Password protect whole site but keep one file accessible from localhost - .htaccess

I would like to allow access to authorized users. This works. More, I would like to allow access to cron.php file from localhost.
Also calling cron.php from server using wget --debug - https://example.com/cron.php , I get 401 unauthorized error.
This is what I have in htaccess file:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile path to.htpasswd
Require valid-user
<Files "cron.php">
Order deny,allow
Deny from all
Allow from localhost
Allow from 127.0.0.1
</Files>

Related

.htaccess allow subfiles but not auto index or index.html

I have a sub-directory that I wan't to deny access using htaccess password protection with but allow all other files within this to be directly accessable, eg:
www.mydomain.com/images <- Password Protected
www.mydomain.com/images/index.html <- Password Protected
www.mydomain.com/images/img1.png <- Not Protected
Current .htaccess:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpassword
<Files "index.html">
Require valid-user
</Files>
This currently password protects /images/index.html and allows me to access /images/img1.png
But it does deny access to /images but doesn't bring up the box to allow me to enter my details it just loads with 401 Unauthorized, how do I resolve this?
You can have these directives in /images/.htaccess to get your job done:
SetEnvIfNoCase Request_URI "^/images/(index\.html)?$" PROTECTED
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpassword
Require valid-user
Order allow,deny
allow from all
deny from env=PROTECTED
Satisfy any
Regex ^/images/(index\.php)?$ will set env var PROTECTED for /images/ and /images/index.html.
Make sure to test with only these directives in /images/.htaccess

Restrict access to root folder htpasswd except api url

I know that the question has been asked here : htaccess exclude multiple url from Basic Auth but in the answer I didn't find the solution my problem so I reask here.
I want to block access to the root of a project in with htpasswd except for api url (it's not an existing folder but an endpoint controlled by index.php).
So far here is what I use for the htaccess :
<Location />
AuthType Basic
AuthName "Auth Required"
AuthUserFile /home/user/.htpasswd
Require valid-user
SetEnvIf Request_URI "(api|oauth)$" allow
Order allow,deny
Allow from env=allow
Satisfy any
</Location>
=> the htpasswd works but it blocks /api/xxx too.
Can somebody help me to correct that ?
You can use it like this:
SetEnvIf Request_URI "/(api|oauth)(/.*)?$" allow
AuthType Basic
AuthName "Auth Required"
AuthUserFile /home/user/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=allow
Also note that the <Location> directive is not allowed in .htaccess.

.htaccess login exclude one file and ip. For a whole server

I've seen numerous topics. with .htaccess excluding files or IP's but I just can't seem to fit it together.
I want to lock down our development server for the outside world. All (sub)domains on this server should be handled with one file.
All visitors (clients) have to login
Except inside our office
Allow 1 file for everybody. Because someone used it as the source of an email signature...
I can get 2 out of 3 to work but not a combination of all 3.
This .htaccess is located in /home/user/domains/.htaccess
Individual websites also have their own .htaccess in their webroot /home/user/domains/example.com/public_html/.htaccess these websites are mostly WordPress or Magento. And so are there .htacess files
Overview of the structure
/home/user/.htaccess #the file I've put the code.
/home/user/domains/wordpress.example.com/public_html/.htaccess
/home/user/domains/magento.example.com/public_html/.htaccess
/home/user/domains/example.com/public_html/.htaccess
/home/user/domains/anotherwp.example.com/public_html/.htaccess
The file I use
AuthName "You shall not pass"
AuthUserFile /home/user/domains/.htpasswd
AuthType Basic
Require valid-user
Order Deny,Allow
#doens't work for some reason
Allow from xxx.xxx.xxx.xxx #Office IP
#This execption is here because some smartass included this in an email signature
<Files "email_logo.jpg">
Allow from all
Satisfy any
</Files>
Who can help me out?
Here is how you can do all 3 requirements using mod_setnenvif:
SetEnvIf Remote_Addr ^192\.168\.0\. ALLOWED
SetEnvIfNoCase Request_URI "email_logo\.jpg" ALLOWED
AuthName "You shall not pass"
AuthUserFile /home/user/domains/.htpasswd
AuthType Basic
Require valid-user
Satisfy any
Order deny,allow
Deny from All
Allow from env=ALLOWED

htaccess authentication by user and ip with an exception for a special file

I want to do access-control for some files on an apache2-webserver (2.2.9(Debian)) depending on the the remote-ip and the a supplied username using a htaccess-file.
Rules:
All users from localhost have access to all files and should never be asked to authenticate themselves.
Users from a remote-host have to authenticate themselves via http-basic authentication. They also have access to all files apart from a single file, which should not be visible to them.
My htaccess-file posted below allows remote-users to login und forbids access to adm.php. Unfortunately the localhost user needs to enter a password. What do I need to change in order to let a local user access adm.php without a password dialog popping up?
AuthType Basic
Authname "Test-App"
AuthUserFile /etc/web_passwd
Require valid-user
Order Deny,Allow
Allow from 127.0.0.1
Deny from all
Satisfy Any
<Files adm.php>
Order Deny,Allow
Allow from 127.0.0.1
Deny from all
Satisfy all
</Files>
Enable mod_setenvif and then use the code below in your $DOCUMENT_ROOT/.htaccess:
<Files "adm.php">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Satisfy all
</Files>
<FilesMatch "(?!^adm\.php)^.*$">
AuthType Basic
Authname "Test-App"
AuthUserFile /etc/web_passwd
Require valid-user
Order deny,allow
Deny from all
Allow from 127.0.0.1
Satisfy any
</FilesMatch>

htaccess auth and deny together

I want to deny all request to the server except some ip's , but those ip's should show the auth dialog. What I have tried is
order deny,allow
deny from all
allow from xxx.xxx.xx.xxx
allow from xxx.xxx.xx.xxx
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Login Required"
Require valid-user
It works fine , but after user login it showing Internal server error(500). Any idea ?
This usually happens when there's something wrong with the AuthUserFile parameter. You can put any random path in your AuthUserFile and apache will be willing to go along with the 401 require auth part just fine. But when it needs to verify the authorization given to it (in your case, via a BASIC mechanism) it needs to actually check the contents of the file, /path/to/.htpasswd. Make sure that you have the correct path to this file and that it contains actual htpasswd data, generated using the htpasswd command or something equivalent.
This is working fine ;-)
order deny,allow
deny from all
deny from all
allow from xx.xx.xx.xx
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Login Required"
Require valid-user

Resources