htaccess: Combine IP-Whitelist with htpasswd - .htaccess

my .htaccess looks like this:
SetEnvIF X-FORWARDED-FOR "123.456.12.34" AllowIP
Order deny,allow
Deny from all
Allow from env=AllowIP
I want to combine this "whitelist" with a htpasswd: If a whitelisted IP accesses the server, a password request should be displayed.
Any ideas?
Thanks!

Adding the following lines solved it:
AuthType Basic
AuthName "Login"
AuthUserFile /path/to/.htpasswd
Require valid-user

Related

Restrict access to root folder htpasswd except api url

I know that the question has been asked here : htaccess exclude multiple url from Basic Auth but in the answer I didn't find the solution my problem so I reask here.
I want to block access to the root of a project in with htpasswd except for api url (it's not an existing folder but an endpoint controlled by index.php).
So far here is what I use for the htaccess :
<Location />
AuthType Basic
AuthName "Auth Required"
AuthUserFile /home/user/.htpasswd
Require valid-user
SetEnvIf Request_URI "(api|oauth)$" allow
Order allow,deny
Allow from env=allow
Satisfy any
</Location>
=> the htpasswd works but it blocks /api/xxx too.
Can somebody help me to correct that ?
You can use it like this:
SetEnvIf Request_URI "/(api|oauth)(/.*)?$" allow
AuthType Basic
AuthName "Auth Required"
AuthUserFile /home/user/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=allow
Also note that the <Location> directive is not allowed in .htaccess.

Multiple authentications in one website with htaccess

I have a secured website. The complete website is secured so, regardless of the page you ask, you have to enter the user/password.
I did this with this code in the htaccess
AuthUserFile /path/.htpass
AuthType Basic
AuthName "Website"
Require valid-user
Now, i want to add another authentification for a specific url. So i tried this :
SetEnvIf Request_URI ^/myurl require_auth=true
AuthUserFile /path/.htpmyrul
AuthName "Myurl"
AuthType Basic
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
It worked for myurl, but the problem is that this code "cancelled" the first code! So now, my website only ask for authentification when i visit myurl, but if i visit any other url, the website doesn't ask for authentification
Is it possible to have both authentifications work together ?
Thanks
Well you could do this.
In the main root of your htaccess file put this.
SetEnvIf Request_URI "/myurl" require_auth
AuthUserFile /path/to/.htpasswd
AuthName "Webiste"
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
Allow from env=require_auth
Satisfy any
Then create a htaccess file inside myurl folder and put this example inside it.
AuthUserFile /path/to/other/.htpasswd
AuthName "myurl"
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
Satisfy any
This should allow you to use another htpasswd for your sub folder.

.htaccess Condition only apply authentification to staging domain

I'm using the following code to block users on my staging subdomain.
AuthName "PRIVAT"
AuthType Basic
AuthUserFile /var/www/mydomain.com/.htpasswd
require valid-user
Since I'd like to use the same .htaccess for staging and production I'd like to add an condition if HTTP_HOST = staging.mydomain.com so that only the staging environment is password prodected? Is this possible?
Good News: Yes it is possible :-)
Make use of mod_setenvif directive.
SetEnvIfNoCase Host ^staging\.mydomain\.com$ SECURED
AuthName "PRIVAT"
AuthType Basic
AuthUserFile /var/www/mydomain.com/.htpasswd
require valid-user
Satisfy any
Order Allow,Deny
Allow from all
Deny from env=SECURED

.htpasswd on specific subdomain

I have a language specific subdomain that points to the same dir as the root as my site. I use PHP to detect it and show the language.
I wish to set an htpasswd on this subdomain only. Keep in mind that there is no physical directory specific to this subdomain. Therefore the statement will be in the same htaccess as the root of my site.
I need htaccess to do this :
if request is mysubdomain.domain.com
AuthUserFile /www/.htpasswd
AuthName "Locked"
AuthType Basic
Thanks
This should work:
AuthUserFile /www/.htpasswd
AuthName "Locked"
AuthType Basic
Require valid-user
SetEnvIf Host yourdomain.com secure_content
Order Allow,Deny
Allow from all
Deny from env=secure_content
Satisfy Any
I was on the same route as #Anders Lindahl but apparently there is no "not" in SetEnvIf so I had do change it to allow from all and deny the ones with the env-var set.
His solution works too but you have to SetEnv no-auth-required 1 first and then let the !no-auth-required unset it (that's what the ! does)
This is untested, but might work or give you hints on what to lookup in the Apache documentation:
SetEnvIf Host ^mysubdomain.domain.com !no-auth-required
AuthUserFile /www/.htpasswd
AuthName "Locked"
AuthType Basic
Require valid-user
Allow env no-auth-required
Satisfy Any

Domain specific htpasswd conditions

I am using a wildcard dns system that routes all subdomains through a single web app and sets a userid based on the first part of the URL (X.domain.com where X is the username).
I now want to edit my htaccess file to enable conditional httpauth using htpasswd for specific domains. e.g. if url = password.domain.com the enable httpauth.
I'm sure this is possible but have limited knowledge of htaccess.
You can use SetEnvIf, here's a snippet from this post by Tom Schlick.
#allows a single uri through the .htaccess password protection
SetEnvIf Request_URI "/testing_uri$" test_uri
#allows everything if its on a certain host
SetEnvIf HOST "^testing.yoursite.com" testing_url
SetEnvIf HOST "^yoursite.com" live_url
Order Deny,Allow
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/your/.htpasswd
AuthGroupFile /
Require valid-user
#Allow valid-user
Deny from all
Allow from env=test_uri
Allow from env=testing_url
Allow from env=live_url
Satisfy any

Resources