htaccess passwort protect and allow from ip - apache

I know there are many questions about this topic, but i didn't found any solution that works.
I try to protect my web directory with htaccess password protection, but allow my local ip.
Somehow this doesn't work. On my local ip there is still password protection. If i use "Satisfy any" then the protection doesn't work at all and it is fully accessable.
<Directory "/srv/www/*">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 192.168.178.0/8
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/srv/www/.htpasswd"
Require valid-user
#Satisfy any
</Directory>
So if i understand documentation correctly:
Order Deny,Allow
First all Deny-rules are applied, and then the Allow-rules.

Related

How to allow Domain in .htaccess

I am trying to only allow access to my raspberry pi from my website which is hosted from a provider. I found the following in the internet:
order deny,allow
deny from all
allow from 192.168.0.0/24
allow from ..external ip to pi..
allow from hurl.it
When I want for example hurl.it to get access to my pi, the pi blocks anyway. Do I make mistake handling with domains in htaccess?
Thanks for every response.
UPDATE:
order deny,allow
deny from all
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
allow from localhost
allow from 192.168.1
allow from 127.0.0.1
allow from ..external ip to pi..
Satisfy Any
I tried this one for the basic authorization.
I suggest you look at using Apache basic auth instead of this method you are looking at. Basic auth is simple to set up, and then you just access your Pi as:
http://user:password#123.123.123.123/
Replacing 123.123.123.123 with you external IP at home.
Also look at setting up HTTPS so communication is encrypted.
Update
You don't need the allow directives when using basic auth. Just order allow,deny and allow from all. The basic auth will stop anyone who is not authenticated. So just use:
order allow,deny
Allow from all
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

Allowing anonymous users in Trac (apache/mod_wsgi)

I have trac installed and running great using apache2 and mod_wsgi. However when ever a user tries to access even the front page they are greeted with a login. I've tried several things, but everything I try either disables the authentication all together or won't allow unauthenticated users to view the site. Here's the authentication section of my httpd.conf file:
<Location '/'>
AuthType Basic
AuthName "Trac"
AuthUserFile /home/trac/.htpasswd
Require valid-user
</Location>
I'm almost certain that the solution lies int the require line but I've exhausted my ow creativity. Any thoughts?
EDIT: The answer I selected works great. The link given doesn't have instructions on connecting the password file to the system.
My memory is hazy, but the only solution I found when I had this issue was switching to from Apache authentication to the AccountManagerPlugin.
You can specify when apache should ask about password.
In trac when you select Login it will open site: /trac_folder/login
So defining location for authentication should do the trick.
Check my trac.conf:
WSGIScriptAlias /trac /var/lib/trac/apache/trac.wsgi
## This is required if you plan to use HTTP authorization. Without it the
## user name won't be passed
WSGIPassAuthorization On
<Directory /trac>
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
#AuthType Basic
#AuthName "TracHaselko"
#AuthUserFile /var/lib/trac/authfiles/htpasswd
#Require valid-user
</Directory>
<Location /trac/login>
AuthType Basic
AuthName "TracHaslo"
AuthUserFile /var/lib/trac/authfiles/htpasswd
Require valid-user
</Location>
In you file change:
<Location '/'>
to:
<Location '/login'>

Apache basic authentication except for those Allowed

Problem: I have some files under /var/www/files/ that I want them to be accessed from specific IP addresses WITHOUT requiring user/password. However, I would like that any other IP address SHOULD require login to gain access.
This is in my httpd.conf:
<Directory /var/www/files/>
Order deny,allow
Deny from all
Allow from 192.168
AuthUserFile /etc/apache2/basic.pwd
AuthName "Please enter username and password"
AuthType Basic
Require user valid-user
</Directory>
But, if I understood correctly, this means that any client coming from 192.168.* will have access to that directory BUT will require a valid-user to view its content. And any other IP address will be denied. right?
Thank you in advance.
This is how it's done for Apache 2.4+ (since Satisfy Any is no longer supported).
<Directory /var/www/files/>
AuthType Basic
AuthName "Please enter your username and password"
AuthUserFile /var/www/files/.htpasswd
<RequireAny>
Require ip 22.33.44.55
Require valid-user
</RequireAny>
</Directory>
If you want to require both IP address -and- Login/Password, change <RequireAny> to <RequireAll>
I hope this helps someone - as it took me a while to figure it out.
edit: this may be accepted answer, but old. For new Apache installs, use Brians answer here
Add this: Satisfy Any (which means either of those 2 should be passed).
And the syntax is either:
Require valid-user
Or:
Require user <userid>
If your server is behind a proxy, you can't rely on the Require ip directly. However, you can use the Require env:
<Directory /var/www/files/>
AuthType Basic
AuthName "Please enter your username and password"
AuthUserFile /var/www/files/.htpasswd
SetEnvIF X-Forwarded-For "22.33.44.55" AllowIP
<RequireAny>
Require env AllowIP
Require valid-user
</RequireAny>
</Directory>
The source of the idea
At Apache 2.4+, if you also like to set a fixed username based on the IP block you could use AuthBasicFake directive together with runtime If directive.
This example with grant direct access to 22.33.44.55/32 and 66.77.88.99/32 and sets username demouser, all others must login.
<Location>
AuthType Basic
AuthName "Please enter your username and password"
AuthUserFile /var/www/files/.htpasswd
<If "-R '22.33.44.55/32' || -R '66.77.88.99/32'">
AuthBasicFake demouser
Require all granted
</If>
<Else>
Require valid-user
</Else>
</Location>
SetEnvIF X-Forwarded-For "192.168.135.159" AllowIP
SetEnvIF X-Forwarded-For "192.168.135.135" AllowIP
AuthType Basic
AuthName "admin"
AuthUserFile "/var/www/domain.com/cms/.htpasswd"
<RequireAll>
Require env AllowIP
require valid-user
</RequireAll>
İ also checked many variants. this code üorks with 2.4 version of apache 100%

Apache authentification - letting users from X IP address in WITHOUT required password, others must type password

now my apache configuration looks like this:
<Directory /usr/share/myweb/>
AuthType Basic
AuthName "myweb"
AuthUserFile /etc/apache2/.passwords
Require user mw
</Directory>
It allows everyone to web, but require password.
I would like to let some users (from local IP) to be allowed to see the website without a need of authentification. For others it should stay like it is - require password.
How can I do that?
I supposed I could just do it with Allow from xxx.xx., but it still requires the password.
Thanks for help.
Thanks for answer...this made it:
<Directory /path/to/myweb/>
Order allow,deny
AuthType Basic
AuthName "myweb"
AuthUserFile /etc/apache2/.passwd
Order allow,deny
Require user myweb
Allow from your.ip.add
Satisfy Any
</Directory>myweb.com
I've wondered about this before so I had a look round.
http://www.electrictoolbox.com/apache-password-protect-allow-ip/
it suggests you need to add to your config. I suspect it may be the lack of satisfy any that is tripping the login request, but I haven't tried it.
satisfy any
deny from all
allow from 192.168.1.
So you get
<Directory /usr/share/myweb/>
AuthType Basic
AuthName "myweb"
AuthUserFile /etc/apache2/.passwords
Require user mw
satisfy any
deny from all
allow from 192.168.1.
</Directory>

Allow IP address without authentication

I have set up a site that is currently work in progress. I'm using an external SMS gateway that needs access to a script on my server. However, I have set up a basic username and password authentication for regular users, but the SMS gateway can't get through that.
How can I allow a single IP to pass through the authentication without authenticating itself, and deny all other users that aren't authenticated?
Here's my .htaccess file:
Order allow,deny
Allow from all
AuthType Basic
AuthUserFile /www/.site_htpasswd
AuthName "Protected Area"
require user admin
Just found out, with help from JoseK:
Order deny,allow
Deny from all
AuthType Basic
AuthUserFile /www/.site_htpasswd
AuthName "Protected Area"
require valid-user
Allow from 1.2.3.4
Satisfy Any
UPDATE: As of Apache 2.4, Order, Allow, Deny, and Satisfy directives should not be used anymore. So the new syntax is:
AuthType Basic
AuthUserFile /www/.site_htpasswd
AuthName "Protected Area"
<RequireAny>
Require ip 1.2.3.4
Require valid-user
</RequireAny>
Try changing first 2 lines to
Order deny,allow
Deny from all
Allow from 1.2.3.x
Replace your desired IP in the Allow from