htaccess auth and deny together - .htaccess

I want to deny all request to the server except some ip's , but those ip's should show the auth dialog. What I have tried is
order deny,allow
deny from all
allow from xxx.xxx.xx.xxx
allow from xxx.xxx.xx.xxx
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Login Required"
Require valid-user
It works fine , but after user login it showing Internal server error(500). Any idea ?

This usually happens when there's something wrong with the AuthUserFile parameter. You can put any random path in your AuthUserFile and apache will be willing to go along with the 401 require auth part just fine. But when it needs to verify the authorization given to it (in your case, via a BASIC mechanism) it needs to actually check the contents of the file, /path/to/.htpasswd. Make sure that you have the correct path to this file and that it contains actual htpasswd data, generated using the htpasswd command or something equivalent.

This is working fine ;-)
order deny,allow
deny from all
deny from all
allow from xx.xx.xx.xx
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Login Required"
Require valid-user

Related

Password protect whole site but keep one file accessible from localhost

I would like to allow access to authorized users. This works. More, I would like to allow access to cron.php file from localhost.
Also calling cron.php from server using wget --debug - https://example.com/cron.php , I get 401 unauthorized error.
This is what I have in htaccess file:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile path to.htpasswd
Require valid-user
<Files "cron.php">
Order deny,allow
Deny from all
Allow from localhost
Allow from 127.0.0.1
</Files>

Restrict access to root folder htpasswd except api url

I know that the question has been asked here : htaccess exclude multiple url from Basic Auth but in the answer I didn't find the solution my problem so I reask here.
I want to block access to the root of a project in with htpasswd except for api url (it's not an existing folder but an endpoint controlled by index.php).
So far here is what I use for the htaccess :
<Location />
AuthType Basic
AuthName "Auth Required"
AuthUserFile /home/user/.htpasswd
Require valid-user
SetEnvIf Request_URI "(api|oauth)$" allow
Order allow,deny
Allow from env=allow
Satisfy any
</Location>
=> the htpasswd works but it blocks /api/xxx too.
Can somebody help me to correct that ?
You can use it like this:
SetEnvIf Request_URI "/(api|oauth)(/.*)?$" allow
AuthType Basic
AuthName "Auth Required"
AuthUserFile /home/user/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=allow
Also note that the <Location> directive is not allowed in .htaccess.

Multiple authentications in one website with htaccess

I have a secured website. The complete website is secured so, regardless of the page you ask, you have to enter the user/password.
I did this with this code in the htaccess
AuthUserFile /path/.htpass
AuthType Basic
AuthName "Website"
Require valid-user
Now, i want to add another authentification for a specific url. So i tried this :
SetEnvIf Request_URI ^/myurl require_auth=true
AuthUserFile /path/.htpmyrul
AuthName "Myurl"
AuthType Basic
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
It worked for myurl, but the problem is that this code "cancelled" the first code! So now, my website only ask for authentification when i visit myurl, but if i visit any other url, the website doesn't ask for authentification
Is it possible to have both authentifications work together ?
Thanks
Well you could do this.
In the main root of your htaccess file put this.
SetEnvIf Request_URI "/myurl" require_auth
AuthUserFile /path/to/.htpasswd
AuthName "Webiste"
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
Allow from env=require_auth
Satisfy any
Then create a htaccess file inside myurl folder and put this example inside it.
AuthUserFile /path/to/other/.htpasswd
AuthName "myurl"
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
Satisfy any
This should allow you to use another htpasswd for your sub folder.

.htaccess login exclude one file and ip. For a whole server

I've seen numerous topics. with .htaccess excluding files or IP's but I just can't seem to fit it together.
I want to lock down our development server for the outside world. All (sub)domains on this server should be handled with one file.
All visitors (clients) have to login
Except inside our office
Allow 1 file for everybody. Because someone used it as the source of an email signature...
I can get 2 out of 3 to work but not a combination of all 3.
This .htaccess is located in /home/user/domains/.htaccess
Individual websites also have their own .htaccess in their webroot /home/user/domains/example.com/public_html/.htaccess these websites are mostly WordPress or Magento. And so are there .htacess files
Overview of the structure
/home/user/.htaccess #the file I've put the code.
/home/user/domains/wordpress.example.com/public_html/.htaccess
/home/user/domains/magento.example.com/public_html/.htaccess
/home/user/domains/example.com/public_html/.htaccess
/home/user/domains/anotherwp.example.com/public_html/.htaccess
The file I use
AuthName "You shall not pass"
AuthUserFile /home/user/domains/.htpasswd
AuthType Basic
Require valid-user
Order Deny,Allow
#doens't work for some reason
Allow from xxx.xxx.xxx.xxx #Office IP
#This execption is here because some smartass included this in an email signature
<Files "email_logo.jpg">
Allow from all
Satisfy any
</Files>
Who can help me out?
Here is how you can do all 3 requirements using mod_setnenvif:
SetEnvIf Remote_Addr ^192\.168\.0\. ALLOWED
SetEnvIfNoCase Request_URI "email_logo\.jpg" ALLOWED
AuthName "You shall not pass"
AuthUserFile /home/user/domains/.htpasswd
AuthType Basic
Require valid-user
Satisfy any
Order deny,allow
Deny from All
Allow from env=ALLOWED

.htaccess / .htpasswd bypass if at a certain IP address

Is it possible to have an .htaccess/.htpasswd access control setup for a given directory, but if they are from a specific IP address, bypass the login/password authentication?
I know you can do something like this in the .htaccess file:
order deny,allow
deny from all
allow from 000.000.000.000
But if you add something along these lines:
AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/.htpasswd
require valid-user
Then it prompts for the password. Is there any way to do an if/else type setup, or some other solution so that users as a given IP (or set of IPs) don't get prompted for a password, but everyone else does?
For versions 2.2.X you can use the following...
AuthUserFile /var/www/mysite/.htpasswd
AuthName "Please Log In"
AuthType Basic
require valid-user
Order allow,deny
Allow from xxx.xxx.xxx.xxx
satisfy any
Obviously replace the path to your usersfile and the ip address which you would like to bypass the authentication.
Further explanation of the specifics, can be found at: http://httpd.apache.org/docs/2.2/howto/auth.html
If you use apache >=2.4, it would be something like this:
<If "%{REMOTE_ADDR} != '127.0.0.1'">
AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/.htpasswd
require valid-user
</If>
For more info take a look at the docs.
I am running Apache/2.2.16 (Debian), and had a similar problem, I solved it like this:
(This can be run in both an .htaccess file or directly in the virtualhost under <Location/>)
Order deny,allow
Deny from all
AuthType Basic
AuthUserFile /home/somesite/.htpasswd
AuthName "No entry, unless"
Require Valid-user
Allow from x.x.x.x
Allow from x.x.x.x
Satisfy Any
I allowed entry without password from two different ip, and the rest must enter password to enter.
Apache 2.4 compatible:
AuthType Basic
AuthUserFile /www/.htpasswd
AuthName "Protected Area"
<RequireAny>
Require ip 1.2.3.4
Require valid-user
</RequireAny>
See the migration guide Upgrading to 2.4 from 2.2 for more examples.
If you use apache >=2.4, and you want to allow a set of IP, as asked in initial question, you can do it like this :
<If "-R '192.168.0.0/24'">
Require all granted
</If>
<ElseIf "-R '192.168.1.0/24'">
Require all granted
</ElseIf>
<Else>
AuthType Basic
AuthName "restricted area"
AuthUserFile /etc/apache2/.htpasswd
require valid-user
</Else>
In addition to the answer of j5Dev:
# Interne IP-Adressen
SetEnvIf Remote_Addr "^127\.0\.0\.1$" IsIntern
SetEnvIf Remote_Addr "^192\.168" IsIntern
# .. add more IP addresses or ranges here
# Authentication, wenn nicht intern
AuthUserFile /path/to/.htpasswd
AuthName "restricted area"
AuthType Basic
require valid-user
Order allow,deny
Allow from env=IsIntern
satisfy any

Resources