I'm trying to password protect a directory except from requests that come from localhost.
My .htaccess looks like this:
AuthName "Login"
AuthType Basic
AuthUserFile /PATH/.htpasswd
Require valid-user
Allow from 127.0.0.1
Allow from ::1
Satisfy Any
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]
ErrorDocument 404 /index.php
If I remove Allow and Satisfy statements the directory gets correctly protected. When I add the Allow (one or both) and Satisfy Any it generates a 500 error. The log says:
/PATH/.htaccess: allow not allowed here
Any clues?
If you you have access to server conf files, check for: AllowOverride See for what directives are allowed.
AllowOverride All
will allow all directives.
For more visit: AllowOverride Directive Apache Docs
Related
I'd like my users to go to
red.example.com
and what they actually see is a page served up from
blue.example.com/red
Is this possible using .htaccess? Essentially it's a redirect, but I don't want to have the URL change in the address bar.
Edit
Adding virtual host info.
RewriteEngine On
RewriteRule /<none> / [L,R]
<IfDefine USE_PHP_FPM>
<Proxy "unix:/opt/bitnami/php/var/run/wordpress.sock|fcgi://wordpress-fpm" timeout=300>
</Proxy>
</IfDefine>
<Directory "/opt/bitnami/apps/wordpress/htdocs">
AuthType Basic
AuthName Coincurve
AuthUserFile "/opt/bitnami/apache2/wordpress_users"
Require valid-user
Options +MultiViews +FollowSymLinks
AllowOverride None
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3>
# Require all granted
</IfVersion>
<IfDefine USE_PHP_FPM>
<FilesMatch \.php$>
SetHandler "proxy:fcgi://wordpress-fpm"
</FilesMatch>
</IfDefine>
RewriteEngine On
#RewriteBase /wordpress/
RewriteRule ^index\.php$ - [S=1]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
Include "/opt/bitnami/apps/wordpress/conf/banner.conf"
</Directory>
Include "/opt/bitnami/apps/wordpress/conf/htaccess.conf"
I've only got one actual server at mydomain.com. the red and blue subdomains are just both pointing to that mydomain.com's IP address.
If the subdomains are all pointing to the same place (the root of the main domain) then you probably don't need to "redirect" to a different hostname (that would involve the use of mod_proxy and configuring a reverse proxy). In other words blue.example.com/red points to the same as red.example.com/red - so it becomes a relatively simple internal rewrite.
(Although your vhost config is incomplete, I assume you have some ServerAlias directives in there somewhere?)
For example:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^red\.example\.com [NC]
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^ /red%{REQUEST_URI} [L]
The check against the REDIRECT_STATUS environment variable is to ensure we only rewrite the initial request from the client, ie. not rewritten requests, thus avoiding a rewrite loop. REDIRECT_STATUS is empty initially and set to "200" after the first successful rewrite. Otherwise, this unconditionally rewrites everything, so it's possible to have a /red subdirectory inside the root /red directory if you wished.
I am trying to restrict access to my Laravel 5.3 app with Apache.
My app is available internally but receives post backs from various external sources. There is a port forward set up with NAT disabled so I can tell internal from external requests.
All URL's should show a 403 except if example.com/api/external/... is the URL. I have the following htaccess (default for Laravel 5.3)
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
my vhost config
<Directory /var/www/mailer/public/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<Location />
Order deny,allow
deny from all
allow from 10.64.1.0/24
allow from 10.64.20.0/24
</Location>
<Location /api/external/smsPost>
Allow from all
</Location>
Whenever I access any URL from an external address I still get the 403 even on the allowed location.
You don't have permission to access /index.php on this server.
I think because it has /index.php even on example.com/api/external/smsPost that it is an issue with htaccess and the location directive not working for this purpose. Is there any way I can achieve what I need with this directive?
Many thanks.
Why don't you use a laravel middleware and bind it to your restricted routes?
public function handle($request, Closure $next)
{
if(Route::getCurrentRoute()->getPath() == "api/external/")
return response('You don't have permission to access /index.php on this server.', 403);
// return the $next closure, so other Middlewares can run
return $next($request);
}
I have a directory memories and there is a subdirectory in it /memories/application/controllers/admin.
I want to protect admin directory using .htaccess and .htpasswd.
This is my .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
AuthUserFile /var/www/memories/application/controllers/admin/.htpasswd
AuthType Basic
AuthName "memories with mom"
Require admin
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
</IfModule>
<IfModule !mod_rewrite.c>
ErrorDocument 404 /index.php
</IfModule>
# Various security things
ServerSignature off
php_value expose_php Off
php_value session.cookie_httponly On
Options -Indexes
ErrorDocument 403 /404.php
But it is protecting the whole parent directory, whereas I only want the subdirectory admin to be protected. My .htpasswd is also in admin folder.
If you only want the subdirectory admin protected by the .htpasswd file then only put the auth specific htaccess code in that subdirectory and not the .htaccess for the whole site.
/var/www/memories/application/controllers/admin/.htaccess should only be
AuthUserFile /var/www/memories/application/controllers/admin/.htpasswd
AuthType Basic
AuthName "memories with mom"
Require admin
and remove the above code from your main .htaccess
I need to setup .htaccess rules in order to protect admin controller in CodeIgniter.
In .htaccess already have rules for friendly URLs like this:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
How to add additional rules to protect all under /admin/ folder (controller) with Digest authentication?
I have tried various combinations but none works correct. Here are some rules which I tried just to get clues what I'm looking for:
# set an environtment variable "doauth" if the request starts with "/admin/"
SetEnvIf Request_URI ^/admin/ doauth=1
AuthType Digest
AuthName "Admin Protected Area"
AuthUserFile /hta/.htdigest
# Here is where we allow/deny
Order Allow,Deny
Allow from all
Require valid-user
Deny from env=doauth
Satisfy any
Try this code for controlling access to your admin controller:
SetEnvIfNoCase Request_URI "^/admin/" doauth
AuthType Digest
AuthName "Admin Protected Area"
AuthUserFile /hta/.htdigest
Require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=doauth
Despite a good deal of searching here I haven't been able to find the solution to this problem.
I have an .htaccess file that is protecting a Wordpress site that I am developing. I would like to protect the entire site except for the directory /images/, but I can't work out how to do this. At the moment my .htaccess file, in the root of the site, looks like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# basic password protection
<IfModule mod_authn_file.c>
AuthUserFile /home/*****/.htpasswd
AuthName "Username and password required"
AuthType Basic
<Limit GET POST>
Require valid-user
</Limit>
</IfModule>
Could someone help me to amend this to allow open access to the /images/ directory?
Thanks,
Nick
You can create a new .htaccess-file in the /images/-directory:
Order Deny,Allow
Allow from all
Satisfy any
This should remove the password protection for this folder.