How can I deny access to a complete folder and sub-folders, with the exception of one file?
That file is: toon.php and resides in the same folder.
Order Allow,Deny
<FilesMatch "^toon\.php$">
Allow from all
</FilesMatch>
That is probably the most efficient that you can get.
AuthGroupFile /dev/null
AuthName "Private Area"
AuthType Basic
AuthUserFile .htpasswd
require valid-user
<Files "toon.php">
Allow from all
Satisfy Any
</Files>
Works for me. Dont' forget to configure the .htpasswd file.
Deny From All
<FilesMatch "^toon\.php$">
Allow From All
</FilesMatch>
Worked for me...
You may want to use the <Directory> and <Files> directives. You can look at the documentation here:
http://httpd.apache.org/docs/1.3/mod/core.html#directory
http://httpd.apache.org/docs/1.3/mod/core.html#files
In short, you want something like this:
<Directory /folder/without/access >
Order Deny,Allow
Deny from All
</Directory>
<Files "filename">
Order Deny,Allow
Allow from All
</Files>
If, like me, you're looking for a way to have authentication on an entire site/folder except for a single file, you will find that this method is working very well:
#allows a single uri through the .htaccess password protection
SetEnvIf Request_URI "/testing_uri$" test_uri
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/your/.htpasswd
AuthGroupFile /
Require valid-user
#Allow valid-user
Deny from all
Allow from env=test_uri
Satisfy any
Example taken from : this site
Add the following rule to htaccess file in root
RewriteEngine on
RewriteRule !toon\.php$ - [F]
This will deny access to all files and folders except toon.php .
There is a related scenario in WordPress admin where you may want to limit the access to specific IPs, but leave access for some specific files used by plugins:
## /wp-admin/.htaccess ##
Deny from all
allow from 88.222.123.88 #Home
allow from 88.111.211.77 #Office
<Files "admin-ajax.php">
Allow from All
</Files>
WordPress-specific configuration for Private Area using HTTP password:
AuthName "Private Area"
AuthType Basic
AuthUserFile .htpasswd
require valid-user
<Files "admin-ajax.php">
Allow from all
Satisfy Any
</Files>
Related
I'm trying to protect an older TYPO3 8.7 backend (/typo3) via an AuthType basic part in the normal TYPO3 .htaccess file.
I always end up with internal server errors.
Has anyone done this before ?
Is it possible that this could not wor with the symlinks ?
I am puting this part of code on top of my .htaccess (before all the rwrite stuff starts):
SetEnvIf Request_URI ^.*/typo3.* require_auth=true
AuthType basic
AuthName "Admin Schutz"
AuthUserFile /usr/etc/.htpasswd
#Order Deny,Allow
#Deny from all
#Satisfy any
Require valid-user
Allow from env=!require_auth
Thanks for any hints!
Assuming that your /usr/etc/.htpasswd file is accessible and valid (created properly with htpasswd command and chmoded to 644) your sample should work for Apache 2.2, but not in Apache 2.4 according to comments in this post. Literally in 2.4 it will work, but will require password also for your root domain.
There are two solutions. First is placing additional .htaccess files in your typo3 directory with simple rule, i.e. as shown by #Naderio:
AuthType basic
AuthName "Secret area!"
AuthUserFile /usr/etc/.htpasswd
require valid-user
Order deny,allow
Deny from all
Satisfy ANY
However, if you created a typo3 symlink to sources as suggested in TYPO3's documentation and/or you don't want to require BasicAuth for all projects which uses the same sources, you can override these settings directly in VHOST configuration like (assuming that you have all your TYPO3 projects i.e. in /www/typo3/ folder:
<VirtualHost *:80>
ServerAdmin your#email.tld
DocumentRoot "/www/typo3/project-x.loc"
ServerName project-x.loc
# below your valid paths for log files...
# ErrorLog "logs/project-x.loc-error_log"
# CustomLog "logs/project-x.loc-access_log" common
<Directory "/www/typo3/project-x.loc">
Options Indexes FollowSymLinks ExecCGI Includes
AllowOverride All
Require all granted
</Directory>
<Directory "/www/typo3/project-x.loc/typo3">
AuthType basic
AuthName "Restricted in VHOST config!"
AuthUserFile /usr/etc/.htpasswd
require valid-user
Order deny,allow
Deny from all
Satisfy ANY
</Directory>
</VirtualHost>
Note: I'd check anyway if the path you are trying to use /usr/etc/ is accessible for Apache at all, maybe it will be better moving your .htpasswd file somewhere closer to your www structure like to folder /www/etc/ and fix the above rules accordingly?
Should work with:
AuthType basic
AuthName "Secret area!"
AuthUserFile /usr/etc/.htpasswd
require valid-user
Order deny,allow
Deny from all
Satisfy ANY
An internal server error is thrown, e.g. if your path to the AuthUserFile isn't correct.
Here i've written down my snippet for my personal public documentation:
https://www.entwicklertools.de/snippet-sammlung/htaccess-snippets/passwortschutz-einrichten/
Thanks to all replies.
finally we also did this in the vhost by the following code using the "location"-tag.
<Location /typo3/>
AuthType Basic
AuthName "Enter Password"
AuthUserFile /www_data/.htpasswd4xyz
Require valid-user
</Location>
In case you can't edit the vhost config,
this line shoud work istead of your SetEnvIf in your .htaccess, intoo:
SetEnvIfNoCase Request_URI ^/typo3/$ require_auth=true
I know that the question has been asked here : htaccess exclude multiple url from Basic Auth but in the answer I didn't find the solution my problem so I reask here.
I want to block access to the root of a project in with htpasswd except for api url (it's not an existing folder but an endpoint controlled by index.php).
So far here is what I use for the htaccess :
<Location />
AuthType Basic
AuthName "Auth Required"
AuthUserFile /home/user/.htpasswd
Require valid-user
SetEnvIf Request_URI "(api|oauth)$" allow
Order allow,deny
Allow from env=allow
Satisfy any
</Location>
=> the htpasswd works but it blocks /api/xxx too.
Can somebody help me to correct that ?
You can use it like this:
SetEnvIf Request_URI "/(api|oauth)(/.*)?$" allow
AuthType Basic
AuthName "Auth Required"
AuthUserFile /home/user/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=allow
Also note that the <Location> directive is not allowed in .htaccess.
I have a huge emergency here after upgrading main site to drupal 8 all my scripts in subfolders became unusable. I have following structure:
public_html
--subfolder
--subsubfolder
.htaccess -- custom file
certificate.php
index.php
.htaccess -- main Drupal8 htaccess
the custom file looks like this:
AuthType Basic
AuthName "SWARL Certificates generator"
AuthUserFile "/home/user/passwd"
require valid-user
<Files "^certificate\.php">
Allow from all
Satisfy Any
</Files>
Everything was working with drupal6 but not with drupal 8 Security is good, but how to properly setup free access to certificate.php and password protect intex.php?
weird enough the following works:
RewriteEngine On
RewriteRule !certificate.php - [F]
<Files "certificate.php">
Order Allow,Deny
Allow from all
Satisfy Any
</Files>
AuthType Basic
AuthName "SWARL Certificates generator"
AuthUserFile "/home/user/passwd"
require valid-user
I just placed both solutions simultaneously and removed slash before dot
Currently I have .htaccess to require user auth in order to proceed.
I'm trying to find a solution to restrict users from navigating to other /directory/ than the one assigned to their username (haven't figured out how to do it, yet).
AuthType Basic
AuthName "Welcome!"
AuthUserFile /home/public_html/.htpasswd
Require valid-user
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
Satisfy Any
<FilesMatch "^.(htaccess|htpasswd)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Any ideas?
Thank you!
you can simply do like : create a .htaccess file
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
AuthType Basic
Require valid-user
Order Allow,Deny
Deny from all
Allow from X.X.X.X/16
Satisfy Any
if you have multiple file of .htpasswd then you can give multiple entry in .htaccess file like
AuthUserFile /home/will/.htpasswd
AuthUserFile /home/jone/.htpasswd
or
create .htaccess file and put in directory that you want to allow . if you want to allow multiple directory then copy that .htaccess file in all directory . if you want deferent user can access different directory then edit .htaccess file of that particular directory . i think it will work for you . for more info here
I have the following code for authentication where if the url is is not index.html, display the authenticatio form
<files "(?!index.html)">
AuthUserFile C:/wamp/www/eyedream/trunk/www/.htpasswd
AuthName "Please login"
AuthType Basic
Require valid-user
</files>
How can I specify if the file is not index.html,display the authentication box?
You can't use the Auth directives inside a <Files> block, it's got to be inside a <Directory> or in an .htaccess file. You can set an environment variable and use Satisfy Any to bypass the authentication for certain requests though:
SetEnvIfNoCase Request_URI ^/index.html$ norequire_auth=true
SetEnvIfNoCase Request_URI ^/$ norequire_auth=true
# Auth stuff
AuthUserFile C:/wamp/www/eyedream/trunk/www/.htpasswd
AuthName "Please login"
AuthType Basic
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=norequire_auth