I have a site (running on a framework, so folders are virtual) with access blocked via .htaccess/.htpasswd, but I want to permit public access to one folder/file. I've tried all of the solutions suggested elsewhere but so far nothing has worked.
Here's the basic .htaccess contents:
AuthUserFile /var/www/vhosts/mysite.com/.htpasswd
AuthName "MySite Restricted Area"
AuthType Basic
Require valid-user
I want to allow access to the URL /api/user/create. I have tried the following variations, all to no effect:
<Files "create">
Allow from all
</Files>
<FilesMatch create$>
Allow from all
</FilesMatch>
SetEnvIf Request_URI "create" allow
Deny from all
Allow from env=allow
It seems like the filename create isn't recognised as a valid file, but I have no idea why the last one doesn't work. :(
The problem is you are using virtual folders. <Files *> only takes effect for files on the disk. You should use the <Location> directive instead.
https://httpd.apache.org/docs/2.4/en/mod/core.html#location
Related
Looking for some guidance on how I can match a specific file in a wildcard of directories.
Example - the rule needs to apply to:
/path/to/folder1/directory/index.php
/path/to/folder2/directory/index.php
/path/to/folder3/directory/index.php
Here is an example of the configuration made. The idea is to ensure that they are prompted for a username/password if this file is accessed:
<FilesMatch "/path/to/*/directory/index.php">
AuthName "Login"
AuthType Basic
AuthUserFile /path/to/.htpasswd
require valid-user
However, that doesn't seem to be working.
EDIT
After the first answer response, I changed the code. The primary purpose of this is to ensure that if anyone accesses the administrator/index.php file, they are asked for username and password via mod_security. Any other index.php files recursive to the administrator directory should not be prompted:
<Directory "/location/to/.*/administrator">
<Files "index.php">
AuthName "Login"
AuthType Basic
AuthUserFile /path/to/.htpasswd
require valid-user
</Files>
</Directory>
Does that do the trick?
Like the <Files> directive, the <FilesMatch> directive operates only on the basename of the file, not on the complete path, so specifying a path name wont work.
Other then that, FilesMatch uses regular expressions by default (<FilesMatch "expression"> is basically the same as <Files ~ "expression">), so "path/*" would actually match path followed by an arbitrary number of slashes, what you ment would be "path/.*" - but like I said, paths don't work with FilesMatch and Files.
But the directives already apply to all subdirectories, so if you put a .htaccess file in the common base directory, it will apply to all subdirectories (unless it's overridden later):
<Files "index.php">
...
</Files>
I'm trying to lock down a tree of directories (but allow through image files) using the following .htaccess rule
AuthType Basic
AuthName "Test Sites. *Please Contact xxxxxxx for access.*"
AuthUserFile /home/www/testsites/.htpasswd
Require valid-user
<FilesMatch "\.(gif|jpe?g|png)$">
Satisfy Any
Allow from all
</FilesMatch>
However, when I try it, I'm still being asked to authenticate against images if the image is not directly within the httpdocs directory.
In other words
http://www.testsites.com/test.jpg would be allowed through, but
http://www.testsites.com/sitename/images/test.jpg is asking for authentication.
Any idea why this might be happening?
Try this alternative approach based on mod_setenvif:
SetEnvIfNoCase Request_URI "\.(gif|jpe?g|png)$" ALLOWED
AuthType Basic
AuthName "Test Sites. *Please Contact xxxxxxx for access.*"
AuthUserFile /home/www/testsites/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=ALLOWED
Not exactly sure why this is happening, as the <Files> and <FilesMatch> is supposed to get applied to all the subdirectories. You could try using SetEnvIf instead to match against the entire URI instead of relying on the apache core to first map the URL to a file:
SetEnvIf Request_URI \.(gif|jpe?g|png)$ no_auth=true
AuthType Basic
AuthName "Test Sites. *Please Contact xxxxxxx for access.*"
AuthUserFile /home/www/testsites/.htpasswd
Require valid-user
Satisfy Any
Deny from All
Allow from env=no_auth
Is it possible with Apache to enable Indexes for a directory and be able to view every file, but at the same time, password protect only certain file types. When I use <FilesMatch "\.(type1|type2)"> they become hidden from the directory listing, but do become password protected. I just need them to be available in the directory listing because... reasons.
Here's what I got that does half the job.
<FilesMatch "\.(dat|mca|mcr)$">
AuthName "Protected Files"
AuthType Basic
AuthUserFile /home/web/maps/.htpasswd
require valid-user
</Files>
<Directory /home/web>
Options +Indexes
</Directory>
IndexOptions +showForbidden will allow autoindex listings for things that may eventually require authentication (or are forbidden for any other reason!)
Consider installing your own indexer; typically this is just a PHP script in the directory itself (index.php) that dynamically retrieves the directory listing. Just like Apache's mod_autoindex would, but potentially with nicer looks.
DIY:
listing files in folder showing index.php
Off-the-shelve:
http://autoindex.sourceforge.net/
http://pdirl.newroots.de/
http://www.evoluted.net/thinktank/web-development/php-directory-listing-script
I have a internal website which has a .htaccess login except for the office IP. Which IP is white listed. Now I need a cronjob to get a file but I don't want normal users to access that file directly. An overview:
- public_html/
- index.php
- files.php
- all_folders/
- cronjob_only/dump.sql
So all users can access all, except cronjob_only/dump.sql. If they are inside the office they don't require a login. Outside they need to login.
The cronjob_only/dump.sql always requires a login and a the valid user cron_user
I did get it working without the ip whitelisting. My .htaccess file:
Order deny,allow
Deny from all
AuthType Basic
AuthUserFile /home/admin/domains/website.com/.htpasswd-file
AuthName "U shall not pass"
Allow from 94.215.167.79 #office IP
require valid-user
Satisfy Any
<FilesMatch "dump.sql">
Require user cron_user
</FilesMatch>
The above allows people inside the ip to access the dump.sql
If I turn off the Allow from.. the login split works.
What am I missing? I tried a lot. Most of it found here on stackoverflow.
Can anybody help?
Try this:
<FilesMatch "dump.sql">
Order allow,deny
Require user cron_user
Satisfy Any
</FilesMatch>
Please note that I'm not sure of this answer.
with .htaccess i created auth limitation on some directories, and i want to allow access to only one of their subdirectory. can you help me how to achieve that?
tnx in adv!
UPDATED: my current .htaccess contains next:
AuthUserFile /var/www/mysite/httpdocs/passwds/.htpasswd
AuthGroupFile /dev/null
AuthName "In development..."
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
If you put .htaccess in one directory, that specific directory and all its children, receive same policy. That means, if you put in any children directory another .htaccess file, it can modify any previously defined policy, same as its parent .htaccess.
Add "Satisfy Any" to the child .htaccess
Order allow,deny
Allow from all
Satisfy any
See apache "Satisfy" docs, it SHOULD work, as this is only solution.