I have a rule in my app (in /.htaccess) that sets a htpassword for access to the site. We need this on the remote server, because we don't want anyone except us seeing it.
However, on the local server, I don't want to deal with the htpassword mess. Is there any way that I can make the rule valid only if the domain isn't "localhost", or something of a similar variety?
I'm using PHP as a backend language, so if there's a way I can solve it with PHP, that would be great.
Thanks for any help in advance.
Edit - The offending code:
authtype basic
authgroupfile /dev/null
authuserfile /path/to/htpassword
authname "Secure Area"
require user username
http://httpd.apache.org/docs/current/howto/auth.html#satisfy
AuthType Basic
AuthName intranet
AuthUserFile /www/passwd/users
AuthGroupFile /www/passwd/groups
Require group customers
Order allow,deny
Allow from internal.com
Satisfy any
RewriteCond %{HTTP_HOST} your_remote_hostname
Add that condition in (obviously replacing the relevant part with your hostname) before the RewriteRule line.
You can use the require directive:
Require all granted
Access is allowed unconditionally. Require all denied
Access is denied unconditionally. Require env env-var [env-var] ...
Access is allowed only if one of the given environment variables is set. Require method http-method [http-method] ...
Access is allowed only for the given HTTP methods. Require expr expression
Access is allowed if expression evaluates to true.
Some of the allowed syntaxes provided by mod_authz_user,
mod_authz_host, and mod_authz_groupfile are:
Require user userid [userid] ...
Only the named users can access the resource.
Require group group-name [group-name] ...
Only users in the named groups can access the resource.
Require valid-user
All valid users can access the resource.
Require ip 10 172.20 192.168.2
Clients in the specified IP address ranges can access the resource.
authtype basic
authgroupfile /dev/null
authuserfile /path/to/htpassword
authname "Secure Area"
require user username
require ip 10.10.10.10
Related
I have a project which has a folder and contains json files.
-> WAMP/www/MyProject -> JSON_Folder -> one.json, two.json, three.json, four.json, five.json etc.
Now I have a task : Have multiple users – Super User/Main User/Second User/Student.
- Depends on the users permission one could see the json files.
- Super User can see all the json files
- Main User could see Main User files and Second user files and student user files.
- Second user could only see Second user files and Student files.
- Student user could only see Student User files.
I could also create Super_User_Folder, Main_User_Folder,Second_User_Folder, Student_User_Folder under JSON_folder. I am going to create user login in page. When the user login - depends on the user they could see the json files. Don't know.
How could I achieve this? I could create users in MYSQL also for user permissions. But how I could allow not to access MyProject’s JSON folder? Good suggestions would be great.
You can achieve this using htaccess:
<FilesMatch "\.json$">
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /etc/apache/.htpasswd
Require valid-user
require user SuperUser
</FilesMatch>
<FilesMatch "^one\.json$">
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /etc/apache/.htpasswd
Require valid-user
require user StudentUser1
</FilesMatch>
<FilesMatch "^two\.json$">
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /etc/apache/.htpasswd
Require valid-user
require user StudentUser2
</FilesMatch>
Restrict by folders
<Location /student1>
Options Indexes
AuthType basic
AuthName "login info required"
AuthUserFile /etc/apache/.htpasswdstudent1
<RequireAll>
Require all granted
</RequireAll>
</Location>
You can even limit also by group
I use .htaccess to ask for credentials to access members only data. The .htaccess file is stored in one of the directories and protects everything in directories below it. The .htaccess file itself is very simple:
AuthName "Members Area"
AuthType Basic
AuthUserFile /home/xxxxx/public_html/xxx/data/.htpasswd
require valid-user
Problem is, when we moved to a new server (and built the new website within that directory using WordPress), the Authentication Box now comes up twice and requires users to enter the same correct login information both times.
I've read in other strings here about trailing /, but since I don't have a redirect or anything else in my .htaccess, I'm not quite sure what to do.
Anybody have any suggestions on a workaround or rewrite?
This is most likely because you're running an https redirect (or another redirect) inside another .htaccess file. So it is asking for the authentication once in http, and once in https. If you do this:
<If "%{HTTPS} == 'on'">
AuthType Basic
AuthName "Password Area"
AuthUserFile "/yourdirectory/.htpasswd"
<IfVersion >= 2.4>
AuthMerging And
</IfVersion>
Require valid-user
</If>
then it will only ask for the password once the redirect has happened. Otherwise, get rid of the second redirect.
I have a PHP/Apache application deployed to Heroku. I want to enable basic auth on this when running on Heroku. This worked well...
AuthUserFile /app/prototypes/.htpasswd
AuthType Basic
AuthName "Restricted Access"
Require valid-user
However, I want to only enable this if PASSWORD_PROTECTED is set. I set a heroku config var like so:
heroku config:set PASSWORD_PROTECTED=true
and then updated .htaccess to look like:
<IfDefine %{ENV:PASSWORD_PROTECTED}>
AuthUserFile /app/prototypes/.htpasswd
AuthType Basic
AuthName "Restricted Access"
Require valid-user
</IfDefine>
But the Require valid-user never gets run, so I don't seem to be able to access ENV vars from .htacess in Heroku or I am doing this wrong. Any thoughts on how to do this properly?
You're on the right track, but your syntax is a little off.
Rather than <IfDefine>, which lets you test for variables set with Define or via the -D parameter on startup, you should use the <If> directive. This was new in Apache 2.4, so examples are a little thin on the ground, but we can use those examples along with this rather technical expression reference to come up with this:
<If "-T reqenv('PASSWORD_PROTECTED')">
AuthUserFile /app/prototypes/.htpasswd
AuthType Basic
AuthName "Restricted Access"
Require valid-user
</If>
reqenv is a function that looks up an environment variable; -T is an operator that returns true unless its argument is empty, 0, "false", "off", or "no".
We have a PHP site:
site.com
We want all subpaths from the root to require basic authentication. e.g.
site.com - no authentication required
site.com/subpath requires authentication
We have this directive:
<LocationMatch "^/.+$">
AuthName "members Only"
AuthType Basic
AuthBasicProvider file
AuthUserFile /Applications/MAMP/conf/apache/extra/auth-pass-file
Require valid-user
</LocationMatch>
However it is asking for a password when we go to http://site.com/ or http://site.com.
Can someone suggest a solution so that authorization only is asked for sub paths?
<LocationMatch "^/.*/.+$"> should work. Your LocationMatch is actually selecting everything in the root directory, you need to go one level down.
We added specific directories to check (ones that exist) and created an error redirect when people tried to fish for non-existent pages.
Because authz rules are applied not only to the actually-requested /, but also to what that expands to -- such as /index.html
You need to allow that separately, unfortunately...
So rather than excluding one file from the entire authentication like I tried to here. I've just decided to add specific files to the authentication like this:
<Files ...>
</Files>
The thing is when it's like this:
<Files Available.php>
AuthType Basic
AuthName "Login"
AuthUserFile /disks/*/*/Folder/.htpasswd
Require valid-user
</Files>
It works in that it requires an authentication for the php. However when I put multiple files like this:
<Files Available.php,Insert.php,upload_file.php>
AuthType Basic
AuthName "Login"
AuthUserFile /disks/*/*/Folder/.htpasswd
Require valid-user
</Files>
It fails to require authentication for any of the files. Any ideas what I'm writing wrong syntactically? Also how do I require authentication for all sub-directories?
You can't put multiple file names in a directive. see for directive examples.
http://www.askapache.com/htaccess/using-filesmatch-and-files-in-htaccess.html
If you can't match the files with a wildcard, your best bet is to place them all in a subdirectory and use your authenication against that.
Your other option is to use php authenication with sessions (cookie or url based) and have the php files that require authentication check for a valid session before running.
I've written a fair number php based sites with authenicated admin and I always use a subdirectory and then ssl to make it more secure.