.htpasswd on specific subdomain - .htaccess

I have a language specific subdomain that points to the same dir as the root as my site. I use PHP to detect it and show the language.
I wish to set an htpasswd on this subdomain only. Keep in mind that there is no physical directory specific to this subdomain. Therefore the statement will be in the same htaccess as the root of my site.
I need htaccess to do this :
if request is mysubdomain.domain.com
AuthUserFile /www/.htpasswd
AuthName "Locked"
AuthType Basic
Thanks

This should work:
AuthUserFile /www/.htpasswd
AuthName "Locked"
AuthType Basic
Require valid-user
SetEnvIf Host yourdomain.com secure_content
Order Allow,Deny
Allow from all
Deny from env=secure_content
Satisfy Any
I was on the same route as #Anders Lindahl but apparently there is no "not" in SetEnvIf so I had do change it to allow from all and deny the ones with the env-var set.
His solution works too but you have to SetEnv no-auth-required 1 first and then let the !no-auth-required unset it (that's what the ! does)

This is untested, but might work or give you hints on what to lookup in the Apache documentation:
SetEnvIf Host ^mysubdomain.domain.com !no-auth-required
AuthUserFile /www/.htpasswd
AuthName "Locked"
AuthType Basic
Require valid-user
Allow env no-auth-required
Satisfy Any

Related

.htaccess protect symlinked TYPO3 backend

I'm trying to protect an older TYPO3 8.7 backend (/typo3) via an AuthType basic part in the normal TYPO3 .htaccess file.
I always end up with internal server errors.
Has anyone done this before ?
Is it possible that this could not wor with the symlinks ?
I am puting this part of code on top of my .htaccess (before all the rwrite stuff starts):
SetEnvIf Request_URI ^.*/typo3.* require_auth=true
AuthType basic
AuthName "Admin Schutz"
AuthUserFile /usr/etc/.htpasswd
#Order Deny,Allow
#Deny from all
#Satisfy any
Require valid-user
Allow from env=!require_auth
Thanks for any hints!
Assuming that your /usr/etc/.htpasswd file is accessible and valid (created properly with htpasswd command and chmoded to 644) your sample should work for Apache 2.2, but not in Apache 2.4 according to comments in this post. Literally in 2.4 it will work, but will require password also for your root domain.
There are two solutions. First is placing additional .htaccess files in your typo3 directory with simple rule, i.e. as shown by #Naderio:
AuthType basic
AuthName "Secret area!"
AuthUserFile /usr/etc/.htpasswd
require valid-user
Order deny,allow
Deny from all
Satisfy ANY
However, if you created a typo3 symlink to sources as suggested in TYPO3's documentation and/or you don't want to require BasicAuth for all projects which uses the same sources, you can override these settings directly in VHOST configuration like (assuming that you have all your TYPO3 projects i.e. in /www/typo3/ folder:
<VirtualHost *:80>
ServerAdmin your#email.tld
DocumentRoot "/www/typo3/project-x.loc"
ServerName project-x.loc
# below your valid paths for log files...
# ErrorLog "logs/project-x.loc-error_log"
# CustomLog "logs/project-x.loc-access_log" common
<Directory "/www/typo3/project-x.loc">
Options Indexes FollowSymLinks ExecCGI Includes
AllowOverride All
Require all granted
</Directory>
<Directory "/www/typo3/project-x.loc/typo3">
AuthType basic
AuthName "Restricted in VHOST config!"
AuthUserFile /usr/etc/.htpasswd
require valid-user
Order deny,allow
Deny from all
Satisfy ANY
</Directory>
</VirtualHost>
Note: I'd check anyway if the path you are trying to use /usr/etc/ is accessible for Apache at all, maybe it will be better moving your .htpasswd file somewhere closer to your www structure like to folder /www/etc/ and fix the above rules accordingly?
Should work with:
AuthType basic
AuthName "Secret area!"
AuthUserFile /usr/etc/.htpasswd
require valid-user
Order deny,allow
Deny from all
Satisfy ANY
An internal server error is thrown, e.g. if your path to the AuthUserFile isn't correct.
Here i've written down my snippet for my personal public documentation:
https://www.entwicklertools.de/snippet-sammlung/htaccess-snippets/passwortschutz-einrichten/
Thanks to all replies.
finally we also did this in the vhost by the following code using the "location"-tag.
<Location /typo3/>
AuthType Basic
AuthName "Enter Password"
AuthUserFile /www_data/.htpasswd4xyz
Require valid-user
</Location>
In case you can't edit the vhost config,
this line shoud work istead of your SetEnvIf in your .htaccess, intoo:
SetEnvIfNoCase Request_URI ^/typo3/$ require_auth=true

Restrict access to root folder htpasswd except api url

I know that the question has been asked here : htaccess exclude multiple url from Basic Auth but in the answer I didn't find the solution my problem so I reask here.
I want to block access to the root of a project in with htpasswd except for api url (it's not an existing folder but an endpoint controlled by index.php).
So far here is what I use for the htaccess :
<Location />
AuthType Basic
AuthName "Auth Required"
AuthUserFile /home/user/.htpasswd
Require valid-user
SetEnvIf Request_URI "(api|oauth)$" allow
Order allow,deny
Allow from env=allow
Satisfy any
</Location>
=> the htpasswd works but it blocks /api/xxx too.
Can somebody help me to correct that ?
You can use it like this:
SetEnvIf Request_URI "/(api|oauth)(/.*)?$" allow
AuthType Basic
AuthName "Auth Required"
AuthUserFile /home/user/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=allow
Also note that the <Location> directive is not allowed in .htaccess.

.htaccess Condition only apply authentification to staging domain

I'm using the following code to block users on my staging subdomain.
AuthName "PRIVAT"
AuthType Basic
AuthUserFile /var/www/mydomain.com/.htpasswd
require valid-user
Since I'd like to use the same .htaccess for staging and production I'd like to add an condition if HTTP_HOST = staging.mydomain.com so that only the staging environment is password prodected? Is this possible?
Good News: Yes it is possible :-)
Make use of mod_setenvif directive.
SetEnvIfNoCase Host ^staging\.mydomain\.com$ SECURED
AuthName "PRIVAT"
AuthType Basic
AuthUserFile /var/www/mydomain.com/.htpasswd
require valid-user
Satisfy any
Order Allow,Deny
Allow from all
Deny from env=SECURED

Domain specific htpasswd conditions

I am using a wildcard dns system that routes all subdomains through a single web app and sets a userid based on the first part of the URL (X.domain.com where X is the username).
I now want to edit my htaccess file to enable conditional httpauth using htpasswd for specific domains. e.g. if url = password.domain.com the enable httpauth.
I'm sure this is possible but have limited knowledge of htaccess.
You can use SetEnvIf, here's a snippet from this post by Tom Schlick.
#allows a single uri through the .htaccess password protection
SetEnvIf Request_URI "/testing_uri$" test_uri
#allows everything if its on a certain host
SetEnvIf HOST "^testing.yoursite.com" testing_url
SetEnvIf HOST "^yoursite.com" live_url
Order Deny,Allow
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/your/.htpasswd
AuthGroupFile /
Require valid-user
#Allow valid-user
Deny from all
Allow from env=test_uri
Allow from env=testing_url
Allow from env=live_url
Satisfy any

How to remove .htaccess password protection from a subdirectory

I have password protected my entire website using .htaccess but I would like to expose one of the sub directories so that it can be viewed without a password.
How can I disable htaccess password protection for a sub directory? Specifically what is the .htaccess syntax.
Here is my .htaccess file that is placed in the root of my ftp.
AuthName "Site Administratrion"
AuthUserFile /dir/.htpasswd
AuthGroupFile /dev/null
AuthName secure
AuthType Basic
require user username1
order allow,deny
allow from all
You need to create a new .htaccess file in the required directory and include the Satisfy any directive in it like so, for up to Apache 2.3:
# allows any user to see this directory
Satisfy Any
The syntax changed in Apache 2.4, this has the same effect:
Require all granted
Adding to RageZ's answer, I used this in the Server Directives:
<Directory /var/www/protected/>
AuthType Basic
AuthName "Production"
AuthUserFile /path/to/.htpasswd
Require valid-user
</Directory>
<Directory /var/www/protected/unprotected>
Satisfy Any
</Directory>
Awesome. Thanks RageZ!
Simply create a new .htaccess in the desired subdirectory with this directive:
Allow from all
You can restrict to your IP only with :
Allow from x.x.x.x
See : http://httpd.apache.org/docs/current/mod/mod_access_compat.html
Here is a way to allow subdirectory "foo" through the basic authentication from the main .htaccess file on a site:
AuthType Basic
AuthName "Password Required"
AuthUserFile /dir/.htpasswd
Require expr %{REQUEST_URI} =~ m#^/foo/#
Require valid-user
Note: This works in Apache 2.4. I have not confirmed for earlier versions.
You need to add another .htaccess file to the subdirectory that overrides the authentication. .htaccess cascades upwards, i.e. it will look in the current folder, then go up a level and so on.
If you want to prevent any specific directoty from htaccess authentication then you can use following code in your htaccess file at top.
AuthType Basic
AuthName "Enter Pass"
AuthUserFile /home/public_html/.htpasswd /*PATH TO YOUR .htpasswd FILE*/
Require valid-user
SetEnvIf Request_URI "(/DIRECTORY_NAME/)$" allow
Order allow,deny
Allow from env=allow
Also If you want to prevent multiple directories then
add
SetEnvIf Request_URI "(/DIRECTORY_NAME/)$" allow
as many time as many directories, you want to remove from htaccess prevention.

Resources