I am using AuthType Basic to restrict access to a test environment. There's nothing sensitive there -it's just to keep spiders away.
I'd like to test a Webhook and to do so I need to expose a single page.
The start of my .htaccess follows:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /var/www/some_domain_dot_com/public_html/.htpasswd
AuthGroupFile /dev/null
require valid-user
It is after this that the RewriteRules are in place so I don't think I can redirect for this specific page request.
How to I tell .htaccess not to request authentication for a single page only?
Related
I have the following code in my .htaccess file
AuthUserFile ./.htpasswd
AuthGroupFile /dev/null
AuthName "Dev Area One"
AuthType Basic
<Limit GET>
require valid-user
</Limit>
This causes a 500 internal server error because Apache says it can't find the file /etc/apache2/.htpasswd. That's because the .htpasswd is in the directory /var/www/html/dev1.staging.com/public_html/.htpasswd and my .htaccess is in /var/www/html/dev1.staging.com/public_html/.htaccess.
Can I replace AuthUserFile ./.htpasswd with AuthUserFile SOMEVARIABLE+.htpasswd so that every time other team members do a git pull origin master to their dev servers, the .htaccess will properly reference the .htpasswd which should be in the same directory as the .htaccess?
This is purely for development purposes only. There are some servers (some of which are shared hosting) where we do not have file writing access to, so we don't know immediately what directory our web projects are served out of, so we don't know ahead of time the absolute directory path to the .htpasswd.
You can use shell environment variable in path to AuthUserFile by using PassEnv directive:
PassEnv HOME
AuthUserFile ${HOME}/.htpasswd
AuthGroupFile /dev/null
AuthName "Dev Area One"
AuthType Basic
<Limit GET>
require valid-user
</Limit>
Above snippet will work only if each user stores .htpasswd directly under $HOME directory.
i have this htaccess :
AuthType Basic
AuthName " Vip User Only
AuthBasicProvider file
AuthUserFile c:\inetpub\htpasswd
Require valid-user
<FilesMatch ".(jpg|gif|png|tiff|jpeg|html)$">
Allow from any
Satisfy any
</FilesMatch>
i want to remotely read htpasswd from another server ?
e.g : this htpasswd is in Server A and i want too use htaccess in Server B with Server A's htpasswd !
is this possible ?
See the documentation of AuthUserFile
File-path is the path to the user file.
There's no mention of URI anywhere. To the contrary, it advises (rightly!) to make the file inaccessible from the web
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
Otherwise anybody could download the file, and crack all your passwords.
I have a single site, which I want to protect. It's /phpinfo on the website.
There are several redirects. My apache file looks like this:
RewriteEngine On
... A list of RewriteRules
RewriteRule ^(phpinfo)$ index.php?controller=$1
index.php takes controller as an argument and includes the specific site that is viewed.
I use basic authentication like this on several places already, which works fine:
AuthUserFile /var/www/....../.htpasswd
AuthGroupFile /dev/null
AuthName "Protected content"
AuthType Basic
<Limit GET>
require valid-user
</Limit>
But, the question is how can I limit this basic authentication to /phpinfo on the server, so only this site is protected? Ideally the AuthUserFile points to a relative directory so I can deploy this on the live server without needing to change this path.
A solution using PHP and not htaccess. It's simple yet effective.
if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER'] != Config::AdminUser || $_SERVER['PHP_AUTH_PW'] != Config::AdminPassword)
{
header('WWW-Authenticate: Basic realm="Protected content"');
header('HTTP/1.0 401 Unauthorized');
die('Protected content');
}
I have a secured website. The complete website is secured so, regardless of the page you ask, you have to enter the user/password.
I did this with this code in the htaccess
AuthUserFile /path/.htpass
AuthType Basic
AuthName "Website"
Require valid-user
Now, i want to add another authentification for a specific url. So i tried this :
SetEnvIf Request_URI ^/myurl require_auth=true
AuthUserFile /path/.htpmyrul
AuthName "Myurl"
AuthType Basic
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
It worked for myurl, but the problem is that this code "cancelled" the first code! So now, my website only ask for authentification when i visit myurl, but if i visit any other url, the website doesn't ask for authentification
Is it possible to have both authentifications work together ?
Thanks
Well you could do this.
In the main root of your htaccess file put this.
SetEnvIf Request_URI "/myurl" require_auth
AuthUserFile /path/to/.htpasswd
AuthName "Webiste"
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
Allow from env=require_auth
Satisfy any
Then create a htaccess file inside myurl folder and put this example inside it.
AuthUserFile /path/to/other/.htpasswd
AuthName "myurl"
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
Satisfy any
This should allow you to use another htpasswd for your sub folder.
I want to deny all request to the server except some ip's , but those ip's should show the auth dialog. What I have tried is
order deny,allow
deny from all
allow from xxx.xxx.xx.xxx
allow from xxx.xxx.xx.xxx
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Login Required"
Require valid-user
It works fine , but after user login it showing Internal server error(500). Any idea ?
This usually happens when there's something wrong with the AuthUserFile parameter. You can put any random path in your AuthUserFile and apache will be willing to go along with the 401 require auth part just fine. But when it needs to verify the authorization given to it (in your case, via a BASIC mechanism) it needs to actually check the contents of the file, /path/to/.htpasswd. Make sure that you have the correct path to this file and that it contains actual htpasswd data, generated using the htpasswd command or something equivalent.
This is working fine ;-)
order deny,allow
deny from all
deny from all
allow from xx.xx.xx.xx
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Login Required"
Require valid-user