I have the following folder structure
domain.com (/public_html/)
sub.domain.com (/public_html/sub/)
sub.domain.com/dir1/ (/public_html/sub/dir1/)
sub.domain.com/dir1/dir2/ (/public_html/sub/dir1/dir2/)
if I put the following in my .htaccess file at any of these directories
DirectoryIndex index.php
require valid-user
<RequireAny>
Require ip x.x.x.x
</RequireAny>
It has no effect when loading any files in these directories.
Additionally if i want multiple require rules to have and/or then it gets a little more complicated for example
# Allowing Access via Password or one of the following IP Addresses
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/.htpasswds/.htpasswd
<RequireAll>
require valid-user
<RequireAny>
Require ip x.x.x.x
Require ip y.y.y.y
</RequireAny>
</RequireAll>
Apache did follow these rules set, but switching to litespeed enterprise web server has meant that IP restrictions have been ignored
What am I missing here?
require valid-user
<RequireAny>
Require ip x.x.x.x
</RequireAny>
This would seem to be overkill for Apache 2.4. <RequireAny> is the default container. The above 4 lines is the same as the one-line Require ip x.x.x.x.
However, my experience with LiteSpeed is that it behaves more like an Apache 2.2 server and (annoyingly) silently fails on directives it does not understand (although there might be something logged in the server's error log).
Try the following (Apache 2.2 style) directives instead:
Order Allow,Deny
Allow from x.x.x.x
Related
The below seems to be blocking all visitors, yet if i comment out the specific IP the site loads for everyone.
Its added via security however, is blocking everyone out rather than just the specific IP targeted.
I have contacted our hosts and they claim it's nothing to do with them, but surely it's how they have their Apache configured?
SetEnvIF REMOTE_ADDR "^66\.249\.66\.217$" DenyAccess
SetEnvIF X-FORWARDED-FOR "^66\.249\.66\.217$" DenyAccess
SetEnvIF X-CLUSTER-CLIENT-IP "^66\.249\.66\.217$" DenyAccess
<IfModule mod_authz_core.c>
<RequireAll>
Require all granted
Require not env DenyAccess
Require not ip 66.249.66.217
</RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Allow from all
Deny from env=DenyAccess
Deny from 66.249.66.217
</IfModule>
The directives seem to work as is.
To debug this, I would first verify, if mod_authz_core is enabled or not.
Based on this, you may check, which of the directives are causing the block, either the environment directive
Require not env DenyAccess
Deny from env=DenyAccess
or the ip directive
Require not ip 66.249.66.217
Deny from 66.249.66.217
If the environment is the culprit, check which of the variables is causing it, by commenting one by one.
I have problem figuring out how create right configuration for apache 2.4 with mod_authz_core specifically with combination of RequireAny/All and Require valid-user.
I need this configuration: web has blocked access from specified countries, but I have list of specific ip address, that have to be whitelisted and have access to web (even from blocked country)
And there is a part of website which require AuthBasic authentication from .htaccess file
First of all, I am trying to migrate old apache configuration from 2.2 to apache 2.4.
Old configuration:
#blocation for specified countries
SetEnvIf GEOIP_COUNTRY_CODE AB BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE AC BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE AD BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE AE BlockCountry
<LocationMatch "/*">
Order deny,allow
deny from .zx
deny from env=BlockCountry
allow from 127.0.0.1
Include "/etc/httpd/conf/permited-xx-ip.include.old"
</LocationMatch>
This work absolutely fine on apache 2.2.
I changed it to this to match new apache 2.4
<LocationMatch "/.*">
<RequireAny>
<RequireAll>
Require all granted
Require not host .xx
Require not env BlockCountry
</RequireAll>
<RequireAny>
Require local
Include "/etc/httpd/conf/permited-xx-ip.include"
</RequireAny>
</RequireAny>
</LocationMatch>
file /etc/httpd/conf/permited-xx-ip.include contains lines:
Require ip x.x.x.x
And this works fine, but problem is when I have directory which has .htaccess with AuthBasic directive, it will not prompt for username/password.
I was checking logs and it seems that the RequireAny/All allow acces without prompting for password.
.htacces file:
AuthName "members"
AuthType Basic
AuthUserFile ./data/.htpasswd
AuthBasicProvider file
Require valid-user
If i comment Require section in apache conf file, it will prompt for user/password.
I also tried old configuration with mod_compat, but the configuration does not work as intended(it will not consider whitelisted ips).
Thanks for reading long post.
Any suggestion ?
I think i figured it out,
The right configuration should look like this:
<Directory /var/www/www-root>
<RequireAny>
<RequireAll>
Require all granted
Require not host .xx
Require not env BlockCountry
</RequireAll>
<RequireAny>
Require local
Include "/etc/httpd/conf/permited-ip.include"
</RequireAny>
</RequireAny>
</Directory>
Plus the configuration for the directory with AuthBasic .htaccess:
<Directory /var/www/www-root/dirwithauthbasic>
<RequireAll>
<RequireAny>
<RequireAll>
Require all granted
Require not host .xx
Require not env BlockCountry
</RequireAll>
<RequireAny>
Require local
Include "/etc/httpd/conf/permited-ip.include"
</RequireAny>
</RequireAny>
Require valid-user
</RequireAll>
</Directory>
sorry for messed format
I am trying to allow Amazon CDN to access the resources on my password-protected staging site (HTTP Basic Authentication).
This is the code I have in the httpd.conf file for it:
NameVirtualHost *:80
<VirtualHost *:80>
ServerName staging.domain.com
DocumentRoot /var/www/html
<Directory "/var/www/html/">
Options Indexes MultiViews FollowSymLinks
AllowOverride all
AuthName "Development Access"
AuthType Basic
AuthUserFile /path/to/password.htpasswd
Require valid-user
SetEnvIf User-Agent "^Amazon.*" cdn
Order allow,deny
Allow from env=cdn
</Directory>
</Virtualhost>
I'm using SetEnvIf to assign a variable if the user agent is Amazon and then just allowing it, but this is not working. Can somebody please help me out with this one?
the problem is that a valid user is required to get to the content, indifferent of the user agent used.
Give this article in the Apache Manual a read, specifically take a look at the RequireAny bit. That allows you to setup the rules with the complexity you require. Your config code would look something like this.
SetEnvIf User-Agent "^Amazon.*" cdn
<RequireAny>
Require valid-user
Require cdn
</RequireAny>
This only works on Apache 2.4 upwards. On 2.2 you can look at this article in the Apache Wiki and specially to the Satisfy Any directive. Hope this helps.
If you have Apache 2 and possibly the requirement to access the resources with HTTP Auth, this has worked for me:
<Directory /var/www/yourwebdirectory>
SetEnvIf User-Agent "^Amazon.*" cdn
AuthUserFile /etc/apache2/.htpasswd.forthissite
AuthType Basic
AuthName "My Files"
Require valid-user
Order allow,deny
Allow from env=cdn
Satisfy Any
</Directory>
I was wondering if it was possible to setup a conditional http basic auth requirement based on the virtual host URL in an .htaccess file.
For example what I want to do is have mysite.com and test.mysite.com run off the same code base in the same directory but password protect test.mysite.com. It would be setup this way so that I wouldn't need to branch my code since my app code can see which vhost/url it's being served from and pick the database to serve content from.
You can sort of kludge this by using mod_setenvif along with the mod_auth modules. Use the SetEnvIfNoCase directive to set which host is password protected. You'll need a couple of extra directives to satisfy access:
# Check for the hostname here
SetEnvIfNoCase HOST ^test\.mysite\.com\.?(:80)?$ PROTECTED_HOST
Then inside the Directory block (or just out in the open) you have your auth stuff setup, something like this:
AuthUserFile /var/www/test.mysite.com/htpasswd
AuthType Basic
AuthName "Password Protected"
Now for the require/satisfy stuff:
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=!PROTECTED_HOST
This will make it so any host that doesn't match ^test\.mysite\.com\.?(:80)?$ will have access without need for auth (Allow from env=!PROTECTED_HOST) but otherwise, we need a valid user (Require valid-user). The Satisfy any ensures that we just need one of the 2, either the Allow or Require.
I had problems implementing Jon's solution:
Although I am quite familiar with Apache conf and regular expressions, the authentication always fired. From a quick analyzes it looked like the Allow from env=!PROTECTED_HOST line did not kick in.
But I found another solution that actually looks safer to me:
I created two virtual hosts for the two domains pointing to the same document root (which is fully allowed by the way). In one of the vhosts I added the directives for basic auth (directly into the vhost directive block).
Works like a charm. And I have a better feeling that this is really safe - no risk to overlook any details in the regex pattern that would open up the gates for intruders.
<VirtualHost *:80>
ServerName www.mysite.com
DocumentRoot "/path/to/common/doc/root"
<Directory "/path/to/common/doc/root">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName protected.mysite.com
DocumentRoot "/path/to/common/doc/root"
<Directory "/path/to/common/doc/root">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
AuthUserFile /path/to/htpasswd
AuthName "Password please"
AuthType Basic
Require valid-user
</Directory>
</VirtualHost>
Here's a solution similar to what Jon Lin proposed, but using RewriteCond to check the host name:
RewriteEngine On
RewriteCond %{HTTP_HOST} =protected.hostname.com
RewriteRule ^.*$ - [E=DENY:1]
AuthUserFile /path/to/htpasswd
AuthName "Password please"
AuthType Basic
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=!DENY
I've got several sites: example.com, example1.com, and example2.com. All of them point to my server's /public_html folder, which is my Apache root folder.
What do I need to add to my .htaccess file to use http authentication only if the user is coming from example2.com? example.com and example1.com should NOT use authentication.
I know I need something like
AuthType Basic
AuthName "Password Required"
AuthUserFile "/path/to/.htpasswd"
Require valid-user
But I only want to require a password if the user is visiting example2.com.
Edit
Using an approach suggested in an answer, I have the following in my .htaccess file:
SetEnvIfNoCase Host ^(.*)$ testauth
<IfDefine testauth>
RewriteRule ^(.*)$ index2.php?q=$1 [L,QSA]
</IfDefine>
I know that the mod_setenvif.c module is enabled (I verified with an <IfModule> block), but it would appear that "testauth" is never getting defined, because my test to verify (redirecting to index2.php) is not executing (whereas it was getting executed in my <IfModule> block). Any ideas why?
How about something along the lines of this in the htaccess file in the document root:
# set the "require_auth" var if Host ends with "example2.com"
SetEnvIfNoCase Host example2\.com$ require_auth=true
# Auth stuff
AuthUserFile /var/www/htpasswd
AuthName "Password Protected"
AuthType Basic
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
This will make it so authentication is not required unless the host ends with example2.com (e.g. www.example2.com, dev.example2.com, etc). The expression can be tweaked if needed. Any other host will cause the require_auth var not to get set so authentication is not required. If this needs to be the other way around, the last line could be changed to: Allow from env=require_auth, removing the !.
Apache 2.4 offers a semantic alternative with the If directive:
<If "req('Host') == 'example2.com'">
AuthUserFile /path/to/htpasswd
AuthType Basic
AuthName "Password Protected"
Require valid-user
</If>
<Else>
Require all granted
</Else>
Here is one recommendation:
Create a file called common.conf and save in an accessible location
In this file place the Apache configuration common to all sites (hosts).
The remove the current single VirtualHost entry an replace with VirtualHost entries as follows:
# These are the password protected hosts
<VirtualHost *:80>
ServerName example.com
ServerAlias example1.com
Include /path-to-common-configuration/common.conf
AuthType Basic
AuthName "Password Required"
AuthUserFile "/path/to/.htpasswd"
Require valid-user
</VirtualHost>
# These are hosts not requiring authentication
<VirtualHost *:80>
ServerName example2.com
ServerAlias example3.com
Include /path-to-common-configuration/common.conf
</VirtualHost>
I wonder if DanH would be helped by an approach that allows access per IP address?
Something like
SetEnvIf Remote_Addr 1\.2\.3\.4 AllowMeIn
SetEnvIfNoCase Host this\.host\.is\.ok\.com AllowMeIn
SetEnvIfNoCase Host this\.host\.is\.also\.ok\.com AllowMeIn
and then in your Drupal "container"
Order Allow,Deny
Allow from env=AllowMeIn
should do the trick.
Any host that is "live" should be configured to "AllowMeIn", or else you have to come from a known IP address (ie you and other developers).
You shouldn't be putting per-vhost configuration into .htaccess. Instead, put the config block in the VirtualHost block in the proper config file in /etc/apache/sites-enabled/*.