How control access to specific folder using .htaccess? - apache

I am using a .htaccess file in Apache for controlling access to a folder. I would like to allow access to a specific folder. How can I do it?
AuthName "Admin page protected"
AuthType Basic
AuthUserFile "/var/www/demo/.htpasswd"
require user admin

You can use:
SetEnvIfNoCase Request_URI ^/folder/ NO_AUTH
AuthName "Admin page protected"
AuthType Basic
AuthUserFile "/var/www/demo/.htpasswd"
require user admin
Satisfy any
Order deny,allow
Deny from all
Allow from env=NO_AUTH
Alternative solution:
Create a file called version/.htaccess and place these lines:
Satisfy Any
Allow from all

Related

In htaccess, how to apply FilesMatch only to files in website root

In order to avoid access for specific files that are still under construction, I wrote these lines in the website root .htaccess. This worked perfectly:
<FilesMatch "login.php|reset.php|raport.php">
AuthUserFile /home/myaccount/public_html/.htpasswd
AuthType Basic
AuthName "Restricted area"
Require valid-user
</FilesMatch>
Afterwards, I installed phpBB under /forum. When I try to access its login page... I must authenticate first.
My big question is how to modify the FilesMatch condition in order to apply it for login.php in the website root, but not for login.php in other folders.
Thank you in advance!
You could use SetEnvIf against the URI only form root like this :
SetEnvIf Request_URI "^/?(login|reset|raport)\.php" PASS
AuthUserFile /home/myaccount/public_html/.htpasswd
AuthType Basic
AuthName "Restricted area"
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!PASS
So , form here SetEnvIf Request_URI "^/?(login|reset|raport)\.php you make sure that the URI is starting with login|reset|raport only and not sub-directory .

htaccess restrict authentification but exception on file

I've seen a few other relative posts but didn't find any solution.
I need to restrict a folder with authentification, it works.
But in this folder I need to keep one file access opened to everybody, I used this but it doesn't works :
AuthName "Admins Only"
AuthUserFile /home/dd/.htpasswd
AuthGroupFile /dev/null
AuthType basic
require user AuthorizedUser
Options -Indexes
<Files "admin-ajax.php">
Allow from all
Satisfy all
</Files>
Sorry for my bad english and thanks for help !
use SetEnv and Order directive :
#set variable if uri is "/admin-ajax.php"
SetEnvIf Request_URI ^/folder/admin-ajax\.php noauth=1
#auth
AuthName "Admins Only"
AuthUserFile /home/dd/.htpasswd
AuthGroupFile /dev/null
AuthType basic
require user AuthorizedUser
#Here is where we allow/deny
Order Deny,Allow
Satisfy any
Deny from all
Require user AuthorizedUser
Allow from env=noauth
This will let you access your admin-ajax.php without login to server.

Remove .htpasswd protection from a subfolder

I have protected my root folder using .htpasswd
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/a1199104/public_html/.htpasswd
Require user lamak
The above code deny access to my whole site/folder/subfolder, I have a subfolder public It has some public files .I want anyone to access this folder and files without password protection, is this possible.?
You can use SetEnv and Order directive to remove password protection :
Try :
#set env variable noauth if uri is "/public/files"
SetEnvIf Request_URI ^/public/ noauth=1
#auth
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/a1199104/public_html/.htpasswd
Require user lamak
#Here is where we allow/deny
Order Deny,Allow
Satisfy any
Deny from all
Require user lamak
Allow from env=noauth
Create a file called public/.htaccess and place this code:
Order allow,deny
allow from all
Satisfy any

Apache protect and Rewrite

I have a url www.mywebsite.com/admin and I want to password protect it using this
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user SomeUsername
However, the site is using a custom framework so /admin gets passed through index.php, so there isn't actually an admin folder so I can't put it in a .htaccess file in it. How can I protect that url using the above code?
You can combine mod_setenvif with mod_auth like this:
SetEnvIfNoCase Request_URI /admin SECURED
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user SomeUsername
Order allow,deny
Allow from all
Deny from env=SECURED
Satisfy any

htaccess password protect files with different users

I have a files server and I use mod_autoindex to server the files. I have a username and password in htaccess so only certain people can access the files. I have added another user to htpasswd but I would only like that user to access some of the files/folders.
Here is my htaccess file now:
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
<Files "filesForAnyUser\\*">
Require valid-user
</Files>
<Files "*">
Require user admin
</Files>
I'm sure I am doing something wrong but I can't find any good documentation on this.
If you have a folder called "filesForAnyUser" and a folder where you have files only for admin, you need to make 2 htaccess files. One in "filesForAnyUser":
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require valid-user
And one in the other directory:
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require user admin
So here is my final solution for anyone else.
Put the following in the root folder:
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require user admin
Put the following in any folder where admin and user1 can access the file:
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require user admin user1 #users separated by space or "Require valid-user" if all users
If you want to allow user1 to only access certain files you can use <FilesMatch>:
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require user admin
<FilesMatch "^(doc1.pdf|doc2.txt|doc3.docx)$">
Require user admin user1 #or valid-user
</FilesMatch>
This gives admin access to all files in that folder but user1 only access to the files listed in <FilesMatch>
Note: The files in <FilesMatch> are for the current directory and any sub directory. I'm not sure how to limit it to only the current directory.