.htaccess allow subfiles but not auto index or index.html - .htaccess

I have a sub-directory that I wan't to deny access using htaccess password protection with but allow all other files within this to be directly accessable, eg:
www.mydomain.com/images <- Password Protected
www.mydomain.com/images/index.html <- Password Protected
www.mydomain.com/images/img1.png <- Not Protected
Current .htaccess:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpassword
<Files "index.html">
Require valid-user
</Files>
This currently password protects /images/index.html and allows me to access /images/img1.png
But it does deny access to /images but doesn't bring up the box to allow me to enter my details it just loads with 401 Unauthorized, how do I resolve this?

You can have these directives in /images/.htaccess to get your job done:
SetEnvIfNoCase Request_URI "^/images/(index\.html)?$" PROTECTED
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpassword
Require valid-user
Order allow,deny
allow from all
deny from env=PROTECTED
Satisfy any
Regex ^/images/(index\.php)?$ will set env var PROTECTED for /images/ and /images/index.html.
Make sure to test with only these directives in /images/.htaccess

Related

Apache Configuration: How to deny from env=protected but allow from env=errorhandler?

I've written this .htaccess configuration, which works:
SetEnvIfNoCase Host ^staging\. protected
SetEnvIfNoCase Host ^dev\. protected
AuthType basic
AuthName "Protected"
AuthUserFile "/path/to/.htpasswd"
Order deny,allow
deny from env=protected
Require valid-user
Satisfy any
It checks if hostname starts with "staging." or "dev." and set the environment variable "protected". If it is set, the browser will ask for the password. If not, no access restriction takes affect. This is the expected behaviour.
Unfortunately the CMS I am working with does an own HTTP request from localhost to fetch the error page internally, if a 404-error occures. But the server itself is not authenticated, so this fails.
I was able to set another environment variable like this:
SetEnvIfNoCase Request_URI "404$" errorhandler
But it has no effect, even if I change the last block like this
Order allow,deny
allow from env=errorhandler
deny from env=protected
Require valid-user
Satisfy any
What do I need to change, to ask for password if env=proctected is set, but skip the password, if env=errorhandler is set, too? Thanks.
Try these directives:
SetEnvIfNoCase Host ^(dev|staging)\. protected
SetEnvIfNoCase Request_URI 404 !protected
AuthType basic
AuthName "Protected"
AuthUserFile "/path/to/.htpasswd"
Require valid-user
Satisfy any
Order allow,deny
allow from all
deny from env=protected

Multiple authentications in one website with htaccess

I have a secured website. The complete website is secured so, regardless of the page you ask, you have to enter the user/password.
I did this with this code in the htaccess
AuthUserFile /path/.htpass
AuthType Basic
AuthName "Website"
Require valid-user
Now, i want to add another authentification for a specific url. So i tried this :
SetEnvIf Request_URI ^/myurl require_auth=true
AuthUserFile /path/.htpmyrul
AuthName "Myurl"
AuthType Basic
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
It worked for myurl, but the problem is that this code "cancelled" the first code! So now, my website only ask for authentification when i visit myurl, but if i visit any other url, the website doesn't ask for authentification
Is it possible to have both authentifications work together ?
Thanks
Well you could do this.
In the main root of your htaccess file put this.
SetEnvIf Request_URI "/myurl" require_auth
AuthUserFile /path/to/.htpasswd
AuthName "Webiste"
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
Allow from env=require_auth
Satisfy any
Then create a htaccess file inside myurl folder and put this example inside it.
AuthUserFile /path/to/other/.htpasswd
AuthName "myurl"
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
Satisfy any
This should allow you to use another htpasswd for your sub folder.

magento .htaccess password protect inner pages (not homepage)

I would like to use .htaccess to password protect all inner pages of Magento, except the home page. e.g.
http://www.example.com/abc (password protect)
http://www.example.com (home page, no need to password protect)
I tried to use the setifenv request_uri = "/" => allow, but didn't work. It still password protect all pages including the homepage.
I also tried a few ways inside the Magento admin URL rewrite, but those won't work either.
Any expert can help? thx
E
Assuming you're using apache:
SetEnvIfNoCase Request_URI ^/index.html$ norequire_auth=true
SetEnvIfNoCase Request_URI ^/$ norequire_auth=true
# Auth stuff
AuthUserFile /var/www/htpasswd
AuthName "Password Protected"
AuthType Basic
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=norequire_auth
Add below code to your root htaccess file and don't forget to change your admin url, .htpasswd file page.
<Files "admin">
AuthName "Cron auth"
AuthUserFile E:\wamp\www\magento\.htpasswd
AuthType basic
Require valid-user
</Files>
Create .htpasswd file in your root folder and add below username and password (set default username:admin and password: admin123)
admin:$apr1$8.nTvE4f$UirPOK.PQqqfghwANLY47.
Please let me know if you still facing any issue.

How can I specify the htaccess to match all files except index.html?

I have the following code for authentication where if the url is is not index.html, display the authenticatio form
<files "(?!index.html)">
AuthUserFile C:/wamp/www/eyedream/trunk/www/.htpasswd
AuthName "Please login"
AuthType Basic
Require valid-user
</files>
How can I specify if the file is not index.html,display the authentication box?
You can't use the Auth directives inside a <Files> block, it's got to be inside a <Directory> or in an .htaccess file. You can set an environment variable and use Satisfy Any to bypass the authentication for certain requests though:
SetEnvIfNoCase Request_URI ^/index.html$ norequire_auth=true
SetEnvIfNoCase Request_URI ^/$ norequire_auth=true
# Auth stuff
AuthUserFile C:/wamp/www/eyedream/trunk/www/.htpasswd
AuthName "Please login"
AuthType Basic
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=norequire_auth

.htaccess deny access to all except to one file

How can I deny access to a complete folder and sub-folders, with the exception of one file?
That file is: toon.php and resides in the same folder.
Order Allow,Deny
<FilesMatch "^toon\.php$">
Allow from all
</FilesMatch>
That is probably the most efficient that you can get.
AuthGroupFile /dev/null
AuthName "Private Area"
AuthType Basic
AuthUserFile .htpasswd
require valid-user
<Files "toon.php">
Allow from all
Satisfy Any
</Files>
Works for me. Dont' forget to configure the .htpasswd file.
Deny From All
<FilesMatch "^toon\.php$">
Allow From All
</FilesMatch>
Worked for me...
You may want to use the <Directory> and <Files> directives. You can look at the documentation here:
http://httpd.apache.org/docs/1.3/mod/core.html#directory
http://httpd.apache.org/docs/1.3/mod/core.html#files
In short, you want something like this:
<Directory /folder/without/access >
Order Deny,Allow
Deny from All
</Directory>
<Files "filename">
Order Deny,Allow
Allow from All
</Files>
If, like me, you're looking for a way to have authentication on an entire site/folder except for a single file, you will find that this method is working very well:
#allows a single uri through the .htaccess password protection
SetEnvIf Request_URI "/testing_uri$" test_uri
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/your/.htpasswd
AuthGroupFile /
Require valid-user
#Allow valid-user
Deny from all
Allow from env=test_uri
Satisfy any
Example taken from : this site
Add the following rule to htaccess file in root
RewriteEngine on
RewriteRule !toon\.php$ - [F]
This will deny access to all files and folders except toon.php .
There is a related scenario in WordPress admin where you may want to limit the access to specific IPs, but leave access for some specific files used by plugins:
## /wp-admin/.htaccess ##
Deny from all
allow from 88.222.123.88 #Home
allow from 88.111.211.77 #Office
<Files "admin-ajax.php">
Allow from All
</Files>
WordPress-specific configuration for Private Area using HTTP password:
AuthName "Private Area"
AuthType Basic
AuthUserFile .htpasswd
require valid-user
<Files "admin-ajax.php">
Allow from all
Satisfy Any
</Files>

Resources