htaccess password protect files with different users - apache

I have a files server and I use mod_autoindex to server the files. I have a username and password in htaccess so only certain people can access the files. I have added another user to htpasswd but I would only like that user to access some of the files/folders.
Here is my htaccess file now:
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
<Files "filesForAnyUser\\*">
Require valid-user
</Files>
<Files "*">
Require user admin
</Files>
I'm sure I am doing something wrong but I can't find any good documentation on this.

If you have a folder called "filesForAnyUser" and a folder where you have files only for admin, you need to make 2 htaccess files. One in "filesForAnyUser":
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require valid-user
And one in the other directory:
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require user admin

So here is my final solution for anyone else.
Put the following in the root folder:
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require user admin
Put the following in any folder where admin and user1 can access the file:
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require user admin user1 #users separated by space or "Require valid-user" if all users
If you want to allow user1 to only access certain files you can use <FilesMatch>:
AuthType Basic
AuthName "restricted"
AuthUserFile E:\\path\\to\\.htpasswd
Require user admin
<FilesMatch "^(doc1.pdf|doc2.txt|doc3.docx)$">
Require user admin user1 #or valid-user
</FilesMatch>
This gives admin access to all files in that folder but user1 only access to the files listed in <FilesMatch>
Note: The files in <FilesMatch> are for the current directory and any sub directory. I'm not sure how to limit it to only the current directory.

Related

Password protect EVERY directory with Apache

Is there a way to password protect every directory requested in Apache? So that regardless what location the request is for, it must be authenticated. Also, can this be done WITHOUT .htaccess, but just in a conf file somewhere?
I found this finally:
<DirectoryMatch ".">
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
AuthName "Protected Realm"
AuthType Basic
require valid-user
</DirectoryMatch>

Remove .htpasswd protection from a subfolder

I have protected my root folder using .htpasswd
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/a1199104/public_html/.htpasswd
Require user lamak
The above code deny access to my whole site/folder/subfolder, I have a subfolder public It has some public files .I want anyone to access this folder and files without password protection, is this possible.?
You can use SetEnv and Order directive to remove password protection :
Try :
#set env variable noauth if uri is "/public/files"
SetEnvIf Request_URI ^/public/ noauth=1
#auth
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/a1199104/public_html/.htpasswd
Require user lamak
#Here is where we allow/deny
Order Deny,Allow
Satisfy any
Deny from all
Require user lamak
Allow from env=noauth
Create a file called public/.htaccess and place this code:
Order allow,deny
allow from all
Satisfy any

How control access to specific folder using .htaccess?

I am using a .htaccess file in Apache for controlling access to a folder. I would like to allow access to a specific folder. How can I do it?
AuthName "Admin page protected"
AuthType Basic
AuthUserFile "/var/www/demo/.htpasswd"
require user admin
You can use:
SetEnvIfNoCase Request_URI ^/folder/ NO_AUTH
AuthName "Admin page protected"
AuthType Basic
AuthUserFile "/var/www/demo/.htpasswd"
require user admin
Satisfy any
Order deny,allow
Deny from all
Allow from env=NO_AUTH
Alternative solution:
Create a file called version/.htaccess and place these lines:
Satisfy Any
Allow from all

Apache protect and Rewrite

I have a url www.mywebsite.com/admin and I want to password protect it using this
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user SomeUsername
However, the site is using a custom framework so /admin gets passed through index.php, so there isn't actually an admin folder so I can't put it in a .htaccess file in it. How can I protect that url using the above code?
You can combine mod_setenvif with mod_auth like this:
SetEnvIfNoCase Request_URI /admin SECURED
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user SomeUsername
Order allow,deny
Allow from all
Deny from env=SECURED
Satisfy any

htaccess and multiple htpasswd

I protected a couple of pages via the htaccess and htpasswd. Until now the site functioned well, but the last couple of days, we're experiencing some problems, and i wan't rule out this part of code.
My htaccess:
<Files "leiden.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd
Require valid-user
AuthType Basic
</Files>
<Files "alkmaar.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd2
Require valid-user
AuthType Basic
</Files>
<Files "vlaardingen.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd3
Require valid-user
AuthType Basic
</Files>
ErrorDocument 401 /error401.html
And the corresponding htpasswd's containing the encrypted name and password combination.
.htpasswd
aaa:bbbb
.htpasswd2
ccc:dddd
.htpasswd3
eee:ffff
Is it possible to use multiple htpasswd's in this way or is there a better/cleaner solution to use only one htaccess and only one htpasswd?
For some reason, the site regularly blocks a user's ip-adress as a safety-precaution and i want to rule this security-solution out as cause of the problem.
Thanx in advance.
Melkman
Is it possible to use multiple htpasswd's in this way or is there a better/cleaner solution to use only one htaccess and only one htpasswd?
Something that you could do is keep on htpasswd file, and instead of using Require valid-user, use the require with a specific username:
<Files "leiden.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd
Require user aaa
AuthType Basic
</Files>
<Files "alkmaar.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd
Require user bbb
AuthType Basic
</Files>
<Files "vlaardingen.html">
AuthName "Name and Password"
AuthUserFile /var/www/fullpath to/.htpasswd
Require user ccc
AuthType Basic
</Files>
The mod_authz stuff (htpasswd/BASIC auth) isn't what's causing IP addresses to be blocked. Something else must be causing that.