I have a development server and a live server. Both use the same .htaccess but I want the development server to be password protected. When I copy the .htaccess file over to the live, I get a 500 error. Does .htaccess offer some way to only password protect directories using conditionals like IF?
what I'm using:
<Directory "/home/my/path/to/development/site/">
AuthName "Restricted Area 52"
AuthType Basic
AuthUserFile /home/my/path/to/development/site/.htpasswd
AuthGroupFile /dev/null
require valid-user
</Directory>
Could really use some help.
You can't have <Directory> containers inside an htaccess file, but you can conditionally turn on or off HTTP auth based on an environment varaible.
So for example, say your production site is http://production.example.com and your dev site is http://dev.example.com then you can check against the HTTP Host and set an environment variable:
SetEnvIfNoCase Host ^dev\.example\.com$ require_auth=true
Or, if the path is different, say your production site is http://example.com/ and dev site is http://example.com/dev/, then you can check against the requested URI:
SetEnvIfNoCase Request_URI ^/dev/ require_auth=true
There's several other checks you can make that's outlined in the mod_setenvif. Either way, you want to set require_auth=true when it's a request for dev. Then you setup your auth stuff to use Satisfy Any:
# Auth stuff
AuthUserFile /home/my/path/to/development/site/.htpasswd
AuthName "Restricted Area 52"
AuthType Basic
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
So if require_auth isn't set, then no auth is required, and your SetenvIf should set it if it's a dev request.
Related
I want to configure universal .htaccess file for my application to protect my testing server. I want to display basic auth for any request that comes from public IP, only if current server is testing.
How to archieve this? I know how to protect domain and exclude some IP:
AuthType Basic
AuthName "Please Log In"
AuthUserFile /some/path/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from 127.0.0.1
Satisfy any
But how I can let this code run only if server is dev/testing? I can't change env variables. I thought about detecting domain (server that I want to protect is on subdomain), and place code from above in some sort of if block, but I don't know how.
You use mod_setenvif to set an env variable based on current host and use it auth later:
SetEnvIfNoCase Host ^sub\.domain\.com$ SECURED
AuthType Basic
AuthName "Please Log In"
AuthUserFile /some/path/.htpasswd
Require valid-user
Order Allow,Deny
Allow from 127.0.0.1
Deny from env=SECURED
Satisfy any
I have 2 virtual hosts under one domain: a.mydomain.com, b.mydomain.com.
And in the global configuration of apache I have the following:
<Directory />
Options FollowSymLinks
AllowOverride None
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider file
AuthUserFile /etc/httpd/password_http_auth
Require user mydomain_user
</Directory>
This works well for all the virtual hosts to have basic auth protection. However, I need to enter username and password for a.mydomain.com and b.mydomain after I went to mydomain.com and authenticate there.
So my question is: is there a way to do authentication on mydomain.com only and that user do not need to enter username and password again for all the virtual hosts under this domain?
Thanks advance.
Any configuration done in the httpd.conf or apache2.conf is a global configuration and will apply to all of your configured sites.
To only have it apply to one of the sites. Move the auth configurations to the specific virtual host configuration file
<Directory />
# keep these
Options FollowSymLinks
AllowOverride None
# move these to the vhost configuration you want to protect
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider file
AuthUserFile /etc/httpd/password_http_auth
Require user mydomain_user
</Directory>
This might be useful for someone:
I have a single virtual host with many aliases. It is a multisite set up with a single source code for multiple websites. I needed a basic authentication for some of the hosts but not for others while the virtual host is common for all the hosts/domains.
Here is ow I did it and it works fine (Apache 2.4 / Ubuntu 18LTS):
SetEnvIf Host "secure\.host\.com" SECURED
SetEnvIfNoCase Request_URI "^/secure-dir/" SECURED
AuthType Basic
AuthName "Basic Auth Message"
AuthUserFile /var/www/public-html/.htpasswd
Require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=SECURED
In the above example I also have a secured directory (line 2) which works with regular expression so it will match with any file in that directory.
On line 1 is the secured host name. Please note the backslash before each dot character!
Add as many lines for hosts or directories as you need.
I'm trying to build and test a "m." subdomain for a website I'm working on. "m.domain.com" is simply a cname for "domain.com" and will be used to set a server-side boolean so the mobile version of the site will serve exactly the same pages, just with different css and scripts.
While I'm testing, I want to require a password for all requests made to m.domain.com. I've tried several .htaccess variants on environment variable solutions, and this is what I have right now:
SetEnvIfNoCase Host m\.domain\.com is_mobile
AuthType basic
AuthName "Mobile site"
AuthUserFile ".htpasswd"
Require valid-user
Order allow,deny
Allow from all
Deny from env=is_mobile
Satisfy any
With this code, "domain.com" and "www.domain.com" display normally. "m.domain.com" prompts for a password as expected. However, once it's entered, the server returns a 500 error on any request.
Well, turns out that a little inversion and reordering did the trick.
SetEnvIfNoCase Host ^(www\.)domain\.com$ not_mobile
AuthType basic
AuthName "Mobile site"
AuthUserFile ".htpasswd"
Order deny,allow
Deny from all
Allow from env=not_mobile
Require valid-user
Satisfy any
I'm still curious to know why the other configuration created the 500 error, though, especially since it only occurred for the subdomain I wanted password protected.
My hosting has multiple deployments of my site (dev, stage, production). How can I add HTTP Auth headers in my htaccess file if and only if the enviornment variable that they set is equal to 'dev'? (meaning they set a variable called SITE_ENVIRONMENT that can be dev, stage, or prod depending on which site you're accessing.
PS. I'm familiar with requiring authorization from htaccess in vanilla ways, but I'm totally lost when it comes to evaluating variables or writing a block based on the outcome.
You can use SetEnvIf to pattern match the domain and determine which environment to use.
SetEnvIfNoCase Host ^dev.domain.com$ is_on_dev_site
AuthType Basic
AuthName "Protected Login"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
Require valid-user
Deny from env=is_on_dev_site
#allow something like API usage to bypass
SetEnvIf Request_URI "(/api/.(.*))$" allow
Order deny,allow
Allow from env=allow
Satisfy any
Man: http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html
I'm not sure this is possible.
Theoreticaly, you can use:
RewriteCond %{ENV:SITE_ENVIRONMENT} ^dev$
to determine which environment you're in, but I can't think of how to write the RewriteRule to force a basic auth... unless you redirected to another page which handles the basic auth and resets the SITE_ENVIRONMENT variable to "dev-authenticated" or something.
Say I have a htaccess file shared by "dev.server" and "server.site.com".
The first domain should allow all users to access it unchallenged (it only exists on my local development server).
The second domain I want to authenticate users with Apache (NOT by database).
The code to authenticate users is:
AuthType Basic
AuthName "Server Admin"
AuthUserFile "/path/to/passwd"
require valid-user
What I can't do is make those 4 lines only matter if the domain is "server.site.com". How can I do this?
I searched for something like <IfEnv HTTP_HOST "site.server.com"> but had no luck.
This appears to work, still need to do some testing on it though.
Order Deny,Allow
Deny from all
SetEnvIf Host domain.for.no.auth dev
Allow from env=dev
AuthUserFile .pwd
AuthType Basic
AuthName MySite
Require valid-user
Satisfy Any
As far as I know, this can't be done in a .htaccess file. You'd have to put this into a Directory or VirtualHost section, both of which can't be used in a .htaccess file.
You would have to define it in two separate files, or directly in the server's configuration in the VirtualHost section.