Cannot exclude route from http basic auth - .htaccess

I am trying to exclude a specific route from http basic authentication.
My .htaccess looks like this:
# Set an environment variable if requesting /dev
SetEnvIfNoCase Request_URI ^/dev/? DONT_NEED_AUTH=true
# Require authentication
AuthUserFile /etc/users
AuthName "This is a protected area"
AuthGroupFile /dev/null
AuthType Basic
# Set the allow/deny order
Order Deny,Allow
# Indicate that any of the following will satisfy the Deny/Allow
Satisfy any
# First off, deny from all
Deny from all
# Allow outright if this environment variable is set
Allow from env=DONT_NEED_AUTH
# or require a valid user
Require valid-user
# Rewrite url (make it pretty)
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^?]*)$ index.php?path=$1 [NC,L,QSA]
If I use that exact same .htaccess http authentication is removed for route "/dev", so this works as expected, however the problem is that I want password protection for route "/dev", but I want to remove password protection for route "/dev/guest".
I have tried changing to the following:
SetEnvIfNoCase Request_URI ^/dev/guest/? DONT_NEED_AUTH=true
and with escaping the slash in the middle:
SetEnvIfNoCase Request_URI ^/dev\/guest/? DONT_NEED_AUTH=true
but none of those two options are working, all routes are password protected again.
also, since the route is rewritten the actual url I want to allow is "dev/index.php?path=guest" but I am not sure if I should care about that since part of that is the query string, and a end-user will never use that route directly.
Any help is highly appreciated.

Finally found a working solution.
Used this:
SetEnvIf Request_URI /dev/guest noauth=1
<RequireAny>
Require env noauth
Require env REDIRECT_noauth
Require valid-user
</RequireAny>

Related

.htaccess disable password protection if certain get parameter is set to certain value

We try to disable our password protection for internal use. Therefore we'd like to be able to add a parameter to the url which does this. We know that everybody who knows this parameter will have access to the directory. Now what we've tried so far:
RewriteEngine On
# Do the regex check against the URI here, if match, set the "require_auth" var
RewriteCond %{QUERY_STRING} !^$
RewriteRule (.*auth=mysecurehash.*) $1 [E=require_auth:false]
#Auth stuff
AuthType Basic
AuthUserFile /.htpasswd
AuthName "Enter Username and Password"
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
This should disable auth for anydir/anfile.any?auth=mysecurehash
but unfortunately it doesn't.
Actually everybody does have acces now - without password.
What are we missing?
Replace your rule with the following
RewriteCond %{QUERY_STRING} auth=mysecurehash [NC]
RewriteRule ^ - [E=require_auth:false]
FYI , query strings are not part of match in RewriteRule directive, we need to use a RewriteCond to match againgst urls with querystrings.
Try the following :
RewriteEngine on
RewriteCond %{QUERY_STRING} auth=mysecurehash [NC]
RewriteRule ^ - [E=require_auth:false]
#Auth stuff
AuthType Basic
AuthUserFile /.htpasswd
AuthName "Enter Username and Password"
#Here is where we allow/deny
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=require_auth
With 2.4 you can do it with easy by <If> directive.
For 2.2 you can try to redirect all requests without/without param to specific virtual URL and than use
SetEnvIf Request_URI ^/virturl.html require_auth=false
and then
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
something like that

Redirect all IP but mine + protect with password

I've a live website and due to maintenance I want to redirect all IP but mine and another one. I want also that every PC from the two enabled IP has to login to see the website. How can I have both things working at the same time?
To redirect all IP I'll add this to.htacces:
RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_HOST} !^1.2.3.4
RewriteRule .* http://www.anothersite.com [R=302,L]
Source: http://kb.siteground.com/how_to_redirect_all_visitors_except_your_ip_to_another_site/
But how can I protect everything also with password, in a way that users IP are redirected to anothersite.com? Also, how can I allow multiple IP? Add them with commas?
You can have a workaround like this
SetEnvIfNoCase REMOTE_ADDR "^(?:x\.x\.x\.x|x\.x\.x\.x)$" GET_AUTH=1
RewriteEngine On
RewriteCond %{ENV:GET_AUTH} !1
RewriteRule ^ - [R=503,L]
AuthType Basic
AuthName "Forbidden"
AuthUserFile /path/to/.htpasswd
Require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=GET_AUTH
This code will redirect any other IP but yours and the other one (with a HTTP 503 error: maintenance specific and google friendly).
Otherwise, you have the authentication process.

Combine basic auth and redirect in .htaccess?

Following situation:
I wish to redirect all IP adresses (but NOT two fixed ones) if accessing the www.mydomain.tld/SubFolder1/ on my apache to www.mydomain.tld
Offen basic authentication for the www.mydomain.tld/SubFolder1/ with differen usernames
any idea how to do that?
I tried to use one htaccess file where i added some redirection rules and the basic auth stuff. But I never got the redirection rules to work correctly. Seamed the auth stuff is overwriting the redirection rules. Could that be?
I use the following code for the Authentication
AuthName "Restricted"
AuthType Basic
AuthUserFile //is/htdocs/www/subfolder1/.htpasswd
AuthGroupFile /dev/null
require valid-user
You can use this code in your DOCUMENT_ROOT/SubFolder1/.htaccess file:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^(192\.168\.0\.10|192\.168\.0\.20)$
RewriteRule ^$ http://www.mydomain.tld/ [L,R]
SetEnvIf Remote_Addr ^(192\.168\.0\.10|192\.168\.0\.20)$ DOAUTH
AuthName "Restricted"
AuthType Basic
AuthUserFile //is/htdocs/www/subfolder1/.htpasswd
AuthGroupFile /dev/null
require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=DOAUTH
SetEnvIf is needed because mod_auth runs before mod_rewrite hence env set by mod_rewrite cannot be used mod_auth.

SetEnvIf not working on specific URL

I've got a password protected site, and I'm trying to allow a specific URL through so that it works for a Payment callback. The site is built using CakePHP.
The below works great however the Allow from env=allow is just not being taken into account (I've tried with my own IP address too). The setenvif mod is enabled in Apache and the other "Allow from" lines work fine. FYI it's running on Ubuntu on EC2. I've also searched on the site for similar issues and solutions but to no avail.
I've checked the $_SERVER global array in PHP for the "allow" environment variable and it exists so running out of ideas. Any help would be much appreciated!
SetEnvIf Request_URI ^/secure_trading/callback allow=1
SetEnvIf Request_URI ^/secure_trading/callback$ allow=1
SetEnvIf Request_URI "/secure_trading/callback" allow=1
SetEnvIf Request_URI "/app/weboot/secure_trading/callback" allow=1
AuthName "Protected"
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /var/www/domain.co.uk/.htpasswd
Order deny,allow
Satisfy Any
Deny from all
Allow from 127.0.0.1
Allow from env=allow
require valid-user
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^$ app/webroot/ [L]
RewriteRule (.*) app/webroot/$1 [L]
</IfModule>

HTTP Digest authentication fails with Ajax requests

Apologies if this should be on ServerFault, please move/vote to move if necessary.
I have come across a problem with a .htpasswd file whereby
Accessing a page normally requests a username and password as expected
I can then browse the site as expected and navigate through pages without authentication being requested on each page load.
Accessing a page on the same server, same base URL, using the same protocol but using AJAX re-requests authentication.
If I then authenticate, the AJAX request is successful, but the authentication on the main browser window is no longer valid and therefore the next refresh requests authentication.
This only happens on one vhost of many on the server, all of which use the same .htpasswd file. The Request for authentication is in the global Apache config file, and not specific to a vhost.
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
AuthUserFile /var/www/private/.htpasswd
AuthGroupFile /dev/null
AuthName "My Private Directory"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
</Directory>
The .htaccess file in the only vhost in which it does not work is as follows. Nothing special which should affect it.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !.*\.(gif|png|jpe?g|ico|swf)$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/=$1 [L,QSA]
</IfModule>
My question therefore is why do AJAX requests require a user to authenticate again?

Resources