How to password protect a mod rewritten directory? - .htaccess

I rewrote a file to a directory in .htaccess:
RewriteRule ^folder1/(\/|)$ index.php?a=folder1 [NC,QSA]
How do I password-protect specifically this "folder1" only? So that when users go to mysite.com/folder1/ they get asked for a username & password to access it.

You can have your .htaccess like this:
SetEnvIfNoCase Request_URI ^/folder1(/.*)?$ SECURED
AuthType Basic
AuthName "Password Protected Folder1"
AuthUserFile /full/path/to/.htpasswd
Require valid-user
Satisfy any
Order Allow,Deny
Allow from all
Deny from env=SECURED
RewriteEngine On
RewriteRule ^folder1/(/|)$ index.php?a=folder1 [NC,QSA,L]

Related

.htaccess disable password protection if certain get parameter is set to certain value

We try to disable our password protection for internal use. Therefore we'd like to be able to add a parameter to the url which does this. We know that everybody who knows this parameter will have access to the directory. Now what we've tried so far:
RewriteEngine On
# Do the regex check against the URI here, if match, set the "require_auth" var
RewriteCond %{QUERY_STRING} !^$
RewriteRule (.*auth=mysecurehash.*) $1 [E=require_auth:false]
#Auth stuff
AuthType Basic
AuthUserFile /.htpasswd
AuthName "Enter Username and Password"
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
This should disable auth for anydir/anfile.any?auth=mysecurehash
but unfortunately it doesn't.
Actually everybody does have acces now - without password.
What are we missing?
Replace your rule with the following
RewriteCond %{QUERY_STRING} auth=mysecurehash [NC]
RewriteRule ^ - [E=require_auth:false]
FYI , query strings are not part of match in RewriteRule directive, we need to use a RewriteCond to match againgst urls with querystrings.
Try the following :
RewriteEngine on
RewriteCond %{QUERY_STRING} auth=mysecurehash [NC]
RewriteRule ^ - [E=require_auth:false]
#Auth stuff
AuthType Basic
AuthUserFile /.htpasswd
AuthName "Enter Username and Password"
#Here is where we allow/deny
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=require_auth
With 2.4 you can do it with easy by <If> directive.
For 2.2 you can try to redirect all requests without/without param to specific virtual URL and than use
SetEnvIf Request_URI ^/virturl.html require_auth=false
and then
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
something like that

Combine basic auth and redirect in .htaccess?

Following situation:
I wish to redirect all IP adresses (but NOT two fixed ones) if accessing the www.mydomain.tld/SubFolder1/ on my apache to www.mydomain.tld
Offen basic authentication for the www.mydomain.tld/SubFolder1/ with differen usernames
any idea how to do that?
I tried to use one htaccess file where i added some redirection rules and the basic auth stuff. But I never got the redirection rules to work correctly. Seamed the auth stuff is overwriting the redirection rules. Could that be?
I use the following code for the Authentication
AuthName "Restricted"
AuthType Basic
AuthUserFile //is/htdocs/www/subfolder1/.htpasswd
AuthGroupFile /dev/null
require valid-user
You can use this code in your DOCUMENT_ROOT/SubFolder1/.htaccess file:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^(192\.168\.0\.10|192\.168\.0\.20)$
RewriteRule ^$ http://www.mydomain.tld/ [L,R]
SetEnvIf Remote_Addr ^(192\.168\.0\.10|192\.168\.0\.20)$ DOAUTH
AuthName "Restricted"
AuthType Basic
AuthUserFile //is/htdocs/www/subfolder1/.htpasswd
AuthGroupFile /dev/null
require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=DOAUTH
SetEnvIf is needed because mod_auth runs before mod_rewrite hence env set by mod_rewrite cannot be used mod_auth.

is it possible to change URL of webpage using .htaccess and also want to protect folders using .htaccess?

I want to change Webpage URL http://www.xyz.com/in/index.php?mpid=page1 to http://www.xyz.com/in/page1 using .htaccess.
And also want to protect my folders with username and password.
AuthType Basic
AuthName "Protected Area"
#path to htpaswd
AuthUserFile /path/to/.htpasswd
Require valid-user
RewriteEngine on
RewriteCond %{REQUEST_URI} !^in
RewriteRule /in/(.+) in/index.php?mpid=$1

.htaccess: RewriteCond works for xy.com/?id=12, but not for xy.com/index.php/?id=12

I am trying to password-protect a page with a given id somewhere in the query string. My .htaccess looks like this:
RewriteEngine On
RewriteCond %{QUERY_STRING} id=12
RewriteRule (.*) $1 [E=protected_uri:1]
Order Deny,Allow
AuthName "Protected"
AuthType Basic
AuthUserFile /blabla/.htpasswd
AuthGroupFile /
Require valid-user
Order allow,deny
Allow from all
Deny from env=protected_uri
Satisfy any
This works fine for http://xy.com/?id=12, but it doesn't work for http://xy.com/index.php?id=12. For the second URL no password is needed.
I have no idea why this isn's working, because id=12 in the RewriteCond-Line should match all the URL's with id=12 in it?
Thanks for your help!
Ben

htaccess protect all website but some paths

I need to protect all http://domain.com with AuthType Basic, but leave http://domain.com/foo/bar
(http://domain.com/foo/bar is a rewrite url, not a folder)
I read about location tag but it not work in htaccess file :(.
RewriteCond %{REQUEST_URI} !^(foo/bar)
-- protect howsoever you want --
I found the answer:
SetEnvIfNoCase REQUEST_URI "/foo/bar" ExcludePath
AuthName "SiteName Administration"
AuthUserFile /.htpasswd
AuthType basic
Require valid-user
Order deny,allow
Deny from all
Allow from env=ExcludePath
Satisfy Any

Resources