Getting FilesMatch and Satisfy Any to work with sub directories - apache

I'm trying to lock down a tree of directories (but allow through image files) using the following .htaccess rule
AuthType Basic
AuthName "Test Sites. *Please Contact xxxxxxx for access.*"
AuthUserFile /home/www/testsites/.htpasswd
Require valid-user
<FilesMatch "\.(gif|jpe?g|png)$">
Satisfy Any
Allow from all
</FilesMatch>
However, when I try it, I'm still being asked to authenticate against images if the image is not directly within the httpdocs directory.
In other words
http://www.testsites.com/test.jpg would be allowed through, but
http://www.testsites.com/sitename/images/test.jpg is asking for authentication.
Any idea why this might be happening?

Try this alternative approach based on mod_setenvif:
SetEnvIfNoCase Request_URI "\.(gif|jpe?g|png)$" ALLOWED
AuthType Basic
AuthName "Test Sites. *Please Contact xxxxxxx for access.*"
AuthUserFile /home/www/testsites/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=ALLOWED

Not exactly sure why this is happening, as the <Files> and <FilesMatch> is supposed to get applied to all the subdirectories. You could try using SetEnvIf instead to match against the entire URI instead of relying on the apache core to first map the URL to a file:
SetEnvIf Request_URI \.(gif|jpe?g|png)$ no_auth=true
AuthType Basic
AuthName "Test Sites. *Please Contact xxxxxxx for access.*"
AuthUserFile /home/www/testsites/.htpasswd
Require valid-user
Satisfy Any
Deny from All
Allow from env=no_auth

Related

Permitting access to a dynamically generated folder/file with .htaccess

I have a site (running on a framework, so folders are virtual) with access blocked via .htaccess/.htpasswd, but I want to permit public access to one folder/file. I've tried all of the solutions suggested elsewhere but so far nothing has worked.
Here's the basic .htaccess contents:
AuthUserFile /var/www/vhosts/mysite.com/.htpasswd
AuthName "MySite Restricted Area"
AuthType Basic
Require valid-user
I want to allow access to the URL /api/user/create. I have tried the following variations, all to no effect:
<Files "create">
Allow from all
</Files>
<FilesMatch create$>
Allow from all
</FilesMatch>
SetEnvIf Request_URI "create" allow
Deny from all
Allow from env=allow
It seems like the filename create isn't recognised as a valid file, but I have no idea why the last one doesn't work. :(
The problem is you are using virtual folders. <Files *> only takes effect for files on the disk. You should use the <Location> directive instead.
https://httpd.apache.org/docs/2.4/en/mod/core.html#location

Password protect a cname subdomain with .htaccess?

I'm trying to build and test a "m." subdomain for a website I'm working on. "m.domain.com" is simply a cname for "domain.com" and will be used to set a server-side boolean so the mobile version of the site will serve exactly the same pages, just with different css and scripts.
While I'm testing, I want to require a password for all requests made to m.domain.com. I've tried several .htaccess variants on environment variable solutions, and this is what I have right now:
SetEnvIfNoCase Host m\.domain\.com is_mobile
AuthType basic
AuthName "Mobile site"
AuthUserFile ".htpasswd"
Require valid-user
Order allow,deny
Allow from all
Deny from env=is_mobile
Satisfy any
With this code, "domain.com" and "www.domain.com" display normally. "m.domain.com" prompts for a password as expected. However, once it's entered, the server returns a 500 error on any request.
Well, turns out that a little inversion and reordering did the trick.
SetEnvIfNoCase Host ^(www\.)domain\.com$ not_mobile
AuthType basic
AuthName "Mobile site"
AuthUserFile ".htpasswd"
Order deny,allow
Deny from all
Allow from env=not_mobile
Require valid-user
Satisfy any
I'm still curious to know why the other configuration created the 500 error, though, especially since it only occurred for the subdomain I wanted password protected.

How to protect part of a cakephp website for a stage deployment?

I have a cakephp project consisting of website URLs and a URL for an API, say:
http://myproject.com/controller1/someaction
http://myproject.com/controller2/someotheraction
http://myproject.com/api/controller1/someapiaction
For production deployment, the websites and API both handle authentication & authorization using cakephp's methods.
I would like to deploy the whole project on a staging server. There, the websites should be HTTP Auth protected, whilst the API should be unprotected (because I don't want to add auth to the API consumers). I do not want to change the project's sources or configuration and instead solve it via Apache configuration.
I tried several vhost configurations, basically following this scheme:
<LocationMatch "/api/.*">
Order allow,deny
Allow from all
Satisfy any
</LocationMatch>
<Location />
Order allow,deny
Allow from all
AllowOverride all
AuthType Basic
AuthName "myproject"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /path/to/.htgroup
Require group mytesters
</Location>
I also tried mixing Location & Directory directives, using Location or LocationMatch for both sections, negated regex for LocationMatch, separate vhosts for both sections, ... - none of this worked: Either the whole site was protected, or nothing.
Am I getting something really wrong, or is it just not possible (due to Apache or the the way cakephp handles rewrites)?
Try the following configuration:
<Directory /path/to/your/htdocs>
AuthType Basic
AuthName "myproject"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /path/to/.htgroup
Require valid-user
AllowOverride AuthConfig
</Directory>
<Location "/api">
Satisfy any
</Location>

Exclude folder from htpasswd

I need to password protect a website with a username/password but need to keep the "/assets" folder accessible as files like images/css are being embedded on other sites.
I have this for the protection:
Order Allow,Deny
AuthType Basic
AuthName "Password"
AuthUserFile /var/www/.htpasswd
Require valid-user
Satisfy Any
How can I specify to protect everything bar the /assets folder?
You'd use, in a .htaccess file in the assets/ directory:
Satisfy Any
Order Allow,Deny
Allow from all
See the examples here: http://httpd.apache.org/docs/2.2/mod/core.html#require

Apache basic authentication except for those Allowed

Problem: I have some files under /var/www/files/ that I want them to be accessed from specific IP addresses WITHOUT requiring user/password. However, I would like that any other IP address SHOULD require login to gain access.
This is in my httpd.conf:
<Directory /var/www/files/>
Order deny,allow
Deny from all
Allow from 192.168
AuthUserFile /etc/apache2/basic.pwd
AuthName "Please enter username and password"
AuthType Basic
Require user valid-user
</Directory>
But, if I understood correctly, this means that any client coming from 192.168.* will have access to that directory BUT will require a valid-user to view its content. And any other IP address will be denied. right?
Thank you in advance.
This is how it's done for Apache 2.4+ (since Satisfy Any is no longer supported).
<Directory /var/www/files/>
AuthType Basic
AuthName "Please enter your username and password"
AuthUserFile /var/www/files/.htpasswd
<RequireAny>
Require ip 22.33.44.55
Require valid-user
</RequireAny>
</Directory>
If you want to require both IP address -and- Login/Password, change <RequireAny> to <RequireAll>
I hope this helps someone - as it took me a while to figure it out.
edit: this may be accepted answer, but old. For new Apache installs, use Brians answer here
Add this: Satisfy Any (which means either of those 2 should be passed).
And the syntax is either:
Require valid-user
Or:
Require user <userid>
If your server is behind a proxy, you can't rely on the Require ip directly. However, you can use the Require env:
<Directory /var/www/files/>
AuthType Basic
AuthName "Please enter your username and password"
AuthUserFile /var/www/files/.htpasswd
SetEnvIF X-Forwarded-For "22.33.44.55" AllowIP
<RequireAny>
Require env AllowIP
Require valid-user
</RequireAny>
</Directory>
The source of the idea
At Apache 2.4+, if you also like to set a fixed username based on the IP block you could use AuthBasicFake directive together with runtime If directive.
This example with grant direct access to 22.33.44.55/32 and 66.77.88.99/32 and sets username demouser, all others must login.
<Location>
AuthType Basic
AuthName "Please enter your username and password"
AuthUserFile /var/www/files/.htpasswd
<If "-R '22.33.44.55/32' || -R '66.77.88.99/32'">
AuthBasicFake demouser
Require all granted
</If>
<Else>
Require valid-user
</Else>
</Location>
SetEnvIF X-Forwarded-For "192.168.135.159" AllowIP
SetEnvIF X-Forwarded-For "192.168.135.135" AllowIP
AuthType Basic
AuthName "admin"
AuthUserFile "/var/www/domain.com/cms/.htpasswd"
<RequireAll>
Require env AllowIP
require valid-user
</RequireAll>
İ also checked many variants. this code üorks with 2.4 version of apache 100%