I currently allow the following 2 specific IP addresses access to my dev server without a password:
AuthType Basic
AuthName "Protected Area"
AuthUserFile /home/server/htdocs/.htpasswd
AuthGroupFile /dev/null
require valid-user
Order allow,deny
Allow from 11.125.19.12
Allow from 11.59.193.12
satisfy any
WorldPay have just sent me these 2 ranges of IP addresses - how do I add those to my allow list? Does it work differently for ranges?
Possible solution 1:
AuthType Basic
AuthName "Protected Area"
AuthUserFile /home/server/htdocs/.htpasswd
AuthGroupFile /dev/null
require valid-user
Order allow,deny
Allow from 11.125.19.12
Allow from 11.59.193.12
Allow from 195.35.90
Allow from 195.35.91
satisfy any
The possible solution you posted will allow the ranges 195.35.90.1 - 195.35.90.255 and 195.35.91.1 - 195.35.91.255 in addition to the 11.x.x.x IPs you allowed.
You can check out here for more details on the syntax of the Allow directive.
Related
Thanks to some wonderful people here at stack overflow I got my authentication working to demand a password at dev.website.com using this script:
SetEnvIfNoCase Host ^.*dev\.website\.com$ require_auth=true
AuthUserFile /var/www/vhosts/website.com/.htpasswd
AuthName "Password Protected"
AuthType Basic
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
I also want it to demand a password on: myname.website.com mynamedev.website.com & devmyname.website.com. Basically on anything but "www.website.com" and "website.com".
What is the simplest way to do that?
I would have thought you could do the following
SetEnv require_auth=true
SetEnvIfNoCase Host ^www\.website\.com$ require_auth=false
SetEnvIfNoCase Host ^website\.com$ require_auth=false
AuthUserFile /var/www/vhosts/website.com/.htpasswd
AuthName "Password Protected"
AuthType Basic
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
The first line setting the default case to be authentication is required, the second two lines being the specific cases where authentication is not required.
Try :
#set env "auth" only for subdomains
SetEnvIfNoCase host ^((?!www\.).+)\.website\.com$ auth=1
#auth
AuthUserFile /var/www/vhosts/website.com/.htpasswd
AuthName "Password Protected"
AuthType Basic
#Here is where we allow/deny
Order Deny,Allow
Satisfy any
Deny from all
Require user valid-user
Allow from env=!auth
I'm using the following code to block users on my staging subdomain.
AuthName "PRIVAT"
AuthType Basic
AuthUserFile /var/www/mydomain.com/.htpasswd
require valid-user
Since I'd like to use the same .htaccess for staging and production I'd like to add an condition if HTTP_HOST = staging.mydomain.com so that only the staging environment is password prodected? Is this possible?
Good News: Yes it is possible :-)
Make use of mod_setenvif directive.
SetEnvIfNoCase Host ^staging\.mydomain\.com$ SECURED
AuthName "PRIVAT"
AuthType Basic
AuthUserFile /var/www/mydomain.com/.htpasswd
require valid-user
Satisfy any
Order Allow,Deny
Allow from all
Deny from env=SECURED
I want to deny all request to the server except some ip's , but those ip's should show the auth dialog. What I have tried is
order deny,allow
deny from all
allow from xxx.xxx.xx.xxx
allow from xxx.xxx.xx.xxx
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Login Required"
Require valid-user
It works fine , but after user login it showing Internal server error(500). Any idea ?
This usually happens when there's something wrong with the AuthUserFile parameter. You can put any random path in your AuthUserFile and apache will be willing to go along with the 401 require auth part just fine. But when it needs to verify the authorization given to it (in your case, via a BASIC mechanism) it needs to actually check the contents of the file, /path/to/.htpasswd. Make sure that you have the correct path to this file and that it contains actual htpasswd data, generated using the htpasswd command or something equivalent.
This is working fine ;-)
order deny,allow
deny from all
deny from all
allow from xx.xx.xx.xx
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Login Required"
Require valid-user
Is it possible to have an .htaccess/.htpasswd access control setup for a given directory, but if they are from a specific IP address, bypass the login/password authentication?
I know you can do something like this in the .htaccess file:
order deny,allow
deny from all
allow from 000.000.000.000
But if you add something along these lines:
AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/.htpasswd
require valid-user
Then it prompts for the password. Is there any way to do an if/else type setup, or some other solution so that users as a given IP (or set of IPs) don't get prompted for a password, but everyone else does?
For versions 2.2.X you can use the following...
AuthUserFile /var/www/mysite/.htpasswd
AuthName "Please Log In"
AuthType Basic
require valid-user
Order allow,deny
Allow from xxx.xxx.xxx.xxx
satisfy any
Obviously replace the path to your usersfile and the ip address which you would like to bypass the authentication.
Further explanation of the specifics, can be found at: http://httpd.apache.org/docs/2.2/howto/auth.html
If you use apache >=2.4, it would be something like this:
<If "%{REMOTE_ADDR} != '127.0.0.1'">
AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/.htpasswd
require valid-user
</If>
For more info take a look at the docs.
I am running Apache/2.2.16 (Debian), and had a similar problem, I solved it like this:
(This can be run in both an .htaccess file or directly in the virtualhost under <Location/>)
Order deny,allow
Deny from all
AuthType Basic
AuthUserFile /home/somesite/.htpasswd
AuthName "No entry, unless"
Require Valid-user
Allow from x.x.x.x
Allow from x.x.x.x
Satisfy Any
I allowed entry without password from two different ip, and the rest must enter password to enter.
Apache 2.4 compatible:
AuthType Basic
AuthUserFile /www/.htpasswd
AuthName "Protected Area"
<RequireAny>
Require ip 1.2.3.4
Require valid-user
</RequireAny>
See the migration guide Upgrading to 2.4 from 2.2 for more examples.
If you use apache >=2.4, and you want to allow a set of IP, as asked in initial question, you can do it like this :
<If "-R '192.168.0.0/24'">
Require all granted
</If>
<ElseIf "-R '192.168.1.0/24'">
Require all granted
</ElseIf>
<Else>
AuthType Basic
AuthName "restricted area"
AuthUserFile /etc/apache2/.htpasswd
require valid-user
</Else>
In addition to the answer of j5Dev:
# Interne IP-Adressen
SetEnvIf Remote_Addr "^127\.0\.0\.1$" IsIntern
SetEnvIf Remote_Addr "^192\.168" IsIntern
# .. add more IP addresses or ranges here
# Authentication, wenn nicht intern
AuthUserFile /path/to/.htpasswd
AuthName "restricted area"
AuthType Basic
require valid-user
Order allow,deny
Allow from env=IsIntern
satisfy any
I have a language specific subdomain that points to the same dir as the root as my site. I use PHP to detect it and show the language.
I wish to set an htpasswd on this subdomain only. Keep in mind that there is no physical directory specific to this subdomain. Therefore the statement will be in the same htaccess as the root of my site.
I need htaccess to do this :
if request is mysubdomain.domain.com
AuthUserFile /www/.htpasswd
AuthName "Locked"
AuthType Basic
Thanks
This should work:
AuthUserFile /www/.htpasswd
AuthName "Locked"
AuthType Basic
Require valid-user
SetEnvIf Host yourdomain.com secure_content
Order Allow,Deny
Allow from all
Deny from env=secure_content
Satisfy Any
I was on the same route as #Anders Lindahl but apparently there is no "not" in SetEnvIf so I had do change it to allow from all and deny the ones with the env-var set.
His solution works too but you have to SetEnv no-auth-required 1 first and then let the !no-auth-required unset it (that's what the ! does)
This is untested, but might work or give you hints on what to lookup in the Apache documentation:
SetEnvIf Host ^mysubdomain.domain.com !no-auth-required
AuthUserFile /www/.htpasswd
AuthName "Locked"
AuthType Basic
Require valid-user
Allow env no-auth-required
Satisfy Any