I protected a couple of pages via the htaccess and htpasswd. Until now the site functioned well, but the last couple of days, we're experiencing some problems, and i wan't rule out this part of code.
My htaccess:
<Files "leiden.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd
Require valid-user
AuthType Basic
</Files>
<Files "alkmaar.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd2
Require valid-user
AuthType Basic
</Files>
<Files "vlaardingen.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd3
Require valid-user
AuthType Basic
</Files>
ErrorDocument 401 /error401.html
And the corresponding htpasswd's containing the encrypted name and password combination.
.htpasswd
aaa:bbbb
.htpasswd2
ccc:dddd
.htpasswd3
eee:ffff
Is it possible to use multiple htpasswd's in this way or is there a better/cleaner solution to use only one htaccess and only one htpasswd?
For some reason, the site regularly blocks a user's ip-adress as a safety-precaution and i want to rule this security-solution out as cause of the problem.
Thanx in advance.
Melkman
Is it possible to use multiple htpasswd's in this way or is there a better/cleaner solution to use only one htaccess and only one htpasswd?
Something that you could do is keep on htpasswd file, and instead of using Require valid-user, use the require with a specific username:
<Files "leiden.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd
Require user aaa
AuthType Basic
</Files>
<Files "alkmaar.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd
Require user bbb
AuthType Basic
</Files>
<Files "vlaardingen.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd
Require user ccc
AuthType Basic
</Files>
The mod_authz stuff (htpasswd/BASIC auth) isn't what's causing IP addresses to be blocked. Something else must be causing that.
Related
I run a testsystem with a htaccess basic auth:
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /var/www/html/.htpasswd
Require valid-user
I now want to disable this auth for all user who target the /api and /api/orders etc. of this server. I tried it with this:
SetEnvIf Request_URI "/api(.*)$" api_uri
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /var/www/html/.htpasswd
Require valid-user
Deny from all
Allow from env=api_uri
Satisfy any
But this does not work - mod_setenvif is enabled. Does anybody have an idea why this is not working?
Thanks!
Have it this way:
SetEnvIf Request_URI /api api_uri
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /var/www/html/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=api_uri
I normally just add a separate .htaccess file inside the api folder:
Satisfy any
I've 2 domains e.g. foo.com and bar.com which share the same document root.
The sites are protected by a .htaccess file
AuthUserFile ../.htpasswd
AuthName "No Access"
AuthType Basic
<Limit GET POST PUT>
require valid-user
</Limit>
how can I set the AuthUserFile depending on the host?
pseudocode:
if (host == foo.com) {
AuthUserFile ../.htpasswd_foo
} else {
AuthUserFile ../.htpasswd_bar
}
AuthName "No Access"
AuthType Basic
<Limit GET POST PUT>
require valid-user
</Limit>
If this is not possible are there any other ways to get different logins for the 2 domains?
Try setting it up like this:
#site1.com
setenvIfNoCase Host site1\.com pass_1
AuthType Basic
AuthName "Site1.com Login Required"
AuthUserFile "/home/userdir/.htpasswds/site1.pwd"
Require valid-user
Order allow,deny
Allow from all
Deny from env=pass_1
Satisfy any
#site2.com
setenvIfNoCase Host site2\.com pass_2
AuthType Basic
AuthName "Site2.com Login Required"
AuthUserFile "/home/user_dir/.htpasswds/site2.pwd"
Require valid-user
Order allow,deny
Allow from all
Deny from env=pass_2
Satisfy any
The below code is in .htaccess file in /home/cuddle/test/
AuthUserFile "/home/cuddle/.htpasswds/test/passwd"
AuthType Basic
AuthName "Secure Area"
Require valid-user
This works fine, it will prompt for username & password, however when I add another rule to allow internal requests:
Allow from 127.0.0.1
Satisfy Any
It no longer prompts for password for outside users (non localhost) and seems to let all users through, no matter if they validate or what IP they are from. There are no other permissions/allow/deny present within .htaccess
Try this:
AuthUserFile "/home/cuddle/.htpasswds/test/passwd"
AuthType Basic
AuthName "Secure Area"
Require valid-user
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
Satisfy Any
I just signed up to StackOverflow because I stumbled to same problem, and after trial-and-error, the config above worked for me.
Simpler solution:
AuthUserFile "/home/cuddle/.htpasswds/test/passwd"
AuthType Basic
AuthName "Secure Area"
Require valid-user
Require local
Satisfy Any
What is the htaccess lines/config I would require to ensure that all parts of my site (files & URLs) are protected by authentication, EXCEPT for a given limited set of URLs. For example all except "/api/.*" if this makes sense.
The actually authentication could be like the below, but it's how I wrap this in the directives...
AuthName "Dialog prompt" AuthType
Basic AuthUserFile
/home/site/.htpasswd Require
valid-user
thanks
this seems to work:
AuthUserFile /home/.htpasswd
AuthName "Password Protected"
authtype Basic
Order Deny,Allow
Satisfy any
SetEnvIf request_uri "/api/" allow_all
Deny from all
Require valid-user
Allow from env=allow_all
You could use SetEnvIf and <IfDefine>:
SetEnvIf Request_URI ^/api/ no_auth_req
# If no_auth_req is NOT defined then require authentication
<IfDefine !no_auth_req>
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/site/.htpasswd
Require valid-user
</IfDefine>
I have a new website I'm working on that the client wants to keep a secret, but at the same time, I want to put an under construction page with some info on it. I would like to have everything except index.html require a user/password--index.html would be available to everyone.
I have the following, but I'm not sure what I need to add:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/file/.htpasswd
AuthGroupFile /dev/null
require valid-user
There are too many files and possibly new files to say "for this set of files require a user/password".
I think it has something to do with something similar to:
<Files index.html>
order deny,allow
allow from all
</Files>
But I'm not exactly sure how.
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/file/.htpasswd
AuthGroupFile /dev/null
<Files "*">
Require valid-user
</Files>
<Files "index.html">
Allow from all
Satisfy any
</Files>
I used empi response almost exactly, but I realized that I'm loading a logo and reset-min.css on the under construction page, so I modified it like the following:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/examplecom/example.com/html/.htpasswd
AuthGroupFile /dev/null
<Files "*">
Require valid-user
</Files>
<FilesMatch "(index\.html|reset-min\.css|logo-temp\.gif)$">
Allow from all
Satisfy any
</FilesMatch>
have you tried reversing the order to first allow, then deny?
For further reading: apache htaccess directive are a good reference.