SetEnvIf not working on specific URL - .htaccess

I've got a password protected site, and I'm trying to allow a specific URL through so that it works for a Payment callback. The site is built using CakePHP.
The below works great; however, the Allow from env=allow line is just not being taken into account (I've tried with my own IP address too). The setenvif mod is enabled in Apache and the other "Allow from" lines work fine. FYI, it's running on Ubuntu on EC2. I've also searched on the site for similar issues and solutions, but to no avail.
I've checked the $_SERVER global array in PHP for the "allow" environment variable and it exists, so I'm running out of ideas. Any help would be much appreciated!
SetEnvIf Request_URI ^/secure_trading/callback allow=1
SetEnvIf Request_URI ^/secure_trading/callback$ allow=1
SetEnvIf Request_URI "/secure_trading/callback" allow=1
SetEnvIf Request_URI "/app/weboot/secure_trading/callback" allow=1
AuthName "Protected"
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /var/www/domain.co.uk/.htpasswd
Order deny,allow
Satisfy Any
Deny from all
Allow from 127.0.0.1
Allow from env=allow
require valid-user
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^$ app/webroot/ [L]
RewriteRule (.*) app/webroot/$1 [L]
</IfModule>

Related

Cannot exclude route from http basic auth

I am trying to exclude a specific route from http basic authentication.
My .htaccess looks like this:
# Set an environment variable if requesting /dev
SetEnvIfNoCase Request_URI ^/dev/? DONT_NEED_AUTH=true
# Require authentication
AuthUserFile /etc/users
AuthName "This is a protected area"
AuthGroupFile /dev/null
AuthType Basic
# Set the allow/deny order
Order Deny,Allow
# Indicate that any of the following will satisfy the Deny/Allow
Satisfy any
# First off, deny from all
Deny from all
# Allow outright if this environment variable is set
Allow from env=DONT_NEED_AUTH
# or require a valid user
Require valid-user
# Rewrite url (make it pretty)
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^?]*)$ index.php?path=$1 [NC,L,QSA]
If I use that exact same .htaccess http authentication is removed for route "/dev", so this works as expected, however the problem is that I want password protection for route "/dev", but I want to remove password protection for route "/dev/guest".
I have tried changing to the following:
SetEnvIfNoCase Request_URI ^/dev/guest/? DONT_NEED_AUTH=true
and with escaping the slash in the middle:
SetEnvIfNoCase Request_URI ^/dev\/guest/? DONT_NEED_AUTH=true
but none of those two options are working, all routes are password protected again.
Also, since the route is rewritten, the actual URL I want to allow is "dev/index.php?path=guest", but I am not sure if I should care about that, since part of that is the query string and an end-user will never use that route directly.
Any help is highly appreciated.
Finally found a working solution.
Used this:
SetEnvIf Request_URI /dev/guest noauth=1
<RequireAny>
Require env noauth
Require env REDIRECT_noauth
Require valid-user
</RequireAny>
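The same technique in Apache 2.4 syntax, as an added example that is not code from either question or answer above. It serves both threads: the routes /dev/guest (this question) and /secure_trading/callback (the first question) are assumed to be the only exempt paths and everything else stays behind Basic auth. Two things are tightened compared with the posted one-liner: the SetEnvIf patterns are anchored, because an unanchored "/dev/guest" also matches "/dev/guestbook" and "/x/dev/guest", and the comments spell out why the REDIRECT_ variant is needed at all.

```apache
# Added example (Apache 2.4, .htaccess at the document root); not from the
# original posts. Only the two routes below are exempt from Basic auth.
# Anchoring matters: an unanchored "/dev/guest" would also exempt
# "/dev/guestbook" and "/x/dev/guest".
SetEnvIf Request_URI "^/dev/guest(/|$)"               noauth=1
SetEnvIf Request_URI "^/secure_trading/callback(/|$)" noauth=1

AuthType Basic
AuthName "This is a protected area"
AuthUserFile /etc/users

<RequireAny>
    # Variable set on the request exactly as the client sent it.
    Require env noauth
    # After the RewriteRule below fires, Apache performs an internal redirect
    # to index.php and evaluates this file again for the new URI. The SetEnvIf
    # lines no longer match, and variables from the first pass survive only
    # under a REDIRECT_ prefix. A second internal rewrite (for example in a
    # nested .htaccess) prefixes them again: REDIRECT_REDIRECT_noauth.
    Require env REDIRECT_noauth
    # Everyone else must authenticate.
    Require valid-user
</RequireAny>

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^?]*)$ index.php?path=$1 [NC,L,QSA]
```

Verify with curl: a request for /dev/guest with no Authorization header should get the application's response, while /dev/guestbook and /dev/ must answer 401. Because the variables are set by mod_setenvif before the authorization phase and REDIRECT_noauth can only originate from Apache's own internal redirect, a client has no way to set either of them from outside.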

.htaccess disable password protection if certain get parameter is set to certain value

We try to disable our password protection for internal use. Therefore we'd like to be able to add a parameter to the url which does this. We know that everybody who knows this parameter will have access to the directory. Now what we've tried so far:
RewriteEngine On
# Do the regex check against the URI here, if match, set the "require_auth" var
RewriteCond %{QUERY_STRING} !^$
RewriteRule (.*auth=mysecurehash.*) $1 [E=require_auth:false]
#Auth stuff
AuthType Basic
AuthUserFile /.htpasswd
AuthName "Enter Username and Password"
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
This should disable auth for anydir/anfile.any?auth=mysecurehash
but unfortunately it doesn't.
Actually everybody does have access now - without password.
What are we missing?
Replace your rule with the following
RewriteCond %{QUERY_STRING} auth=mysecurehash [NC]
RewriteRule ^ - [E=require_auth:false]
FYI, query strings are not part of the match in the RewriteRule directive; we need to use a RewriteCond to match against URLs with query strings.
Try the following :
RewriteEngine on
RewriteCond %{QUERY_STRING} auth=mysecurehash [NC]
RewriteRule ^ - [E=require_auth:false]
#Auth stuff
AuthType Basic
AuthUserFile /.htpasswd
AuthName "Enter Username and Password"
#Here is where we allow/deny
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=require_auth
With 2.4 you can do it easily with the <If> directive.
For 2.2 you can try to redirect all requests with/without the param to a specific virtual URL and then use
SetEnvIf Request_URI ^/virturl.html require_auth=false
and then
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
something like that
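The Apache 2.4 variant the previous answer alludes to, as an added example rather than code from the thread: authorization tests the query string directly with Require expr, so nothing depends on when mod_rewrite runs or on an environment variable. The parameter name and value (auth=mysecurehash) and the .htpasswd path are the question's own; the (^|&)...(&|$) anchoring is added so that "auth=mysecurehash1" or "xauth=mysecurehash" do not match. For the record, the original rule "Allow from env=!require_auth" grants access when the variable is not set, which is every request without the parameter, so everybody got in.

```apache
# Added example (Apache 2.4); not code from the original question or answers.
# Parameter name/value and the .htpasswd path are the question's; the rest
# is assumed.
AuthType Basic
AuthUserFile /.htpasswd
AuthName "Enter Username and Password"

<RequireAny>
    # Grant without credentials when the query string carries exactly this
    # parameter. (^|&) and (&|$) keep "xauth=mysecurehash" and
    # "auth=mysecurehash1" from matching; "auth=mysecurehash&x=1" still does.
    # The value is a regex literal, so escape any metacharacters in it.
    Require expr "%{QUERY_STRING} =~ /(^|&)auth=mysecurehash(&|$)/"
    # Otherwise fall back to Basic auth.
    Require valid-user
</RequireAny>
```

As the question itself says, anyone who learns the parameter gets in, and URLs are recorded in access logs, proxy logs, browser history and Referer headers sent to third parties, so treat the value as a shared secret with a short life. On Apache 2.2 Require expr does not exist, SetEnvIf has no attribute for the query string, and in .htaccess context mod_rewrite sets its E= variables in the fixup phase after authorization has already run, which is why the env-variable approach is so fragile there.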

Redirect all IP but mine + protect with password

I've a live website and, due to maintenance, I want to redirect all IPs but mine and another one. I also want every PC from the two enabled IPs to have to log in to see the website. How can I have both things working at the same time?
To redirect all IPs I'll add this to .htaccess:
RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_HOST} !^1.2.3.4
RewriteRule .* http://www.anothersite.com [R=302,L]
Source: http://kb.siteground.com/how_to_redirect_all_visitors_except_your_ip_to_another_site/
But how can I also protect everything with a password, in a way that other users' IPs are redirected to anothersite.com? Also, how can I allow multiple IPs? Add them with commas?
You can have a workaround like this
SetEnvIfNoCase REMOTE_ADDR "^(?:x\.x\.x\.x|x\.x\.x\.x)$" GET_AUTH=1
RewriteEngine On
RewriteCond %{ENV:GET_AUTH} !1
RewriteRule ^ - [R=503,L]
AuthType Basic
AuthName "Forbidden"
AuthUserFile /path/to/.htpasswd
Require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=GET_AUTH
This code will redirect any other IP but yours and the other one (with an HTTP 503 error: maintenance-specific and Google-friendly).
Otherwise, you have the authentication process.

Combine basic auth and redirect in .htaccess?

Following situation:
I wish to redirect all IP addresses (but NOT two fixed ones) if accessing www.mydomain.tld/SubFolder1/ on my Apache to www.mydomain.tld
Offer basic authentication for www.mydomain.tld/SubFolder1/ with different usernames
Any idea how to do that?
I tried to use one htaccess file where I added some redirection rules and the basic auth stuff. But I never got the redirection rules to work correctly. Seemed the auth stuff is overwriting the redirection rules. Could that be?
I use the following code for the Authentication
AuthName "Restricted"
AuthType Basic
AuthUserFile //is/htdocs/www/subfolder1/.htpasswd
AuthGroupFile /dev/null
require valid-user
You can use this code in your DOCUMENT_ROOT/SubFolder1/.htaccess file:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^(192\.168\.0\.10|192\.168\.0\.20)$
RewriteRule ^$ http://www.mydomain.tld/ [L,R]
SetEnvIf Remote_Addr ^(192\.168\.0\.10|192\.168\.0\.20)$ DOAUTH
AuthName "Restricted"
AuthType Basic
AuthUserFile //is/htdocs/www/subfolder1/.htpasswd
AuthGroupFile /dev/null
require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=DOAUTH
SetEnvIf is needed because mod_auth runs before mod_rewrite, hence an env var set by mod_rewrite cannot be used by mod_auth.
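An Apache 2.4 version of the idea in the last two answers, added here and not taken from either thread: everyone except two listed addresses gets a 503 maintenance page (the first answer's approach), and only those two addresses are asked for Basic auth. The addresses 192.168.0.10 and 192.168.0.20 are the ones from the answer above; the maintenance page path, the negative lookahead and the Retry-After header are assumptions. The ordering problem both posters ran into is that in .htaccess mod_rewrite runs in the fixup phase, after authorization, so the trick is to let outsiders pass authorization and have the rewrite turn them away afterwards, while the listed addresses are the only ones that ever reach Require valid-user.

```apache
# Added example (Apache 2.4, .htaccess at the document root); not from the
# original posts. Needs mod_setenvif, mod_rewrite, mod_authz_core and, for
# Retry-After, mod_headers.

# Flag every client that is NOT one of the two maintainers' addresses. The
# negative lookahead matches everything else; the inner pattern is anchored
# so that 192.168.0.100 is not mistaken for 192.168.0.10.
SetEnvIf Remote_Addr "^(?!(?:192\.168\.0\.10|192\.168\.0\.20)$)" outsider=1

AuthType Basic
AuthName "Restricted"
AuthUserFile /path/to/.htpasswd
<RequireAny>
    # Outsiders pass authorization untouched; mod_rewrite below deals with them.
    Require env outsider
    # Only the two listed addresses get this far and must authenticate.
    Require valid-user
</RequireAny>

# Outsiders receive 503 plus the maintenance page (crawlers treat 503 as
# temporary and keep the old index).
ErrorDocument 503 /maintenance.html
RewriteEngine On
RewriteCond %{ENV:outsider} ^1$
# Never 503 the maintenance page itself: the ErrorDocument is served through
# an internal redirect that re-enters this file. Same for its assets.
RewriteCond %{REQUEST_URI} !^/maintenance(\.html|/)
RewriteRule ^ - [R=503,L]

<IfModule mod_headers.c>
    # Tell clients and crawlers when to come back (seconds).
    Header always set Retry-After "3600" env=outsider
</IfModule>
```

To redirect outsiders to another host instead, as the second answer does, replace the RewriteRule with `RewriteRule ^ http://www.mydomain.tld/ [R=302,L]`; the authorization block stays the same, because it is what keeps the password prompt away from the people you are about to redirect.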

Deny all, allow only one IP through htaccess

I'm trying to deny all and allow only a single IP. But I would like to have the following htaccess working for that single IP. I'm not finding a way to have both working: the deny all and allow only one, plus the following options:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
#Removes access to the system folder by users.
#Additionally this will allow you to create a System.php controller,
#previously this would not have been possible.
#'system' can be replaced if you have renamed your system folder.
RewriteCond %{REQUEST_URI} ^system.*
RewriteRule ^(.*)$ /index.php?/$1 [L]
#When your application folder isn't in the system folder
#This snippet prevents user access to the application folder
#Submitted by: Fabdrol
#Rename 'application' to your applications folder name.
RewriteCond %{REQUEST_URI} ^application.*
RewriteRule ^(.*)$ /index.php?/$1 [L]
#Checks to see if the user is attempting to access a valid file,
#such as an image or css document, if this isn't true it sends the
#request to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
</IfModule>
<IfModule !mod_rewrite.c>
# If we don't have mod_rewrite installed, all 404's
# can be sent to index.php, and everything works as normal.
# Submitted by: ElliotHaughin
ErrorDocument 404 /index.php
</IfModule>
Is there a way to make this work?
order deny,allow
deny from all
allow from <your ip>
I know this question already has an accepted answer, but the Apache documentation says:
The Allow, Deny, and Order directives, provided by mod_access_compat,
are deprecated and will go away in a future version. You should avoid
using them, and avoid outdated tutorials recommending their use.
So, a more future-proof answer would be:
<RequireAll>
Require ip xx.xx.xx.xx yy.yy.yy.yy
</RequireAll>
Hopefully, I've helped prevent this page from becoming one of those "outdated tutorials". :)
This can be improved by using the directive designed for that task.
ErrorDocument 403 /specific_page.html
Order Allow,Deny
Allow from 111.222.333.444
Where 111.222.333.444 is your static IP address.
When using the "Order Allow,Deny" directive the requests must match either Allow or Deny, if neither is met, the request is denied.
http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order
Slightly modified version of the above, including a custom page to be displayed to those who get denied access:
ErrorDocument 403 /specific_page.html
order deny,allow
deny from all
allow from 111.222.333.444
...and that way those requests not coming from 111.222.333.444 will see specific_page.html
(posting this as comment looked terrible because new lines get lost)
Improving a bit more the previous answers, a maintenance page can be shown to your users while you perform changes to the site:
ErrorDocument 403 /maintenance.html
Order Allow,Deny
Allow from #.#.#.#
Where:
#.#.#.# is your IP: What Is My IP Address?
For maintenance.html there is a nice example here: Simple Maintenance Page
Add the following command in .htaccess file. And place that file in your htdocs folder.
Order Deny,Allow
Deny from all
Allow from <your ip>
Allow from <another ip>
Just in addition to David Brown's answer, if you want to block an IP, you must first allow all and then block the IPs as such:
<RequireAll>
Require all granted
Require not ip 10.0.0.0/255.0.0.0
Require not ip 172.16.0.0/12
Require not ip 192.168
</RequireAll>
First line allows all
Second line blocks from 10.0.0.0 to 10.255.255.255
Third line blocks from 172.16.0.0 to 172.31.255.255
Fourth line blocks from 192.168.0.0 to 192.168.255.255
You may use any of the notations mentioned above to suit your CIDR needs.
I wasn't able to use the 403 method because I wanted the maintenance page and page images in a sub folder on my server, so I used the following approach to redirect to a 'maintenance page' for everyone but a single IP:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !**.**.**.*
RewriteRule !^maintenance/ http://www.website.co.uk/maintenance/ [R=302,L]
Source: Creating a holding page to hide your WordPress blog
order deny,allow
deny from all
allow from set your IP
using htaccess to restrict access by ip
You can use the following in htaccess to allow and deny access to your site :
SetEnvIf remote_addr ^1\.2\.3\.4\.5$ allowedip=1
Order deny,allow
deny from all
allow from env=allowedip
We first set an env variable allowedip if the client IP address matches the pattern; if it matches, the env variable allowedip is assigned the value 1.
In the next step, we use the Allow/Deny directives to allow and deny access to the site. Order deny,allow sets the order in which deny and allow are evaluated. deny from all tells the server to deny everyone; the last line, allow from env=allowedip, allows access for the single IP address we set the env variable for.
Replace 1\.2\.3\.4\.5 with your allowed IP address.
References:
https://httpd.apache.org/docs/2.4/mod/mod_setenvif.html
https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
You can have more than one IP or even some other kind of allow like user, hostname, ... more info here https://www.askapache.com/htaccess/setenvif/
# Dots are escaped so that "." matches only a literal dot, not any character
SetEnvIf remote_addr ^123\.123\.123\.1$ allowedip=1
SetEnvIf remote_addr ^123\.123\.123\.2$ allowedip=1
SetEnvIf remote_addr ^123\.123\.123\.3$ allowedip=1
SetEnvIf remote_addr ^123\.123\.123\.4$ allowedip=1
Order deny,allow
deny from all
allow from env=allowedip
ErrorDocument 403 /maintenance.html
Order Allow,Deny
Allow from #:#:#:#:#:#
For me, this seems to work (Using IPv6 rather than IPv4) I don't know if this is different for some websites but for mine this works.
If you want to use mod_rewrite for access control, you can use conditions like user agent, HTTP referrer, remote addr, etc.
Example
# *.*.*.* is your IP address (a comment cannot follow a directive on the same line)
RewriteCond %{REMOTE_ADDR} !=*.*.*.*
RewriteRule ^$ - [F]
References:
https://httpd.apache.org/docs/2.4/rewrite/access.html