.htaccess require valid-user on Remote server, not local - apache

This is my .htacess file. I'm trying to figure out how to to require a valid user with username/password only on the remote server, not on my local dev environment. Any help is appreciated. Thanks!
AuthType Basic
AuthName "restricted area"
require valid-user
AuthUserFile "/home/username/.htpasswds/public_html/passwd"

For those happening to stumble upon this old question, I use the following .htaccess logic in scenarios where I have one codebase for localhost, production, and a preview/staging environment, and only want to password-protect the latter:
<If "%{HTTP_HOST} == 'preview.example.com'">
AuthName "Preview Example"
AuthType Basic
AuthUserFile /example-path/.htpasswd
Require valid-user
</If>

Related

.htaccess - Disable basic auth for specific path

I run a testsystem with a htaccess basic auth:
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /var/www/html/.htpasswd
Require valid-user
I now want to disable this auth for all user who target the /api and /api/orders etc. of this server. I tried it with this:
SetEnvIf Request_URI "/api(.*)$" api_uri
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /var/www/html/.htpasswd
Require valid-user
Deny from all
Allow from env=api_uri
Satisfy any
But this does not work - mod_setenvif is enabled. Does anybody have an idea why this is not working?
Thanks!
Have it this way:
SetEnvIf Request_URI /api api_uri
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /var/www/html/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=api_uri
I normally just add a separate .htaccess file inside the api folder:
Satisfy any

Password protect EVERY directory with Apache

Is there a way to password protect every directory requested in Apache? So that regardless what location the request is for, it must be authenticated. Also, can this be done WITHOUT .htaccess, but just in a conf file somewhere?
I found this finally:
<DirectoryMatch ".">
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
AuthName "Protected Realm"
AuthType Basic
require valid-user
</DirectoryMatch>

Apache protect and Rewrite

I have a url www.mywebsite.com/admin and I want to password protect it using this
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user SomeUsername
However, the site is using a custom framework so /admin gets passed through index.php, so there isn't actually an admin folder so I can't put it in a .htaccess file in it. How can I protect that url using the above code?
You can combine mod_setenvif with mod_auth like this:
SetEnvIfNoCase Request_URI /admin SECURED
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user SomeUsername
Order allow,deny
Allow from all
Deny from env=SECURED
Satisfy any

htaccess and multiple htpasswd

I protected a couple of pages via the htaccess and htpasswd. Until now the site functioned well, but the last couple of days, we're experiencing some problems, and i wan't rule out this part of code.
My htaccess:
<Files "leiden.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd
Require valid-user
AuthType Basic
</Files>
<Files "alkmaar.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd2
Require valid-user
AuthType Basic
</Files>
<Files "vlaardingen.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd3
Require valid-user
AuthType Basic
</Files>
ErrorDocument 401 /error401.html
And the corresponding htpasswd's containing the encrypted name and password combination.
.htpasswd
aaa:bbbb
.htpasswd2
ccc:dddd
.htpasswd3
eee:ffff
Is it possible to use multiple htpasswd's in this way or is there a better/cleaner solution to use only one htaccess and only one htpasswd?
For some reason, the site regularly blocks a user's ip-adress as a safety-precaution and i want to rule this security-solution out as cause of the problem.
Thanx in advance.
Melkman
Is it possible to use multiple htpasswd's in this way or is there a better/cleaner solution to use only one htaccess and only one htpasswd?
Something that you could do is keep on htpasswd file, and instead of using Require valid-user, use the require with a specific username:
<Files "leiden.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd
Require user aaa
AuthType Basic
</Files>
<Files "alkmaar.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd
Require user bbb
AuthType Basic
</Files>
<Files "vlaardingen.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd
Require user ccc
AuthType Basic
</Files>
The mod_authz stuff (htpasswd/BASIC auth) isn't what's causing IP addresses to be blocked. Something else must be causing that.

Apache restrict access unless from localhost

The below code is in .htaccess file in /home/cuddle/test/
AuthUserFile "/home/cuddle/.htpasswds/test/passwd"
AuthType Basic
AuthName "Secure Area"
Require valid-user
This works fine, it will prompt for username & password, however when I add another rule to allow internal requests:
Allow from 127.0.0.1
Satisfy Any
It no longer prompts for password for outside users (non localhost) and seems to let all users through, no matter if they validate or what IP they are from. There are no other permissions/allow/deny present within .htaccess
Try this:
AuthUserFile "/home/cuddle/.htpasswds/test/passwd"
AuthType Basic
AuthName "Secure Area"
Require valid-user
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
Satisfy Any
I just signed up to StackOverflow because I stumbled to same problem, and after trial-and-error, the config above worked for me.
Simpler solution:
AuthUserFile "/home/cuddle/.htpasswds/test/passwd"
AuthType Basic
AuthName "Secure Area"
Require valid-user
Require local
Satisfy Any