htaccess - using password OR ip whitelist - .htaccess

So I want to restrict access to a url. Now if they are coming from a given IP address then they shouldn't be prompted for a password. If they are not coming from a givin IP address then they should be prompted for a password.
so a either or of:
AuthUserFile /some/path/.htpasswd
AuthName "Please Log In"
AuthType Basic
require valid-user
and:
order deny,allow
deny from all
allow from x.x.x.x

You can use the Apache "Satisfy" directive.
Here is an example of using it :
AuthType Basic
AuthName "Please Log In"
AuthUserFile /some/path/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from 127.0.0.1
Satisfy any
Access without password is only allowed from 127.0.0.1.
Hope this helps.

With Apache 2.4 Satisfy is still available, but deprecated
Note
The directives provided by mod_access_compat have been deprecated by mod_authz_host. Mixing old directives like Order, Allow or Deny with new ones like Require is technically possible but discouraged. This module was created to support configurations containing only old directives to facilitate the 2.4 upgrade. Please check the upgrading guide for more information.
In your case Allow from 1.2.3.4 is replaced by Require ip 1.2.3.4
Combining several Requires (like Require valid-user and Require ip) can be done by Authorization Containers. So saying the client must either provide a password or come from a specific IP address, would be done by surrounding the directives with RequireAny, e.g.
<RequireAny>
Require valid-user
Require ip 1.2.3.4
</RequireAny>
Although, this is a special case as described at the end of Require
When multiple Require directives are used in a single configuration section and are not contained in another authorization directive like <RequireAll>, they are implicitly contained within a <RequireAny> directive. Thus the first one to authorize a user authorizes the entire request, and subsequent Require directives are ignored.
In other words, RequireAny is optional here, and you can just list
Require valid-user
Require ip 1.2.3.4

This workes perfect for me:
AuthType Basic
AuthName "myserver publicname"
AuthUserFile "/myserverpath/.htpasswds/public/passwd"
require ip 100.12.255.233
require valid-user
Note:
Just placed 'require ip' with 'my example ip' before 'require valid-user' and it does the trick. I can log in from my ip without password requested, but if I access from other locations or my mobile devices I need the password.
To set 'Satisfy any' was NOT GOOD FOR ME (!), because it disabled other .htaccess settings in lower hierarchy of my app and made my site insecure.

Related

Excluse specific IPs from Website with .htaccess restriction

I want to grant public access to a hosted Website (nginx) and exclude a specific IP-Address range (123.456) from accessing it.
To say it simple: Every access from the IP-Range 123.456 should be restricted by promting for Username/Password. Thats what I want to have.
Here my .htaccess.
AuthType Basic
AuthName "Go away!"
AuthUserFile /home/www/path-to-my/.htpasswd
Require valid-user
Order Allow,Deny
Allow from all
Deny from 123.456
Satisfy any
What I get when I am using it:
Public access successful
Access from the excluded IP-Range = Timeout
As fas as I know .htaccess files are only for apache web server and not nginx.
Yo'll need to convert the rules with a converter or do it yourself.
In your case:
# nginx configuration
auth_basic "Go away!";
auth_basic_user_file /home/www/path-to-my/.htpasswd;
deny 123.456;
satisfy any;
The configuration directives are quite similar, but they are different.

how to change a website available only for admin

i have a website that need to be unavailable for public.
I cannot test my website locally because lot of contents are depend on databases and images.
At present i am using .htaccess to deny all the people,bots and allow my ip address to use the site. What happens i have a dial-up ADSL modem and my ISP connection is frequently disconnecting. So i need to change the allowed IP address in htaccess frequently.This is terrible.
Is there any other way to overcome this situation. I saw an article to make the site password protected. is it okay or what should i do to overcome this terrible scenario.
Thanks
Yes, password protecting is fine. Follow this guide: http://httpd.apache.org/docs/2.2/howto/auth.html
You need to create an htpasswd file, essentially the file that holds your username and password. If you don't have shell access on your hosting plan, you can go to an online generator and create the file locally and upload it to your hosting site (don't put it in your document root).
Then add this to your htaccess file:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user
You can also whitelist IPs like you did before but you need to add this line:
Satisfy Any
So that your Allow from 123.45.67.89 lines is sufficient and don't need to log in from that IP.

Using "Allow From" in the .htaccess file - what IP to enter?

this is my htaccess file:
AuthType Basic
AuthName “Sorry, Restricted Area!”
AuthUserFile /path/to/your/.htpasswd
Require valid-user
Allow from 123.45.67.890
Satisfy Any
My question is about the Allow from line ... the IP I give here is the callers IP, isnt it? This htaccess file is on my server which has 123.45.67.890 as IP, but as soon as I activate this htaccess, I can call the website it protects from anywhere, not just from the server itself, which is the plan. I call it like this: http://123.45.67.890/website ... question is, why can I call it from any computer even though it has the IP restriction? The site should onlybe called from the server itself.
Thanks :)
Because you need to deny from all first:
order deny,allow
deny from all
allow from 888.888.888.888

How do I use htaccess to limit access to entries?

I need to password protect a couple of entries on a site. It is easy to do at the template level but this is at the entry level. I am running Expression Engine.
I tried setting up an htaccess file but it is not yet effective.
It is like this:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/server/.htpasswds/.htpasswd
AuthGroupFile /dev/null
<Files template_group/entry_name>
require valid-user
</Files>
Where template_group is the name of the actual template_group and entry_name is the actual name of the entry.
Any assistance will be appreciated.
Thanks.
While ExpressionEngine provides its own means for Template Access Restriction to password-protect pages and templates — including handling .htaccess Apache Basic HTTP Authentication — there are situations where you might not want to, or are unable, to use it:
For example, the Freelancer Version of ExpressionEngine doesn't include the Member Management Module, so the Template Preferences Manager doesn't offer Access Restrictions.
Also, if you elect to use ExpressionEngine's HTTP Authentication, only users with member accounts [in ExpressionEngine] will be able to login, since EE uses its local member database for authentication.
If you're the DIY type, you can modify your httpd.conf to limit and password-protect access to ExpressionEngine pages, entries and templates.
This technique works by:
Editing Apache's httpd.conf
Creating .htpasswd or .htgroup files
Specifying the URL(s) to Protect
Note: Since we are attempting to match objects at the URL level and not the physical filesystem, we must use a <Location> or <LocationMatch> directive1.
Put the following in your server's httpd.conf or vhost.conf file:
<LocationMatch "^/private">
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/website/.htpasswd
AuthGroupFile /dev/null
Require valid-user
</LocationMatch>
Be sure to change the values of the directive to your liking and your hosting environment.
If you haven't already, create the .htpasswd password file to encrypt the desired passwords, either using the command line or an Online .htaccess Password Generator:
htpasswd -c /path/to/website/.htpasswd username
If the htpasswd command is not in your Unix path, you'll have to type the full path to the file to get it to run. On my server, it would be:
/usr/sbin/htpasswd -c /path/to/website/.htpasswd username
Then, htpasswd will ask you for the user's password, and ask you to type it again to confirm:
# htpasswd -c /path/to/website/.htpasswd username
New password: changeme
Re-type new password: changeme
Adding password for user username
With everything in place and working, any request to /private* will be handled by Apache before it's routed to ExpressionEngine.
Voilà — Apache password-protected directories working in harmony with ExpressionEngine (or any CMS really, such as WordPress, MovableType or TextPattern).
The context of the <Location> directive specifies that it can only be used in server config and virtual host configuration files. This means we can't put the rules in a .htaccess file, otherwise Apache will throw a 500 Internal Server Error with the description "Location not allowed here".
If you are attempting to match objects at the URL level, you must use <Location>
If you are attempting to match objects at the filesystem level, you must use <Directory> and/or <Files>
I answered two similar questions on this subject that may be of benefit to you.
Nevertheless, there are several ways to password-protect pages in an ExpressionEngine site:
Template Preferences Manager
Conditional Global Variables
Third-Party Add-Ons
By far the easiest solution to your situation is to use the built-in Template Preferences Manager in the ExpressionEngine Control Panel and assign the "private" entries to a template that requires authentication.
A third-party add-on such as Entry Access by Yuri Salimovskiy of IntoEEtive may aide in your benefit. Entry Access enables you to restrict front-end access to certain channel entries for certain members or member group.

How secure is htaccess authentication

I need to protect a clients CMS with a username and password, only one username is needed. I was going to use htaccess because its so quick to add.
I'll be adding it using the password directories feature in WHM which stores the passwords here:
AuthUserFile "/home/username/.htpasswds/public_html/cms/passwd"
How secure is this? Are there ways to get into folders such as .htpasswds?
Straight from Apache's documentation
The most common method is Basic, and this is the method implemented by mod_auth_basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl. Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Most recent browsers support Digest authentication.
Please read the rest HERE
Please read the comments, things have changed since 2011. Good catch #reve_etrange
You should deny access to the folder that contains passwd files
<Directory /home/*>
Order allow,deny
Deny from all
Satisfy all
</Directory>
also don't forget that http traffic can be captured, so it won't suit for financial transactions.
As long as you set up the proper restrictions in your httpd.conf file to block external requests for .htaccess, and .htpasswd you should be okay.
You can block external requests (in Apache) with the following directives:
# The following code hides .htaccess and .htpasswd files from sites visitors.
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

Resources