I'm testing out Amazon Cloudfront in our dev environment, which is protected by .htaccess/.htpasswd. The password protection on the dev server is causing all of the cloudfront.net assets to be password protected as well. And no username/password combination works.
What I need to do is allow cloudfront to access the dev server by poking some holes in the .htaccess protection.
I can get a list of IP addresses here but since they are subject to change, I was wondering if anyone knew of a better way.
I cannot remove the password protection unfortunately.
Here's what I've been using:
SetEnvIf User-Agent ^Amazon Cloudfront$ cdn
SetEnvIf Host ^static.dev.website.com$ cdn # This could also be a cloudfront.net host
AuthType Basic
AuthName "Dev Site"
AuthUserFile /directory/location/.htpasswd
Require valid-user
Order Deny,Allow
Deny from all
Allow from env=cdn
Satisfy Any
Essentially, you need you exclude CloudFront-related requests, which the first two lines handle, in conjunction with the Allow from env=cdn line.
Related
Is it possible to require Basic Authentication for all but specified User Agents in Apache configuration?
P.S. I know that User Agents can be easily faked, but for my use case such conditional authentication would be enough.
After searching for quite a bit and experimenting, I came up with the answer. One needs these lines in their .htaccess file:
SetEnvIf User-Agent ^VipAgent1 vip_agent
SetEnvIf User-Agent ^VipAgent2 vip_agent
Order Allow,Deny
Allow from env=vip_agent
AuthType Basic
AuthName "Protected Login"
AuthUserFile /path/to/htpasswd
Require valid-user
Satisfy any
In addition, for this to work, one would need to make sure that mod_rewrite, mod_authn_file, and mod_setenvif are enabled in httpd.conf and also this directive is set there:
AllowOverride All
This configuration gives access for requests with User Agent starting "VipAgent1" and "VipAgent2", but asks for the authentication credentials for all other visitors.
In htaccess using Apache 2.2.x, is there a way to require a password and a certain IP address, and block outright everyone else?
I've tried all the Allow/Deny/Require/Satisfy combinations I could find or try. Maybe someone here has the answer? I did an extensive search but everyone is looking to allow bypassing a password for certain IP addresses, not demanding an IP and password.
I would suggest setting up your configuration to require just a password first, and once you have that working as intended. Add the correct allow from directive to the htaccess file. For example
Allow from 192.168.0.0
You should not need to add anything else as Satisfy All is the default, but if you are still having problems add this as well.
If you are still having problems show us the htaccess file and check the rest of your config for overriding configuration.
New config based on discussion below:
<Location />
Order allow,deny
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /path/to/htpasswd
Require valid-user
Satisfy all
Allow from 127.0.0.1
</Location>
Additional info, doesn't need the <Location> block if in htaccess
I have a question to a complex apache configuration (apache 2.2). Is the following possible, and if yes, how:
From some IPs access to particular files should be allowed without authentication.
From other IPs access to the same files should be allowed with authentication only.
From all other IPs access should not be allowed.
I've tried with
general:
Order deny,allow
deny from all
Then two blocks for the specified directory:
<Location /testverzeichnis/index.html>
AuthType Basic
AuthName "blabla"
Deny from all
Allow from <IP1>
AuthUserFile /srv/www/apache/.htpasswd
Require user scht
</Location>
This does work! I got a window for user/password, and on the second machine access is not allowed.
Then I tried to get access without password from the second machine:
<Location /testverzeichnis/index.html>
Deny from all
Allow from <IP2>
</Location>
But then I got the authentication box on the second machine!
Is this possible at all?
Thank you in advance!
Regards
Burkhard
"Satisfy any" in a single configuration section.
I'm trying to build and test a "m." subdomain for a website I'm working on. "m.domain.com" is simply a cname for "domain.com" and will be used to set a server-side boolean so the mobile version of the site will serve exactly the same pages, just with different css and scripts.
While I'm testing, I want to require a password for all requests made to m.domain.com. I've tried several .htaccess variants on environment variable solutions, and this is what I have right now:
SetEnvIfNoCase Host m\.domain\.com is_mobile
AuthType basic
AuthName "Mobile site"
AuthUserFile ".htpasswd"
Require valid-user
Order allow,deny
Allow from all
Deny from env=is_mobile
Satisfy any
With this code, "domain.com" and "www.domain.com" display normally. "m.domain.com" prompts for a password as expected. However, once it's entered, the server returns a 500 error on any request.
Well, turns out that a little inversion and reordering did the trick.
SetEnvIfNoCase Host ^(www\.)domain\.com$ not_mobile
AuthType basic
AuthName "Mobile site"
AuthUserFile ".htpasswd"
Order deny,allow
Deny from all
Allow from env=not_mobile
Require valid-user
Satisfy any
I'm still curious to know why the other configuration created the 500 error, though, especially since it only occurred for the subdomain I wanted password protected.
My hosting has multiple deployments of my site (dev, stage, production). How can I add HTTP Auth headers in my htaccess file if and only if the enviornment variable that they set is equal to 'dev'? (meaning they set a variable called SITE_ENVIRONMENT that can be dev, stage, or prod depending on which site you're accessing.
PS. I'm familiar with requiring authorization from htaccess in vanilla ways, but I'm totally lost when it comes to evaluating variables or writing a block based on the outcome.
You can use SetEnvIf to pattern match the domain and determine which environment to use.
SetEnvIfNoCase Host ^dev.domain.com$ is_on_dev_site
AuthType Basic
AuthName "Protected Login"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
Require valid-user
Deny from env=is_on_dev_site
#allow something like API usage to bypass
SetEnvIf Request_URI "(/api/.(.*))$" allow
Order deny,allow
Allow from env=allow
Satisfy any
Man: http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html
I'm not sure this is possible.
Theoreticaly, you can use:
RewriteCond %{ENV:SITE_ENVIRONMENT} ^dev$
to determine which environment you're in, but I can't think of how to write the RewriteRule to force a basic auth... unless you redirected to another page which handles the basic auth and resets the SITE_ENVIRONMENT variable to "dev-authenticated" or something.