.htaccess AuthBasic if custom environment variable equals expression - .htaccess

My aim is to require an Authorization whenever the custom environment variable TYPO3_CONTEXT is not equal to 'Production'. Meaning that, i want to force Authorization on non Production contexts.
This is what i've got in my .htaccess:
AuthUserFile /var/www/htpasswd
AuthName "Password Protected"
AuthType Basic
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=(TYPO3_CONTEXT=='Production')
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^dev.\example.\com$
RewriteRule .? - [E=TYPO3_CONTEXT:Development]
RewriteCond %{HTTP_HOST} ^www.\example.\com$
RewriteRule .? - [E=TYPO3_CONTEXT:Production]
What would be the right Syntax in the line:
Allow from env=(TYPO3_CONTEXT=='Production')
Is it possible at all to query the env variable at this early stage, cause the rewrite rule is defined afterwards?

You can not match against env directly in an allow directive, You will first need to match against the predefined env using a SetEnvIfNoCase directive and then the allow directive :
#1)step 1
SetEnvIfNoCase TYPO3_CONTEXT !production allowed=1
#2)step 2
AuthUserFile /var/www/htpasswd
AuthName "Password Protected"
AuthType Basic
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=allowed
https://httpd.apache.org/docs/current/mod/mod_setenvif.html

Related

Cannot exclude route from http basic auth

I am trying to exclude a specific route from http basic authentication.
My .htaccess looks like this:
# Set an environment variable if requesting /dev
SetEnvIfNoCase Request_URI ^/dev/? DONT_NEED_AUTH=true
# Require authentication
AuthUserFile /etc/users
AuthName "This is a protected area"
AuthGroupFile /dev/null
AuthType Basic
# Set the allow/deny order
Order Deny,Allow
# Indicate that any of the following will satisfy the Deny/Allow
Satisfy any
# First off, deny from all
Deny from all
# Allow outright if this environment variable is set
Allow from env=DONT_NEED_AUTH
# or require a valid user
Require valid-user
# Rewrite url (make it pretty)
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^?]*)$ index.php?path=$1 [NC,L,QSA]
If I use that exact same .htaccess http authentication is removed for route "/dev", so this works as expected, however the problem is that I want password protection for route "/dev", but I want to remove password protection for route "/dev/guest".
I have tried changing to the following:
SetEnvIfNoCase Request_URI ^/dev/guest/? DONT_NEED_AUTH=true
and with escaping the slash in the middle:
SetEnvIfNoCase Request_URI ^/dev\/guest/? DONT_NEED_AUTH=true
but none of those two options are working, all routes are password protected again.
also, since the route is rewritten the actual url I want to allow is "dev/index.php?path=guest" but I am not sure if I should care about that since part of that is the query string, and a end-user will never use that route directly.
Any help is highly appreciated.
Finally found a working solution.
Used this:
SetEnvIf Request_URI /dev/guest noauth=1
<RequireAny>
Require env noauth
Require env REDIRECT_noauth
Require valid-user
</RequireAny>

How to password protect a mod rewritten directory?

I rewrote a file to a directory in .htaccess:
RewriteRule ^folder1/(\/|)$ index.php?a=folder1 [NC,QSA]
How do I password-protect specifically this "folder1" only? So that when users go to mysite.com/folder1/ they get asked for a username & password to access it.
You can have your .htaccess like this:
SetEnvIfNoCase Request_URI ^/folder1(/.*)?$ SECURED
AuthType Basic
AuthName "Password Protected Folder1"
AuthUserFile /full/path/to/.htpasswd
Require valid-user
Satisfy any
Order Allow,Deny
Allow from all
Deny from env=SECURED
RewriteEngine On
RewriteRule ^folder1/(/|)$ index.php?a=folder1 [NC,QSA,L]

.htaccess disable password protection if certain get parameter is set to certain value

We try to disable our password protection for internal use. Therefore we'd like to be able to add a parameter to the url which does this. We know that everybody who knows this parameter will have access to the directory. Now what we've tried so far:
RewriteEngine On
# Do the regex check against the URI here, if match, set the "require_auth" var
RewriteCond %{QUERY_STRING} !^$
RewriteRule (.*auth=mysecurehash.*) $1 [E=require_auth:false]
#Auth stuff
AuthType Basic
AuthUserFile /.htpasswd
AuthName "Enter Username and Password"
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
This should disable auth for anydir/anfile.any?auth=mysecurehash
but unfortunately it doesn't.
Actually everybody does have acces now - without password.
What are we missing?
Replace your rule with the following
RewriteCond %{QUERY_STRING} auth=mysecurehash [NC]
RewriteRule ^ - [E=require_auth:false]
FYI , query strings are not part of match in RewriteRule directive, we need to use a RewriteCond to match againgst urls with querystrings.
Try the following :
RewriteEngine on
RewriteCond %{QUERY_STRING} auth=mysecurehash [NC]
RewriteRule ^ - [E=require_auth:false]
#Auth stuff
AuthType Basic
AuthUserFile /.htpasswd
AuthName "Enter Username and Password"
#Here is where we allow/deny
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=require_auth
With 2.4 you can do it with easy by <If> directive.
For 2.2 you can try to redirect all requests without/without param to specific virtual URL and than use
SetEnvIf Request_URI ^/virturl.html require_auth=false
and then
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
something like that

Combine basic auth and redirect in .htaccess?

Following situation:
I wish to redirect all IP adresses (but NOT two fixed ones) if accessing the www.mydomain.tld/SubFolder1/ on my apache to www.mydomain.tld
Offen basic authentication for the www.mydomain.tld/SubFolder1/ with differen usernames
any idea how to do that?
I tried to use one htaccess file where i added some redirection rules and the basic auth stuff. But I never got the redirection rules to work correctly. Seamed the auth stuff is overwriting the redirection rules. Could that be?
I use the following code for the Authentication
AuthName "Restricted"
AuthType Basic
AuthUserFile //is/htdocs/www/subfolder1/.htpasswd
AuthGroupFile /dev/null
require valid-user
You can use this code in your DOCUMENT_ROOT/SubFolder1/.htaccess file:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^(192\.168\.0\.10|192\.168\.0\.20)$
RewriteRule ^$ http://www.mydomain.tld/ [L,R]
SetEnvIf Remote_Addr ^(192\.168\.0\.10|192\.168\.0\.20)$ DOAUTH
AuthName "Restricted"
AuthType Basic
AuthUserFile //is/htdocs/www/subfolder1/.htpasswd
AuthGroupFile /dev/null
require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=DOAUTH
SetEnvIf is needed because mod_auth runs before mod_rewrite hence env set by mod_rewrite cannot be used mod_auth.

.htaccess: RewriteCond works for xy.com/?id=12, but not for xy.com/index.php/?id=12

I am trying to password-protect a page with a given id somewhere in the query string. My .htaccess looks like this:
RewriteEngine On
RewriteCond %{QUERY_STRING} id=12
RewriteRule (.*) $1 [E=protected_uri:1]
Order Deny,Allow
AuthName "Protected"
AuthType Basic
AuthUserFile /blabla/.htpasswd
AuthGroupFile /
Require valid-user
Order allow,deny
Allow from all
Deny from env=protected_uri
Satisfy any
This works fine for http://xy.com/?id=12, but it doesn't work for http://xy.com/index.php?id=12. For the second URL no password is needed.
I have no idea why this isn's working, because id=12 in the RewriteCond-Line should match all the URL's with id=12 in it?
Thanks for your help!
Ben

Resources