Can't password protect specific url in CodeIgniter - .htaccess

I need to protect a specific route/url with password on my codeigniter site.
Base url looks like this:
https://staging.mysite.com/site-name
I want to protect this url with a password using .htaccess
https://staging.mysite.com/site-name/export
Routes looks like this
$route['export']['get'] = 'ExportController/index';
$route['export']['post'] = 'ExportController/export';
I've tried many different answers for similar problems but I just can't get it to work properly,
either password is asked everywhere, or it isnt asked at all.
Here is my .htaccess
RewriteEngine on
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L,QSA]
</IfModule>
SetEnvIfNoCase Request_URI ^/export SECURED
AuthName "Restricted Area"
AuthType Basic
AuthUserFile "/home/something/path/to/.htpasswd"
AuthGroupFile /
Require valid-user
Satisfy any
Order Allow,Deny
Allow from all
Deny from env=SECURED
I think that the problem might be in this part:
SetEnvIfNoCase Request_URI ^/export SECURED
Because I just cant target the url I want, here is some other things I've tried
SetEnvIfNoCase Request_URI ^/site-name/export SECURED
SetEnvIfNoCase Request_URI "^/site-name/export" SECURED
SetEnvIfNoCase Request_URI "^/export" SECURED
SetEnvIfNoCase Request_URI ^(.*)/export SECURED
SetEnvIfNoCase Request_URI .*/export$ SECURED
SetEnvIfNoCase Request_URI .*/export SECURED
Edit:
I've also tried to protect the entire ExportController with like this, password prompt does not appear anywhere.
<Files ExportController>
AuthName "ExportController"
AuthType Basic
AuthUserFile "/home/something/path/to/.htpasswd"
require valid-user
</Files>

I ended up doing this:
<If "%{THE_REQUEST} =~ m#^GET /site-name/export#">
AuthType Basic
AuthName "Password Required"
AuthUserFile /home/path/to/.htpasswd
Require valid-user
</If>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L,QSA]
</IfModule>

Related

Laravel 5.2 - Basic Auth using .htpasswd

I'm having trouble setting up a .htpasswd protected laravel project.
I tried adding the following to my .htaccess but it causes an internal server error (500) after I entered my credentials..
.htaccess content:
AuthUserFile .htpasswd
AuthType Basic
AuthName "Secured area"
Require valid-user
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>
And this is the current routes.php. Just in case it's something I should change in the routes.php:
Route::get('/', 'HomeController#index');
Route::auth();
Route::get('/home', 'HomeController#index');
I couldn't find anything useful on Google which still works under laravel 5.2 so I really hope someone out there has an idea :)
As #Olaf mentioned. changing this:
AuthUserFile .htpasswd
..into this:
AuthUserFile /absolute/server/path/.htpasswd
..did the trick. Thank you verry much!

cloudflare user-agent in htaccess

I got .htaccess blocking all user-agents and only allow one's i need
to allow cloudflare to access how can i allow not using (Mozilla)
this is what i got user-agent
Mozilla/5.0 (compatible; CloudFlare-AlwaysOnline/1.0; +http://www.cloudflare.com/always-online)
RewriteEngine on
AuthType Basic
AuthName "private"
AuthUserFile "/home/example/.htpasswds/public_html/exemple/passwd"
require valid-user
#-only allow-#
SetEnvIf User-Agent .0011 0011
Order deny,allow
Deny from all
Allow from env=0011
#-index only open for 0011-#
Options +Indexes
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{HTTP_USER_AGENT} !0011 [NC]
RewriteRule . - [F]
You can use:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} !CloudFlare-AlwaysOnline [NC]
RewriteRule ^ - [F]
But do not do that, because Cloudflare uses the name of the user's browser user-agents for all normal queries.

Protect subdirectory with .htaccess and .htpasswd

I have a directory memories and there is a subdirectory in it /memories/application/controllers/admin.
I want to protect admin directory using .htaccess and .htpasswd.
This is my .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
AuthUserFile /var/www/memories/application/controllers/admin/.htpasswd
AuthType Basic
AuthName "memories with mom"
Require admin
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
</IfModule>
<IfModule !mod_rewrite.c>
ErrorDocument 404 /index.php
</IfModule>
# Various security things
ServerSignature off
php_value expose_php Off
php_value session.cookie_httponly On
Options -Indexes
ErrorDocument 403 /404.php
But it is protecting the whole parent directory, whereas I only want the subdirectory admin to be protected. My .htpasswd is also in admin folder.
If you only want the subdirectory admin protected by the .htpasswd file then only put the auth specific htaccess code in that subdirectory and not the .htaccess for the whole site.
/var/www/memories/application/controllers/admin/.htaccess should only be
AuthUserFile /var/www/memories/application/controllers/admin/.htpasswd
AuthType Basic
AuthName "memories with mom"
Require admin
and remove the above code from your main .htaccess

CodeIgniter protect admin controller with .htaccess

I need to setup .htaccess rules in order to protect admin controller in CodeIgniter.
In .htaccess already have rules for friendly URLs like this:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
How to add additional rules to protect all under /admin/ folder (controller) with Digest authentication?
I have tried various combinations but none works correct. Here are some rules which I tried just to get clues what I'm looking for:
# set an environtment variable "doauth" if the request starts with "/admin/"
SetEnvIf Request_URI ^/admin/ doauth=1
AuthType Digest
AuthName "Admin Protected Area"
AuthUserFile /hta/.htdigest
# Here is where we allow/deny
Order Allow,Deny
Allow from all
Require valid-user
Deny from env=doauth
Satisfy any
Try this code for controlling access to your admin controller:
SetEnvIfNoCase Request_URI "^/admin/" doauth
AuthType Digest
AuthName "Admin Protected Area"
AuthUserFile /hta/.htdigest
Require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=doauth

Excluding single directory under protected Wordpress site from htpasswd protection

Despite a good deal of searching here I haven't been able to find the solution to this problem.
I have an .htaccess file that is protecting a Wordpress site that I am developing. I would like to protect the entire site except for the directory /images/, but I can't work out how to do this. At the moment my .htaccess file, in the root of the site, looks like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# basic password protection
<IfModule mod_authn_file.c>
AuthUserFile /home/*****/.htpasswd
AuthName "Username and password required"
AuthType Basic
<Limit GET POST>
Require valid-user
</Limit>
</IfModule>
Could someone help me to amend this to allow open access to the /images/ directory?
Thanks,
Nick
You can create a new .htaccess-file in the /images/-directory:
Order Deny,Allow
Allow from all
Satisfy any
This should remove the password protection for this folder.

Resources