod_auth:
RewriteEngine On
RewriteBase /wp-admin/
RewriteCond %{QUERY_STRING} (?:^|&)(author=1)(?:&|$) [NC]
RewriteRule ^(index\.php)?$ index.php/%1 [NC]
# set SECURED var to 1 if URI is /index.php/200
SetEnvIfNoCase Request_URI "/index\.php/(author=1)" NO_AUTH
AuthType Basic
AuthName "Login Required"
AuthUserFile /full/path/to/passwords
Require user newagenumber
Order Deny,Allow
Deny from all
Allow from env=NO_AUTH
Satisfy any
How can I deny access to http://sub.mydomain.com/, but allow for (completely) http://sub.mydomain.com/test (or http://sub.mydomain.com/test/)
There is a magento back-end behind http://sub.mydomain.com/test/
.htaccess directives apply to that directory, and all subdirectories thereof, so you should disallow access in your DocumentRoot,
http://sub.mydomain.com/.htaccess:
Order deny,allow
Deny from all
And override that in any specific subdirectories you would like to allow access to,
http://sub.mydomain.com/test/.htaccess:
Order allow,deny
Allow from all
How about a .htaccess at the root directory, with the following lines?
RewriteEngine On
# check if request is for subdomain
RewriteCond %{HTTP_HOST} ^sub.mydomain.com$ [NC]
# check if 'test' isnt part of request
RewriteCond %{REQUEST_URI} !^/test/?(.*)$ [NC]
# if subdomain and no 'test' part, redirect to main domain...
RewriteRule ^(.*)$ http://www.mydomain.com/$1 [R,L]
So if the '/test/' section is present, no redirect takes place...
Try create .htaccess file in sub.mydomain.com for deny, and in sub.mydomain.com/test for allow.
Or you can redirect from http://sub.mydomain.com/ to deny subdir.
I know this is a very old thread, but I've been struceling with exactly this scenario for several days and finally got it to work, thus I thought I'd share my solution for further reference.
As of Apache version 2.4 (I guess), it's possible to use directive <RequireAll> and <RequireAny>.
This can be used to allow access to specific subfolders.
My solution for .htaccess (inspired from this site: https://www.the-art-of-web.com/system/apache-authorization/):
SetEnvIf REQUEST_URI "^/test/.*" PUBLICACCESS
# Use for multiple subfolders:
# SetEnvIf REQUEST_URI "^/(?:test|test2|test3|test4)/.*" PUBLICACCESS
<RequireAny>
<RequireAll>
# Public access
Require env PUBLICACCESS
Require all granted
</RequireAll>
<RequireAll>
# Require user and password
AuthType Basic
AuthName "Secured"
AuthUserFile /var/www/example.com/.htpasswd
Require valid-user
</RequireAll>
</RequireAny>
I'm using a cpanel powered server which will add .htaccess entries like the following:
#----------------------------------------------------------------cp:ppd
# Section managed by cPanel: Password Protected Directories -cp:ppd
# - Do not edit this section of the htaccess file! -cp:ppd
#----------------------------------------------------------------cp:ppd
AuthType Basic
AuthName "Protected"
AuthUserFile "/home/****/.htpasswds/sites/****/passwd"
Require valid-user
#----------------------------------------------------------------cp:ppd
# End section managed by cPanel: Password Protected Directories -cp:ppd
#----------------------------------------------------------------cp:ppd
I wanted to allow access to a specific subfolder, and the solution was creating an .htaccess file within that subfolder and placing the following inside:
Satisfy any
If you have protected your DocumentRoot by Auth, then you can allow your Subfolder by follow:
http://sub.mydomain.com/test/.htaccess:
require all granted
Order allow,deny
Allow from all