password protect multiple directories via htaccess - apache

I am able to password protect directories via the htaccess file at the root of my site (I have to use one htaccess file in my site root because of my CMS). The issue I'm having is assigning users to each directory I want to protect. I can create multiple users and password protect multiple directories, but any user will work for any protected directory. For example:
example.com/section-one should be private and accessed by user "one".
example.com/section-two should be private and accessed by user "two".
However any user will work on either section and once users log into one they have access to the others without being asked for a password. I know it is an issue with my htaccess file. I tried using but can't seem to figure out the formatting. All the information online shows how to do this for files, but directories just isn't as easy to find help on.
I am using this:
<IfModule mod_authn_file.c>
SetEnvIf Request_URI "^/section-one.*$" private
AuthName "Password Needed"
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /www/server/.htpasswd
Require user one
Order Deny,Allow
Deny from env=private
Satisfy any
</IfModule>
<IfModule mod_authn_file.c>
SetEnvIf Request_URI "^/section-two.*$" private
AuthName "Password Needed"
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /www/server/.htpasswd
Require User two
Order Deny,Allow
Deny from env=private
Satisfy any
</IfModule>

.htaccess files are used for applying specific configuration directives to the directories in which they are located. It is not possible to use one .htaccess file to specify different configurations for different directories. You either need to put your access controls in the server/vhost configuration file or use one .htaccess per directory.

Related

How to upload a htaccess file with htpasswd?

I am trying to protect my directory with apache password protection, basically their is a subdirectory named reg in my /var/www folder. now, I have .htaccess in the /var/www/reg folder and the content is
AuthUserFile /var/www/.htpasswd
AuthName "Please Log In"
AuthType Basic
require valid-user
and a .htpasswd file in /var/www folder and the content is
xyz:AFm9t1CfobrkA
but when I try to access the folder typing localhost/reg no pop up box appear asking for username and password. Where am I wrong?
I have .htaccess file like this:
AuthUserFile /data/www/.../http-users
AuthType Basic
AuthName "private"
require user cf
And it works. What you could do:
Detect the possible cause by looking into the error log. In many cases you have access to it even on hosting environments
Make sure AllowOverride AuthConfig is set. You cannot set it in .htaccess, you must do it in the server configuration file. In a hosting environment, you have to ask your hosting provider.
Not very likely, but it could be the dot - try to rename the .htpasswd file to htpasswd
Its definitelly not caused by missing the <directory> container as noted in the discussion

protect only one folder in apache with password

The question is that I want to protect only one folder "admin", I was using this in my .htaccess placed in /home/my_home/public_html
AuthName "message"
AuthType Basic
AuthUserFile /home/my_home/.htpasswd
require valid-user
but this protect all my site whilst I want to protect actually /home/my_home/public_html/admin. IN my error log I see:
/home/myhome/public_html/admin/.htaccess: <Directory not allowed here
You have to put the .htaccess file into your admin folder.
The configuration directives found in a .htaccess file are applied to the directory in which the .htaccess file is found, and to all subdirectories thereof. see Apache documentation

Allow some sub-directories of directiories that have restricted access by .htaccess

with .htaccess i created auth limitation on some directories, and i want to allow access to only one of their subdirectory. can you help me how to achieve that?
tnx in adv!
UPDATED: my current .htaccess contains next:
AuthUserFile /var/www/mysite/httpdocs/passwds/.htpasswd
AuthGroupFile /dev/null
AuthName "In development..."
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
If you put .htaccess in one directory, that specific directory and all its children, receive same policy. That means, if you put in any children directory another .htaccess file, it can modify any previously defined policy, same as its parent .htaccess.
Add "Satisfy Any" to the child .htaccess
Order allow,deny
Allow from all
Satisfy any
See apache "Satisfy" docs, it SHOULD work, as this is only solution.

Have sub directory not be password protected using Apache's .htaccess

Currently on my server I have a .htaccess file in the root of my web directory -
AuthUserFile /path/to/root/www/.htpasswd
AuthType Basic
AuthName "Economic Complexity Observatory"
Require valid-user`
And this works great properly password protecting my whole site. The only problem is that I have this one sub directory that I DON'T WANT to to be password protected. Is there a way to specify that one specific directory will be free of password protection?
There is a way just using .htaccess. I saw this answer elsewhere
Just create an .htaccess file in the non-password protected subdirectory with the content:
Satisfy any
and that's it.
It worked for me.
If you have access to httpd.conf you can use the following (the "directory" directive cannot be used in .htaccess):
<Directory />
AuthUserFile /path/to/root/www/.htpasswd
AuthType Basic
AuthName "Economic Complexity Observatory"
Require valid-user
</Directory>
<Directory /path/to/unprotected/dir>
Satisfy All
</Directory>
I am not aware of a way to do it with htaccess without putting a separate .htaccess in each directory excluding the directory that should not be protected.

htaccess: only do [some lines of code] for one domain, no others

Say I have a htaccess file shared by "dev.server" and "server.site.com".
The first domain should allow all users to access it unchallenged (it only exists on my local development server).
The second domain I want to authenticate users with Apache (NOT by database).
The code to authenticate users is:
AuthType Basic
AuthName "Server Admin"
AuthUserFile "/path/to/passwd"
require valid-user
What I can't do is make those 4 lines only matter if the domain is "server.site.com". How can I do this?
I searched for something like <IfEnv HTTP_HOST "site.server.com"> but had no luck.
This appears to work, still need to do some testing on it though.
Order Deny,Allow
Deny from all
SetEnvIf Host domain.for.no.auth dev
Allow from env=dev
AuthUserFile .pwd
AuthType Basic
AuthName MySite
Require valid-user
Satisfy Any
As far as I know, this can't be done in a .htaccess file. You'd have to put this into a Directory or VirtualHost section, both of which can't be used in a .htaccess file.
You would have to define it in two separate files, or directly in the server's configuration in the VirtualHost section.