Allow subdirectory Apache 2.4 - apache

I'm struggling with the htaccess system of apache.
My apache directories are set as follow:
www/ (Protected via /var/www/.htaccess)
www/public/ (Supposed to be unprotected via /var/www/public/.htaccess)
However i still can't access the public folder without the need to log in via my AuthType Basic from my www/.htaccess...
www/.htaccess:
AuthType Basic
AuthName "Acces restreint"
AuthUserFile "/var/www/.htpasswd"
Require valid-user
www/public/.htaccess:
AuthType None
Require All Granted
I really am not an expert in Apache so I may have missed the obvious.

Ok, I just figured out that what I was doing works but using H5AI as browser it needed to access the files.
I simply added a rule in the apache2.conf to prevent him being overwritten by the main directory .htaccess and all worked fine.

Related

apache basic auth across multiple virtualhosts

I have a few staging sites as virtual hosts on a server, plus a couple of public-facing virtual host sites. The stating sites are all under a single directory (e.g., /var/www/staging-sites/[site-document-root]).
Up to now I've been configuring HTTP Basic Auth for each virtual host, but it seems like there should be a way to do it once for all of them.
The question "apache global basic auth" indicates that I could place Basic Auth directives in a <Directory /var/www/staging-sites> container in the main apache config file, but doing so doesn't cause the browser to prompt for credentials.
Here's the output of tail -n 7 /etc/apache2/apache2.conf:
<Directory "/var/www/staging-sites/">
AuthType Basic
AuthName "Authentication Required"
AuthBasicProvider file
AuthUserFile /var/www/staging-sites/.htpasswd
Require valid-user
</Directory>
I've verified that /var/www/staging-sites/.htpasswd exists, and that the site foo.mydomain.com uses the Document Root /var/www/staging-sites/foo.
I've restarted apache to ensure the new config gets loaded.
However, when I open http://foo.mydomain.com, the site is displayed without prompting for Basic Auth credentials.
What am I doing wrong?
Solved. The problem was this section in the virtualhost configuration itself:
<Directory /var/www/staging-sites/foo>
Require all granted
</Directory>
Apparently all the virtualhosts were created with an equivalent configuration. As might be expected, Require all granted in the virtualhost config outdoes Require valid-user in the global config.
Removing that line allows the Basic Auth, as configured above, to work properly.
You can also leave Require all granted but add Satisfy all

How to upload a htaccess file with htpasswd?

I am trying to protect my directory with apache password protection, basically their is a subdirectory named reg in my /var/www folder. now, I have .htaccess in the /var/www/reg folder and the content is
AuthUserFile /var/www/.htpasswd
AuthName "Please Log In"
AuthType Basic
require valid-user
and a .htpasswd file in /var/www folder and the content is
xyz:AFm9t1CfobrkA
but when I try to access the folder typing localhost/reg no pop up box appear asking for username and password. Where am I wrong?
I have .htaccess file like this:
AuthUserFile /data/www/.../http-users
AuthType Basic
AuthName "private"
require user cf
And it works. What you could do:
Detect the possible cause by looking into the error log. In many cases you have access to it even on hosting environments
Make sure AllowOverride AuthConfig is set. You cannot set it in .htaccess, you must do it in the server configuration file. In a hosting environment, you have to ask your hosting provider.
Not very likely, but it could be the dot - try to rename the .htpasswd file to htpasswd
Its definitelly not caused by missing the <directory> container as noted in the discussion

protect only one folder in apache with password

The question is that I want to protect only one folder "admin", I was using this in my .htaccess placed in /home/my_home/public_html
AuthName "message"
AuthType Basic
AuthUserFile /home/my_home/.htpasswd
require valid-user
but this protect all my site whilst I want to protect actually /home/my_home/public_html/admin. IN my error log I see:
/home/myhome/public_html/admin/.htaccess: <Directory not allowed here
You have to put the .htaccess file into your admin folder.
The configuration directives found in a .htaccess file are applied to the directory in which the .htaccess file is found, and to all subdirectories thereof. see Apache documentation

Have sub directory not be password protected using Apache's .htaccess

Currently on my server I have a .htaccess file in the root of my web directory -
AuthUserFile /path/to/root/www/.htpasswd
AuthType Basic
AuthName "Economic Complexity Observatory"
Require valid-user`
And this works great properly password protecting my whole site. The only problem is that I have this one sub directory that I DON'T WANT to to be password protected. Is there a way to specify that one specific directory will be free of password protection?
There is a way just using .htaccess. I saw this answer elsewhere
Just create an .htaccess file in the non-password protected subdirectory with the content:
Satisfy any
and that's it.
It worked for me.
If you have access to httpd.conf you can use the following (the "directory" directive cannot be used in .htaccess):
<Directory />
AuthUserFile /path/to/root/www/.htpasswd
AuthType Basic
AuthName "Economic Complexity Observatory"
Require valid-user
</Directory>
<Directory /path/to/unprotected/dir>
Satisfy All
</Directory>
I am not aware of a way to do it with htaccess without putting a separate .htaccess in each directory excluding the directory that should not be protected.

htaccess: only do [some lines of code] for one domain, no others

Say I have a htaccess file shared by "dev.server" and "server.site.com".
The first domain should allow all users to access it unchallenged (it only exists on my local development server).
The second domain I want to authenticate users with Apache (NOT by database).
The code to authenticate users is:
AuthType Basic
AuthName "Server Admin"
AuthUserFile "/path/to/passwd"
require valid-user
What I can't do is make those 4 lines only matter if the domain is "server.site.com". How can I do this?
I searched for something like <IfEnv HTTP_HOST "site.server.com"> but had no luck.
This appears to work, still need to do some testing on it though.
Order Deny,Allow
Deny from all
SetEnvIf Host domain.for.no.auth dev
Allow from env=dev
AuthUserFile .pwd
AuthType Basic
AuthName MySite
Require valid-user
Satisfy Any
As far as I know, this can't be done in a .htaccess file. You'd have to put this into a Directory or VirtualHost section, both of which can't be used in a .htaccess file.
You would have to define it in two separate files, or directly in the server's configuration in the VirtualHost section.