Following situation:
I wish to redirect all IP adresses (but NOT two fixed ones) if accessing the www.mydomain.tld/SubFolder1/ on my apache to www.mydomain.tld
Offen basic authentication for the www.mydomain.tld/SubFolder1/ with differen usernames
any idea how to do that?
I tried to use one htaccess file where i added some redirection rules and the basic auth stuff. But I never got the redirection rules to work correctly. Seamed the auth stuff is overwriting the redirection rules. Could that be?
I use the following code for the Authentication
AuthName "Restricted"
AuthType Basic
AuthUserFile //is/htdocs/www/subfolder1/.htpasswd
AuthGroupFile /dev/null
require valid-user
You can use this code in your DOCUMENT_ROOT/SubFolder1/.htaccess file:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^(192\.168\.0\.10|192\.168\.0\.20)$
RewriteRule ^$ http://www.mydomain.tld/ [L,R]
SetEnvIf Remote_Addr ^(192\.168\.0\.10|192\.168\.0\.20)$ DOAUTH
AuthName "Restricted"
AuthType Basic
AuthUserFile //is/htdocs/www/subfolder1/.htpasswd
AuthGroupFile /dev/null
require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=DOAUTH
SetEnvIf is needed because mod_auth runs before mod_rewrite hence env set by mod_rewrite cannot be used mod_auth.
Related
I am trying to exclude a specific route from http basic authentication.
My .htaccess looks like this:
# Set an environment variable if requesting /dev
SetEnvIfNoCase Request_URI ^/dev/? DONT_NEED_AUTH=true
# Require authentication
AuthUserFile /etc/users
AuthName "This is a protected area"
AuthGroupFile /dev/null
AuthType Basic
# Set the allow/deny order
Order Deny,Allow
# Indicate that any of the following will satisfy the Deny/Allow
Satisfy any
# First off, deny from all
Deny from all
# Allow outright if this environment variable is set
Allow from env=DONT_NEED_AUTH
# or require a valid user
Require valid-user
# Rewrite url (make it pretty)
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^?]*)$ index.php?path=$1 [NC,L,QSA]
If I use that exact same .htaccess http authentication is removed for route "/dev", so this works as expected, however the problem is that I want password protection for route "/dev", but I want to remove password protection for route "/dev/guest".
I have tried changing to the following:
SetEnvIfNoCase Request_URI ^/dev/guest/? DONT_NEED_AUTH=true
and with escaping the slash in the middle:
SetEnvIfNoCase Request_URI ^/dev\/guest/? DONT_NEED_AUTH=true
but none of those two options are working, all routes are password protected again.
also, since the route is rewritten the actual url I want to allow is "dev/index.php?path=guest" but I am not sure if I should care about that since part of that is the query string, and a end-user will never use that route directly.
Any help is highly appreciated.
Finally found a working solution.
Used this:
SetEnvIf Request_URI /dev/guest noauth=1
<RequireAny>
Require env noauth
Require env REDIRECT_noauth
Require valid-user
</RequireAny>
I rewrote a file to a directory in .htaccess:
RewriteRule ^folder1/(\/|)$ index.php?a=folder1 [NC,QSA]
How do I password-protect specifically this "folder1" only? So that when users go to mysite.com/folder1/ they get asked for a username & password to access it.
You can have your .htaccess like this:
SetEnvIfNoCase Request_URI ^/folder1(/.*)?$ SECURED
AuthType Basic
AuthName "Password Protected Folder1"
AuthUserFile /full/path/to/.htpasswd
Require valid-user
Satisfy any
Order Allow,Deny
Allow from all
Deny from env=SECURED
RewriteEngine On
RewriteRule ^folder1/(/|)$ index.php?a=folder1 [NC,QSA,L]
My aim is to require an Authorization whenever the custom environment variable TYPO3_CONTEXT is not equal to 'Production'. Meaning that, i want to force Authorization on non Production contexts.
This is what i've got in my .htaccess:
AuthUserFile /var/www/htpasswd
AuthName "Password Protected"
AuthType Basic
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=(TYPO3_CONTEXT=='Production')
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^dev.\example.\com$
RewriteRule .? - [E=TYPO3_CONTEXT:Development]
RewriteCond %{HTTP_HOST} ^www.\example.\com$
RewriteRule .? - [E=TYPO3_CONTEXT:Production]
What would be the right Syntax in the line:
Allow from env=(TYPO3_CONTEXT=='Production')
Is it possible at all to query the env variable at this early stage, cause the rewrite rule is defined afterwards?
You can not match against env directly in an allow directive, You will first need to match against the predefined env using a SetEnvIfNoCase directive and then the allow directive :
#1)step 1
SetEnvIfNoCase TYPO3_CONTEXT !production allowed=1
#2)step 2
AuthUserFile /var/www/htpasswd
AuthName "Password Protected"
AuthType Basic
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=allowed
https://httpd.apache.org/docs/current/mod/mod_setenvif.html
I need a password protection for a single site. This is a seo friendly url:
The default path is:
http://www.website-url.com/index.php?id_cms=xx&controller=cms
and here is the seo url:
http://www.website-url.com/content/xx-login
I have already the .htaccess and .htpasswd, but how to specify rewriting in .htaccess only for this url? I tried this:
<filesMatch "http://www.website-url.com/content/xx-login">
IndexIgnore .htaccess .htpasswd
AuthUserFile /absolut_path/.htpasswd
AuthName "Login"
AuthType Basic
require valid-user
</filesMatch>
I'm using Prestashop.
FilesMatch doesn't work that way, you could try using SetEnvIf to bypass the Auth unless the URI is something specific (which is what I gather you are trying to do):
IndexIgnore .htaccess .htpasswd
SetEnvIfNoCase Request_URI "^/content/xx-login" SECURED
# enforce auth if SECURED
AuthType Basic
AuthName "Login"
AuthUserFile /absolut_path/.htpasswd
Require valid-user
Order allow,deny
Allow from env=!SECURED
Satisfy any
I need to protect all http://domain.com with AuthType Basic, but leave http://domain.com/foo/bar
(http://domain.com/foo/bar is a rewrite url, not a folder)
I read about location tag but it not work in htaccess file :(.
RewriteCond %{REQUEST_URI} !^(foo/bar)
-- protect howsoever you want --
I found the answer:
SetEnvIfNoCase REQUEST_URI "/foo/bar" ExcludePath
AuthName "SiteName Administration"
AuthUserFile /.htpasswd
AuthType basic
Require valid-user
Order deny,allow
Deny from all
Allow from env=ExcludePath
Satisfy Any