Develop Reference

Allow only one file free access but others should be password protected

I have a huge emergency here after upgrading main site to drupal 8 all my scripts in subfolders became unusable. I have following structure:
public_html
--subfolder
--subsubfolder
.htaccess -- custom file
certificate.php
index.php
.htaccess -- main Drupal8 htaccess
the custom file looks like this:
AuthType Basic
AuthName "SWARL Certificates generator"
AuthUserFile "/home/user/passwd"
require valid-user
<Files "^certificate\.php">
Allow from all
Satisfy Any
</Files>
Everything was working with drupal6 but not with drupal 8 Security is good, but how to properly setup free access to certificate.php and password protect intex.php?

weird enough the following works:
RewriteEngine On
RewriteRule !certificate.php - [F]
<Files "certificate.php">
Order Allow,Deny
Allow from all
Satisfy Any
</Files>
AuthType Basic
AuthName "SWARL Certificates generator"
AuthUserFile "/home/user/passwd"
require valid-user
I just placed both solutions simultaneously and removed slash before dot

.htaccess Condition only apply authentification to staging domain

I'm using the following code to block users on my staging subdomain.
AuthName "PRIVAT"
AuthType Basic
AuthUserFile /var/www/mydomain.com/.htpasswd
require valid-user
Since I'd like to use the same .htaccess for staging and production I'd like to add an condition if HTTP_HOST = staging.mydomain.com so that only the staging environment is password prodected? Is this possible?

Good News: Yes it is possible :-)
Make use of mod_setenvif directive.
SetEnvIfNoCase Host ^staging\.mydomain\.com$ SECURED
AuthName "PRIVAT"
AuthType Basic
AuthUserFile /var/www/mydomain.com/.htpasswd
require valid-user
Satisfy any
Order Allow,Deny
Allow from all
Deny from env=SECURED

How can I specify the htaccess to match all files except index.html?

I have the following code for authentication where if the url is is not index.html, display the authenticatio form
<files "(?!index.html)">
AuthUserFile C:/wamp/www/eyedream/trunk/www/.htpasswd
AuthName "Please login"
AuthType Basic
Require valid-user
</files>
How can I specify if the file is not index.html,display the authentication box?

You can't use the Auth directives inside a <Files> block, it's got to be inside a <Directory> or in an .htaccess file. You can set an environment variable and use Satisfy Any to bypass the authentication for certain requests though:
SetEnvIfNoCase Request_URI ^/index.html$ norequire_auth=true
SetEnvIfNoCase Request_URI ^/$ norequire_auth=true
# Auth stuff
AuthUserFile C:/wamp/www/eyedream/trunk/www/.htpasswd
AuthName "Please login"
AuthType Basic
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=norequire_auth

.htaccess / .htpasswd bypass if at a certain IP address

Is it possible to have an .htaccess/.htpasswd access control setup for a given directory, but if they are from a specific IP address, bypass the login/password authentication?
I know you can do something like this in the .htaccess file:
order deny,allow
deny from all
allow from 000.000.000.000
But if you add something along these lines:
AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/.htpasswd
require valid-user
Then it prompts for the password. Is there any way to do an if/else type setup, or some other solution so that users as a given IP (or set of IPs) don't get prompted for a password, but everyone else does?

For versions 2.2.X you can use the following...
AuthUserFile /var/www/mysite/.htpasswd
AuthName "Please Log In"
AuthType Basic
require valid-user
Order allow,deny
Allow from xxx.xxx.xxx.xxx
satisfy any
Obviously replace the path to your usersfile and the ip address which you would like to bypass the authentication.
Further explanation of the specifics, can be found at: http://httpd.apache.org/docs/2.2/howto/auth.html

If you use apache >=2.4, it would be something like this:
<If "%{REMOTE_ADDR} != '127.0.0.1'">
AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/.htpasswd
require valid-user
</If>
For more info take a look at the docs.

I am running Apache/2.2.16 (Debian), and had a similar problem, I solved it like this:
(This can be run in both an .htaccess file or directly in the virtualhost under <Location/>)
Order deny,allow
Deny from all
AuthType Basic
AuthUserFile /home/somesite/.htpasswd
AuthName "No entry, unless"
Require Valid-user
Allow from x.x.x.x
Allow from x.x.x.x
Satisfy Any
I allowed entry without password from two different ip, and the rest must enter password to enter.

Apache 2.4 compatible:
AuthType Basic
AuthUserFile /www/.htpasswd
AuthName "Protected Area"
<RequireAny>
Require ip 1.2.3.4
Require valid-user
</RequireAny>
See the migration guide Upgrading to 2.4 from 2.2 for more examples.

If you use apache >=2.4, and you want to allow a set of IP, as asked in initial question, you can do it like this :
<If "-R '192.168.0.0/24'">
Require all granted
</If>
<ElseIf "-R '192.168.1.0/24'">
Require all granted
</ElseIf>
<Else>
AuthType Basic
AuthName "restricted area"
AuthUserFile /etc/apache2/.htpasswd
require valid-user
</Else>

In addition to the answer of j5Dev:
# Interne IP-Adressen
SetEnvIf Remote_Addr "^127\.0\.0\.1$" IsIntern
SetEnvIf Remote_Addr "^192\.168" IsIntern
# .. add more IP addresses or ranges here
# Authentication, wenn nicht intern
AuthUserFile /path/to/.htpasswd
AuthName "restricted area"
AuthType Basic
require valid-user
Order allow,deny
Allow from env=IsIntern
satisfy any

How to remove .htaccess password protection from a subdirectory

I have password protected my entire website using .htaccess but I would like to expose one of the sub directories so that it can be viewed without a password.
How can I disable htaccess password protection for a sub directory? Specifically what is the .htaccess syntax.
Here is my .htaccess file that is placed in the root of my ftp.
AuthName "Site Administratrion"
AuthUserFile /dir/.htpasswd
AuthGroupFile /dev/null
AuthName secure
AuthType Basic
require user username1
order allow,deny
allow from all

You need to create a new .htaccess file in the required directory and include the Satisfy any directive in it like so, for up to Apache 2.3:
# allows any user to see this directory
Satisfy Any
The syntax changed in Apache 2.4, this has the same effect:
Require all granted

Adding to RageZ's answer, I used this in the Server Directives:
<Directory /var/www/protected/>
AuthType Basic
AuthName "Production"
AuthUserFile /path/to/.htpasswd
Require valid-user
</Directory>
<Directory /var/www/protected/unprotected>
Satisfy Any
</Directory>
Awesome. Thanks RageZ!

Simply create a new .htaccess in the desired subdirectory with this directive:
Allow from all
You can restrict to your IP only with :
Allow from x.x.x.x
See : http://httpd.apache.org/docs/current/mod/mod_access_compat.html

Here is a way to allow subdirectory "foo" through the basic authentication from the main .htaccess file on a site:
AuthType Basic
AuthName "Password Required"
AuthUserFile /dir/.htpasswd
Require expr %{REQUEST_URI} =~ m#^/foo/#
Require valid-user
Note: This works in Apache 2.4. I have not confirmed for earlier versions.

You need to add another .htaccess file to the subdirectory that overrides the authentication. .htaccess cascades upwards, i.e. it will look in the current folder, then go up a level and so on.

If you want to prevent any specific directoty from htaccess authentication then you can use following code in your htaccess file at top.
AuthType Basic
AuthName "Enter Pass"
AuthUserFile /home/public_html/.htpasswd /*PATH TO YOUR .htpasswd FILE*/
Require valid-user
SetEnvIf Request_URI "(/DIRECTORY_NAME/)$" allow
Order allow,deny
Allow from env=allow
Also If you want to prevent multiple directories then
add
SetEnvIf Request_URI "(/DIRECTORY_NAME/)$" allow
as many time as many directories, you want to remove from htaccess prevention.