I have an error document (symlink actually) in a protected directory. I want to use my custom error page but the 401 error isn't working due to it being a private directory. How can I solve this?
Here's my .htaccess right now
ErrorDocument 401 /error.php
AuthType Basic
AuthName "restricted"
AuthUserFile /home1/user/public_html/.htpasswd
require valid-user
I fixed this by adding this to my .htaccess
SetEnvIf Request_URI "^/error.php$" allow_all
Order allow,deny
Allow from env=allow_all
Satisfy any
Related
We are doing some major work on our site and we want to restrict access to all files except a maintenance page. We want all users to be directed to that page if the cancel or fail the authorization request.
ErrorDocument 401 /home/user/public_html/maintenance.html
ErrorDocument 403 /home/user/public_html/maintenance.html
<FilesMatch ^>
AuthName "Authorized Only"
AuthType Basic
AuthUserFile .htpasswd
require valid-user
</FilesMatch>
<Files "/home/user/public_html/maintenance.html">
Allow from all
</Files>
This code doesn't seem to work, users are sent to a page saying:
Unauthorized
This server could not verify that you are authorized to access the document requested.
Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't
understand how to supply the credentials required.
Additionally, a 401 Unauthorized error was encountered while trying to use an ErrorDocument
to handle the request.
There are a number of issues with the code you posted:
<Files "/home/user/public_html/maintenance.html">
The <Files> directive matches file basenames only, not the entire filesystem path. eg. just maintenance.html. So, the above will never be successful.
ErrorDocument 401 /home/user/public_html/maintenance.html
The ErrorDocument takes a root-relative URL-path, not an absolute filesystem path. eg. /maintenance.html.
AuthUserFile .htpasswd
However, the argument to the AuthUserFile directives should be an absolute filesystem path, not a relative path as given above. (A relative path is technically valid, but it's relative to the ServerRoot and you probably don't have access to put files directly in the server root! That's the ServerRoot as defined in the Apache config, not the root directory of your server.)
Solution
Instead of using a separate <Files> container to "allow" access, you can use a negative lookahead to exclude that particular file from triggering the password prompt.
For example:
ErrorDocument 401 /maintenance.html
<FilesMatch "^(?!maintenance\.html$).*">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /absolute/filesystem/path/to/.htpasswd
Require valid-user
</FilesMatch>
I know that the question has been asked here : htaccess exclude multiple url from Basic Auth but in the answer I didn't find the solution my problem so I reask here.
I want to block access to the root of a project in with htpasswd except for api url (it's not an existing folder but an endpoint controlled by index.php).
So far here is what I use for the htaccess :
<Location />
AuthType Basic
AuthName "Auth Required"
AuthUserFile /home/user/.htpasswd
Require valid-user
SetEnvIf Request_URI "(api|oauth)$" allow
Order allow,deny
Allow from env=allow
Satisfy any
</Location>
=> the htpasswd works but it blocks /api/xxx too.
Can somebody help me to correct that ?
You can use it like this:
SetEnvIf Request_URI "/(api|oauth)(/.*)?$" allow
AuthType Basic
AuthName "Auth Required"
AuthUserFile /home/user/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=allow
Also note that the <Location> directive is not allowed in .htaccess.
I have a shared hosting server where each subdomain is in its folder in root. The www.domain.com is in the /www folder, the subdomain.domain.com subdomain is in the /subdomain folder, etc.
What I want right now, is to restrict access to subdomain.domain.com with a .htaccess password, but show a customized message for users who don't have a password. And I can't get Apache2 to read the 401 error document. I have found some common troubleshooting saying that the file has to be readable, which in my case it definitely is.
So, the only two places where I can put the auth file in this configuration, since /subdomain is protected, is either under the /www folder, or in the root (like /401.html), which I have no idea if it makes any difference. But in both cases, those are folders obviously readable by Apache2, because I am using them, I am using the other (main) domain for PHP scripts, and I am getting error logs in the root, the file permissions are the same as on the 404 document (which works), and the owner is the same.
And I don't think my hoster is disabling me from using custom 401 error documents (I am already successfully using custom 404 and 500 documents), because only when I try to specify a 401 document, I get an additional row in my error output that says Additionally, a 401 Authorization Required error was encountered while trying to use an ErrorDocument to handle the request.. As if it's trying to do it, but there is something else in the way.
What could it be, and what should I try?
EDIT:
This is the contents of the .htaccess file:
Options +Indexes +FollowSymLinks
RewriteEngine On
RewriteRule ^([^\.]+)$ index.php?data=$1 [QSA,L]
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /subdomain/.htpasswd
AuthGroupFile /dev/null
require valid-user
ErrorDocument 404 /tpl/errors/404.php
ErrorDocument 500 /tpl/errors/500.php
ErrorDocument 401 /auth_alpha.html
And what I'm noticing right now pasting this, is that my 404 messages are an absolute path starting with the http address, not the root of the file system, which means that if I start the 401 error document with a /, it will try to read it from the same domain? Which makes little sense to me, because it should be an Apache2 directive, not a browser directive, right? Anyway, when I tried putting ../auth_alpha.html instead of /auth_alpha.html, then the browser outputs ONLY the string ../auth_alpha.html on the page.
You need to exclude ErrorDocument URLs from authentication:
ErrorDocument 404 /tpl/errors/404.php
ErrorDocument 500 /tpl/errors/500.php
ErrorDocument 401 /auth_alpha.html
Options +Indexes +FollowSymLinks
RewriteEngine On
RewriteRule ^([^.]+)/?$ index.php?data=$1 [QSA,L]
SetEnvIfNoCase Request_URI ^/(auth_alpha\.html$|tpl/errors/) NO_AUTH
# force auth for everything except ErrorDocument URLs
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /subdomain/.htpasswd
AuthGroupFile /dev/null
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=NO_AUTH
I have .htaccess file which is using on multiple domains.
Now I have part of this code which I must run only on my development site.
Is it possible to put if / else statement in .htaccess file?
This is part of code which I must run only on dev. site
AuthType Basic
AuthName "Login required"
AuthUserFile "/var/www/dev.mysite.com/.htpasswd"
ErrorDocument 401 default
<Files "login.php">
require valid-user
</Files>
I have written a .htaccess file and I am able to authenticate a the username and password correctly. But when I click cancel during the htaccess authentication, I get an "Access Error - Unauthorized" or a server error message.
firstly I am not sure what the error code is. I tried the following
ErrorDocument 400 /400.html
I also tried with the error codes 401, 403, 404, 500 but still that error persists.
My htacess file looks like this.. I have used the < files > tag to enforce the authentication for different html files.
AuthType Basic
AuthName "prompt"
AuthUserFile /.htpasswd
Require user mike
Do I need to place the "ErrorDocument" for every html file that I am trying to protect or just one "ErrorDocument" statement at the end would suffice for all the files that I am trying to protect..?
There are two rules you may have forgotten.
The error page itself must not be protected by .htaccess. It must be reachable.
The path to the ErrorDocument files counts from document root.
If you obey the rules, the code works (just tested it). This is what my sucessfull test involved:
Files:
/protected/.htaccess
/protected/.htpasswd
/401.php
.htaccess
ErrorDocument 401 /401.php
AuthType Basic
AuthName "My Protected Area"
AuthUserFile protected/.htpasswd
Require valid-user