CodeIgniter protect admin controller with .htaccess - .htaccess

I need to setup .htaccess rules in order to protect admin controller in CodeIgniter.
In .htaccess already have rules for friendly URLs like this:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
How to add additional rules to protect all under /admin/ folder (controller) with Digest authentication?
I have tried various combinations but none works correct. Here are some rules which I tried just to get clues what I'm looking for:
# set an environtment variable "doauth" if the request starts with "/admin/"
SetEnvIf Request_URI ^/admin/ doauth=1
AuthType Digest
AuthName "Admin Protected Area"
AuthUserFile /hta/.htdigest
# Here is where we allow/deny
Order Allow,Deny
Allow from all
Require valid-user
Deny from env=doauth
Satisfy any

Try this code for controlling access to your admin controller:
SetEnvIfNoCase Request_URI "^/admin/" doauth
AuthType Digest
AuthName "Admin Protected Area"
AuthUserFile /hta/.htdigest
Require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=doauth

Related

Can't password protect specific url in CodeIgniter

I need to protect a specific route/url with password on my codeigniter site.
Base url looks like this:
https://staging.mysite.com/site-name
I want to protect this url with a password using .htaccess
https://staging.mysite.com/site-name/export
Routes looks like this
$route['export']['get'] = 'ExportController/index';
$route['export']['post'] = 'ExportController/export';
I've tried many different answers for similar problems but I just can't get it to work properly,
either password is asked everywhere, or it isnt asked at all.
Here is my .htaccess
RewriteEngine on
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L,QSA]
</IfModule>
SetEnvIfNoCase Request_URI ^/export SECURED
AuthName "Restricted Area"
AuthType Basic
AuthUserFile "/home/something/path/to/.htpasswd"
AuthGroupFile /
Require valid-user
Satisfy any
Order Allow,Deny
Allow from all
Deny from env=SECURED
I think that the problem might be in this part:
SetEnvIfNoCase Request_URI ^/export SECURED
Because I just cant target the url I want, here is some other things I've tried
SetEnvIfNoCase Request_URI ^/site-name/export SECURED
SetEnvIfNoCase Request_URI "^/site-name/export" SECURED
SetEnvIfNoCase Request_URI "^/export" SECURED
SetEnvIfNoCase Request_URI ^(.*)/export SECURED
SetEnvIfNoCase Request_URI .*/export$ SECURED
SetEnvIfNoCase Request_URI .*/export SECURED
Edit:
I've also tried to protect the entire ExportController with like this, password prompt does not appear anywhere.
<Files ExportController>
AuthName "ExportController"
AuthType Basic
AuthUserFile "/home/something/path/to/.htpasswd"
require valid-user
</Files>
I ended up doing this:
<If "%{THE_REQUEST} =~ m#^GET /site-name/export#">
AuthType Basic
AuthName "Password Required"
AuthUserFile /home/path/to/.htpasswd
Require valid-user
</If>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L,QSA]
</IfModule>

Password Protection with htaccess with Yii Framework

I'm trying to protect my website with a username and password.
This is my .htaccess before adding the Password Protection
RewriteEngine on
# if a directory or a file exists, use it directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# otherwise forward it to index.php
RewriteRule . index.php
I have added the following code at the end of the file
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile .htpasswd
Require valid-user
So my .htaccess is currently
RewriteEngine on
# if a directory or a file exists, use it directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# otherwise forward it to index.php
RewriteRule . index.php
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile .htpasswd
Require valid-user
The password protection is working fine, but the website returns Internal Error 500
Why is the Password Protection cancels the RewriteEngine part? please advise.
I have added the full-path for the ".htpasswd" to solve the issue
AuthUserFile "/home/folder/folder/.htpasswd"

Protect subdirectory with .htaccess and .htpasswd

I have a directory memories and there is a subdirectory in it /memories/application/controllers/admin.
I want to protect admin directory using .htaccess and .htpasswd.
This is my .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
AuthUserFile /var/www/memories/application/controllers/admin/.htpasswd
AuthType Basic
AuthName "memories with mom"
Require admin
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
</IfModule>
<IfModule !mod_rewrite.c>
ErrorDocument 404 /index.php
</IfModule>
# Various security things
ServerSignature off
php_value expose_php Off
php_value session.cookie_httponly On
Options -Indexes
ErrorDocument 403 /404.php
But it is protecting the whole parent directory, whereas I only want the subdirectory admin to be protected. My .htpasswd is also in admin folder.
If you only want the subdirectory admin protected by the .htpasswd file then only put the auth specific htaccess code in that subdirectory and not the .htaccess for the whole site.
/var/www/memories/application/controllers/admin/.htaccess should only be
AuthUserFile /var/www/memories/application/controllers/admin/.htpasswd
AuthType Basic
AuthName "memories with mom"
Require admin
and remove the above code from your main .htaccess

Excluding single directory under protected Wordpress site from htpasswd protection

Despite a good deal of searching here I haven't been able to find the solution to this problem.
I have an .htaccess file that is protecting a Wordpress site that I am developing. I would like to protect the entire site except for the directory /images/, but I can't work out how to do this. At the moment my .htaccess file, in the root of the site, looks like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# basic password protection
<IfModule mod_authn_file.c>
AuthUserFile /home/*****/.htpasswd
AuthName "Username and password required"
AuthType Basic
<Limit GET POST>
Require valid-user
</Limit>
</IfModule>
Could someone help me to amend this to allow open access to the /images/ directory?
Thanks,
Nick
You can create a new .htaccess-file in the /images/-directory:
Order Deny,Allow
Allow from all
Satisfy any
This should remove the password protection for this folder.

.htaccess Require valid-user [except from localhost]

I'm trying to password protect a directory except from requests that come from localhost.
My .htaccess looks like this:
AuthName "Login"
AuthType Basic
AuthUserFile /PATH/.htpasswd
Require valid-user
Allow from 127.0.0.1
Allow from ::1
Satisfy Any
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]
ErrorDocument 404 /index.php
If I remove Allow and Satisfy statements the directory gets correctly protected. When I add the Allow (one or both) and Satisfy Any it generates a 500 error. The log says:
/PATH/.htaccess: allow not allowed here
Any clues?
If you you have access to server conf files, check for: AllowOverride See for what directives are allowed.
AllowOverride All
will allow all directives.
For more visit: AllowOverride Directive Apache Docs

Resources