I run a testsystem with a htaccess basic auth:
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /var/www/html/.htpasswd
Require valid-user
I now want to disable this auth for all user who target the /api and /api/orders etc. of this server. I tried it with this:
SetEnvIf Request_URI "/api(.*)$" api_uri
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /var/www/html/.htpasswd
Require valid-user
Deny from all
Allow from env=api_uri
Satisfy any
But this does not work - mod_setenvif is enabled. Does anybody have an idea why this is not working?
Thanks!
Have it this way:
SetEnvIf Request_URI /api api_uri
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /var/www/html/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=api_uri
I normally just add a separate .htaccess file inside the api folder:
Satisfy any
Related
I have a url www.mywebsite.com/admin and I want to password protect it using this
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user SomeUsername
However, the site is using a custom framework so /admin gets passed through index.php, so there isn't actually an admin folder so I can't put it in a .htaccess file in it. How can I protect that url using the above code?
You can combine mod_setenvif with mod_auth like this:
SetEnvIfNoCase Request_URI /admin SECURED
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user SomeUsername
Order allow,deny
Allow from all
Deny from env=SECURED
Satisfy any
I've 2 domains e.g. foo.com and bar.com which share the same document root.
The sites are protected by a .htaccess file
AuthUserFile ../.htpasswd
AuthName "No Access"
AuthType Basic
<Limit GET POST PUT>
require valid-user
</Limit>
how can I set the AuthUserFile depending on the host?
pseudocode:
if (host == foo.com) {
AuthUserFile ../.htpasswd_foo
} else {
AuthUserFile ../.htpasswd_bar
}
AuthName "No Access"
AuthType Basic
<Limit GET POST PUT>
require valid-user
</Limit>
If this is not possible are there any other ways to get different logins for the 2 domains?
Try setting it up like this:
#site1.com
setenvIfNoCase Host site1\.com pass_1
AuthType Basic
AuthName "Site1.com Login Required"
AuthUserFile "/home/userdir/.htpasswds/site1.pwd"
Require valid-user
Order allow,deny
Allow from all
Deny from env=pass_1
Satisfy any
#site2.com
setenvIfNoCase Host site2\.com pass_2
AuthType Basic
AuthName "Site2.com Login Required"
AuthUserFile "/home/user_dir/.htpasswds/site2.pwd"
Require valid-user
Order allow,deny
Allow from all
Deny from env=pass_2
Satisfy any
i have a htacces protection for my current project:
<filesMatch "\.(htm|html|php)$">
AuthGroupFile /dev/null
AuthName "secured"
AuthType Basic
AuthUserFile /var/www/html/web/.htpasswd
require valid-user
</filesMatch>
The protcetion is working but my static files cames from aws cloudfront and some files are asking for the htaccess credentials too. What can i do to stop this?
Thank you very much.
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/html/web/.htpasswd
AuthGroupFile /dev/null
Require valid-user
SetEnvIf Host cloudfront.net allow
SetEnvIf Request_URI "(status.php)$" allow
SetEnvIf Request_URI "(appredirect.html)$" allow
Order allow,deny
Allow from env=allow
Satisfy
This is the current setting but to allow the host cloudfront.net is not helping.
What is the htaccess lines/config I would require to ensure that all parts of my site (files & URLs) are protected by authentication, EXCEPT for a given limited set of URLs. For example all except "/api/.*" if this makes sense.
The actually authentication could be like the below, but it's how I wrap this in the directives...
AuthName "Dialog prompt" AuthType
Basic AuthUserFile
/home/site/.htpasswd Require
valid-user
thanks
this seems to work:
AuthUserFile /home/.htpasswd
AuthName "Password Protected"
authtype Basic
Order Deny,Allow
Satisfy any
SetEnvIf request_uri "/api/" allow_all
Deny from all
Require valid-user
Allow from env=allow_all
You could use SetEnvIf and <IfDefine>:
SetEnvIf Request_URI ^/api/ no_auth_req
# If no_auth_req is NOT defined then require authentication
<IfDefine !no_auth_req>
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/site/.htpasswd
Require valid-user
</IfDefine>
I have a new website I'm working on that the client wants to keep a secret, but at the same time, I want to put an under construction page with some info on it. I would like to have everything except index.html require a user/password--index.html would be available to everyone.
I have the following, but I'm not sure what I need to add:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/file/.htpasswd
AuthGroupFile /dev/null
require valid-user
There are too many files and possibly new files to say "for this set of files require a user/password".
I think it has something to do with something similar to:
<Files index.html>
order deny,allow
allow from all
</Files>
But I'm not exactly sure how.
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/file/.htpasswd
AuthGroupFile /dev/null
<Files "*">
Require valid-user
</Files>
<Files "index.html">
Allow from all
Satisfy any
</Files>
I used empi response almost exactly, but I realized that I'm loading a logo and reset-min.css on the under construction page, so I modified it like the following:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/examplecom/example.com/html/.htpasswd
AuthGroupFile /dev/null
<Files "*">
Require valid-user
</Files>
<FilesMatch "(index\.html|reset-min\.css|logo-temp\.gif)$">
Allow from all
Satisfy any
</FilesMatch>
have you tried reversing the order to first allow, then deny?
For further reading: apache htaccess directive are a good reference.