RewriteRule / HTTP auth for one url - apache

I want to redirect "?p_id=62" to http authentification but it does not work.
my conf:
<LocationMatch ^/>
RewriteCond %{QUERY_STRING} !^\?p_id=62$
RewriteRule ^ - [E=NO_AUTH:1,L]
Order deny,allow
Deny from all
AuthType basic
AuthName "Auth Needed"
AuthUserFile "/var/www/site/.htpasswd"
Require valid-user
Allow from env=NO_AUTH
Satisfy Any
</LocationMatch>
Can anyone help?

You don't need to match the ? part of the query string:
RewriteCond %{QUERY_STRING} !^p_id=62$
RewriteRule ^ - [E=NO_AUTH:1,L]
However, this is not going to work. The mod_auth modules are applied before mod_rewrite gets applied, so by the time the rewrite rule checks the query string to set the environment variable, mod_auth has already flagged the request as a 401 (needs auth). You might have to settle for a scripted solution, like:
RewriteCond %{QUERY_STRING} !^\?p_id=62$
RewriteRule ^ /auth_script.php [L]
<Files "auth_script.php">
Order deny,allow
Deny from all
AuthType basic
AuthName "Auth Needed"
AuthUserFile "/var/www/site/.htpasswd"
Require valid-user
</Files>
and the auth_script.php will simply load the content at the $_SERVER['REQUEST_URI'] URI and return it to the browser (not redirect).

Related

How to bypass htpasswd auth on a specific route

mi site has apache authorization but I need to allow access to a certain url request. This url request does not represent an existing file or directory.
This is my .htaccess:
First i tried this approach:
AuthName "Required login"
AuthType Basic
AuthUserFile C:\path\to\apache\.htpasswd
Require expr %{REQUEST_URI} =~ ^specialUrl$
Require valid-user
This gives me an internal server error 500
I've tried:
%{REQUEST_URI} == ^specialUrl$
"%{REQUEST_URI} =~ ^specialUrl$"
I'm not sure how the expression is supposed to be evaluated. I guess i have a syntax error.
Second approach:
As i've seen on this other answer I tried setting an env variable
## Grant access to webhook uri
SetEnvIf Request_URI ^/specialUri noauth=1
## Auth config
AuthName "Required login"
AuthType Basic
AuthUserFile C:\path\to\apache\.htpasswd
Require valid-user
## Allow Deny
Order Deny,Allow
Satisfy any
Deny from all
Allow from env=noauth
This resulted on a 401 error Authentication Required when I POST from a http client.
Authentication required!
This server could not verify that you are authorized to access
the URL
"/specialUri".
You either supplied the wrong credentials (e.g., bad password), or your
browser doesn't understand how to supply the credentials required.
In case you are allowed to request the document, please
check your user-id and password and try again.
.htaccess file:
## Grant access to webhook uri
SetEnvIf Request_URI "\specialUri" noauth
## Auth config
AuthName "Required login"
AuthType Basic
AuthUserFile C:\path\to\.htpasswd
## Allow Deny
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=noauth
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
</IfModule>
I don't really understand why but it seemed that there was a redirection on my site. This was fixed adding another allow directive:
AuthType Basic
AuthName "Required login"
AuthUserFile C:\path\to\.htpasswd
Require valid-user
SetEnvIf Request_URI "mySpecialUri$" allow
Order deny,allow
Deny from all
Allow from env=webhook
Allow from env=REDIRECT_noauth
Allow from 127.0.0.1
Satisfy any
Note that SetEnvIf Request_URI "mySpecialUri$" is using the latest part of the uri. This is because the redirection I mentioned was generating a longer uri.
The Allow from env=REDIRECT_noauth fixed the problem

Getting .htaccess to allow access for specified IP, but request .htpasswd user + password if from any other IP

Ive got a site that im trying to set an .htaccess / .htpasswd password restriction on, but at the same time allow any users with a specific IP address access.
So far ive implemented this as below in my .htaccess file, but for some reason this dosnt work, if i visit the site, no matter from which IP address it allows access, if i comment out the line order deny,allow above the Allow from 192.87.22.18 line, the password protection works, but will request an IP from everyone, even if visiting from the 192.87.22.18 IP (note - not my real IP)
(I haven't published my .htpasswd file for obvious reasons, but it is 1 line containing 1 hashed password)
Any ideas ?
<Files ~ "^\.(htaccess|.htpasswd)$">
deny from all
</Files>
DirectoryIndex index.php
RewriteEngine on
RewriteCond %{HTTP_HOST} ^(www\.example\.example\.co\.uk)(:80)? [NC]
RewriteRule ^(.*) http://example.example.co.uk/$1 [R=301,L]
order deny,allow
<Files ~ "^\.(htaccess|.htpasswd)$">
deny from all
</Files>
AuthType Basic
AuthName "Please enter your ID and password"
AuthUserFile /var/www/vhosts/example.co.uk/subdomains/example/httpdocs/.htpasswd
AuthGroupFile /dev/null
require valid-user
order deny,allow
Allow from 192.87.22.18
# satisfy any
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^index\.php(/(.*)|$) %{CONTEXT_PREFIX}/$2 [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule .? - [L]
RewriteCond %{REQUEST_URI}::$1 ^(/.+)(.+)::\2$
RewriteRule ^(.*) - [E=BASE:%1]
RewriteRule .? %{ENV:BASE}index.php [L]
Through trial and error i ended up using the below which works on apache 2.0, taken from here : https://perishablepress.com/htaccess-password-protection-tricks/
In the above article they wrapped the code block in <IfModule mod_auth.c>
which was causing the code not to run (as i guess the if block equated to false on this server) so i removed them.
# password protect excluding specific ip
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
Allow from 111.222.333.444
Satisfy Any
4 you should use:
AuthType Basic
AuthUserFile c:/wamp/www/_test/www/.htpasswd
AuthName "Protected Area"
<RequireAny>
Require ip 127.0.0.1
Require valid-user
</RequireAny>
order, deny, allow are now Deprecated.

How to apply an htaccess rule only on https

So I have a protected folder on a site with an htaccess that forces https and uses basic authentication. The problem is that if I go there using http, it asks for authentication before transferring to https, and then asks for authentication again. Is there a way to make it transfer to https before it prompts me?
Here is the htaccess:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} folder
RewriteRule ^(.*)$ https://site.net/folder/$1 [R,L]
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/user/site.net/folder/.htpasswd
Require valid-user
Update: I've decided to implement my own auth system to bypass this issue.
This is what you can do to show authentication only once:
Set a cookie while redirecting from http to https
Using SetEnvIfNoCase disable authentication when cookie is set
Code you can use:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^filder https://%{HTTP_HOST}/folder%{REQUEST_URI} [R,L,NC,CO=NO_AUTH:1:%{HTTP_HOST}]
SetEnvIfNoCase COOKIE NO_AUTH=1 OKAY
AuthType Basic
AuthName "Dialog prompt"
AuthUserFile /home/user/site.net/folder/.htpasswd
Require valid-user
Order allow,deny
allow from all
deny from env=OKAY
Satisfy any
If you are on Apache 2.4, you can apparently use the conditional structure within your htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
<If "%{HTTPS} == 'on'">
AuthType basic
AuthName "Private"
AuthUserFile /path/to/passwordfile
Require valid-user
</If>

using rewrite condition with allow and Satisfy directive

I want to create a rule that allows only the https request to be prompted for user credentials and the http request to be redirected .
SetEnvIfNoCase IS_SSL .*yes.* HTTPS_REQUEST
<Files *>
AuthType Basic
AuthName "MyFirstPage"
AuthBasicProvider file
AuthUserFile /indexing/.pwd
Require valid-user
Order Deny,Allow
Allow from env!=HTTPS_REQUEST
Satisfy All
</Files>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{ENV:IS_HTTPS_REQUEST} off [NC]
RewriteCond %{THE_REQUEST} ^GET [NC]
RewriteRule ^(.*)/Mydata.php https://%{HTTP_HOST}/x1/Mydata.php [R=301,L]
</IfModule>
The above code is prompting for the password for both http and https request . Can you please suggest
Regards
You need to change "All" to "Any"
Satisfy Any
That way if the env!=HTTPS_REQUEST is true, the Require valid-user doesn't need to be satisfied.

apache password protect specific URL

I need to password protect on specific URL, for instance anyone can access index.php but as soon as they add parameters or "GET" variables I must require valid-user.
index.php -> sweet
index.php?prev=1 -> require valid user
Interesting question.
Here's a solution:
<Location /fakeindex.php>
Order Deny,Allow
Deny from All
Allow from env=REDIRECT_STATUS
AuthType Basic
AuthUserFile /pathto/htpasswd/file/passwords.secret
AuthName This is an example auth
Require valid-user
</Location>
<Directory /path/to/doc/root>
Order allow,deny
allow from all
RewriteEngine On
RewriteCond %{QUERY_STRING} .
RewriteCond %{REQUEST_URI} index.php
RewriteRule .* fakeindex.php [L,QSA]
</Directory>
This part:
Order Deny,Allow
Deny from All
Allow from env=REDIRECT_STATUS
is there to prevent a direct access to /fakeindex.php (but in fact who would like to enforce a direct access to a protected zone). It's optionnal.
The key point is that theses condition Rules detect a non empty Query string, and a request to index.php:
RewriteCond %{QUERY_STRING} .
RewriteCond %{REQUEST_URI} index.php
And that if they match the Rule:
RewriteRule .* fakeindex.php [L,QSA]
Redirect internally the request to /fakeindex.php, keeping the query string with QSA. After that the Location is applied, and authentification is on the Location.
You could use the isset() method on the get variable eg:
if (isset($_GET['prev'])) {
//load password input form
}