Password protect a cname subdomain with .htaccess? - apache

I'm trying to build and test a "m." subdomain for a website I'm working on. "m.domain.com" is simply a cname for "domain.com" and will be used to set a server-side boolean so the mobile version of the site will serve exactly the same pages, just with different css and scripts.
While I'm testing, I want to require a password for all requests made to m.domain.com. I've tried several .htaccess variants on environment variable solutions, and this is what I have right now:
SetEnvIfNoCase Host m\.domain\.com is_mobile
AuthType basic
AuthName "Mobile site"
AuthUserFile ".htpasswd"
Require valid-user
Order allow,deny
Allow from all
Deny from env=is_mobile
Satisfy any
With this code, "domain.com" and "www.domain.com" display normally. "m.domain.com" prompts for a password as expected. However, once it's entered, the server returns a 500 error on any request.

Well, turns out that a little inversion and reordering did the trick.
SetEnvIfNoCase Host ^(www\.)domain\.com$ not_mobile
AuthType basic
AuthName "Mobile site"
AuthUserFile ".htpasswd"
Order deny,allow
Deny from all
Allow from env=not_mobile
Require valid-user
Satisfy any
I'm still curious to know why the other configuration created the 500 error, though, especially since it only occurred for the subdomain I wanted password protected.

Related

Apache basic auth with SetEnvIf bug

I have a problem with apache 2.4 .htaccess configuration. My config example:
SetEnvIf Request_URI ^(?i).*/admin(/.*)?$ require_auth=true
AuthType Basic
AuthName "Secure area"
AuthUserFile /xxx/.admin_htpasswd
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
The idea is to ask a password for requests to urls which contains "/admin" string. So if I go to www.mysite.com/admin the password is required and if I go to www.mysite.com/news the password is not required.
But there is a strange bug! If I start making multiple fast refreshes on url www.mysite.com/news (F5, F5, F5, F5, F5...) the basic auth window pops out and asks the password :( Why it is happening so?
The problem is resolved. mod_evasive after IP address block doesn't show 403 Forbidden but runs basic auth if it is configured in .htaccess file.

Basic Authentication for All Except Listed User Agents in Apache

Is it possible to require Basic Authentication for all but specified User Agents in Apache configuration?
P.S. I know that User Agents can be easily faked, but for my use case such conditional authentication would be enough.
After searching for quite a bit and experimenting, I came up with the answer. One needs these lines in their .htaccess file:
SetEnvIf User-Agent ^VipAgent1 vip_agent
SetEnvIf User-Agent ^VipAgent2 vip_agent
Order Allow,Deny
Allow from env=vip_agent
AuthType Basic
AuthName "Protected Login"
AuthUserFile /path/to/htpasswd
Require valid-user
Satisfy any
In addition, for this to work, one would need to make sure that mod_rewrite, mod_authn_file, and mod_setenvif are enabled in httpd.conf and also this directive is set there:
AllowOverride All
This configuration gives access for requests with User Agent starting "VipAgent1" and "VipAgent2", but asks for the authentication credentials for all other visitors.

.htaccess IF directory exists

I have a development server and a live server. Both use the same .htaccess but I want the development server to be password protected. When I copy the .htaccess file over to the live, I get a 500 error. Does .htaccess offer some way to only password protect directories using conditionals like IF?
what I'm using:
<Directory "/home/my/path/to/development/site/">
AuthName "Restricted Area 52"
AuthType Basic
AuthUserFile /home/my/path/to/development/site/.htpasswd
AuthGroupFile /dev/null
require valid-user
</Directory>
Could really use some help.
You can't have <Directory> containers inside an htaccess file, but you can conditionally turn on or off HTTP auth based on an environment varaible.
So for example, say your production site is http://production.example.com and your dev site is http://dev.example.com then you can check against the HTTP Host and set an environment variable:
SetEnvIfNoCase Host ^dev\.example\.com$ require_auth=true
Or, if the path is different, say your production site is http://example.com/ and dev site is http://example.com/dev/, then you can check against the requested URI:
SetEnvIfNoCase Request_URI ^/dev/ require_auth=true
There's several other checks you can make that's outlined in the mod_setenvif. Either way, you want to set require_auth=true when it's a request for dev. Then you setup your auth stuff to use Satisfy Any:
# Auth stuff
AuthUserFile /home/my/path/to/development/site/.htpasswd
AuthName "Restricted Area 52"
AuthType Basic
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
So if require_auth isn't set, then no auth is required, and your SetenvIf should set it if it's a dev request.

Apache basic authentication SSL only

I've been given a setup in which Apache runs on Windows, and we have two folders that need basic authentication with .htpasswd.
First, I tested that the authentication worked:
AuthUserFile E:/path-to/.htpasswd
AuthType Basic
AuthName "Secure area"
Require valid-user
This worked nicely, but of course did not send the credentials over SSL. I tried using a RewriteRule to send any requests without HTTPS over to HTTPS in either of those folders, and this requires the user to login twice - once over HTTP and once over HTTPS.
I found tons of people with this issue, and the solution most folks use is like this:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.domain.com"
AuthUserFile E:/path-to/.htpasswd
AuthName "Secure area"
AuthType basic
require valid-user
ErrorDocument 403 https://www.domain.com/secure-area
So I put this into an htaccess inside each of the two secure folders. This requires the user to login once, over HTTPS, as it should, but of course it does not send them to the file they have requested. Rather, it sends them to the root of the folder.
We often direct users to specific files inside these directories, and I just can't find anything that will authenticate them with basic auth over HTTPS when trying to do this. Is this possible on Apache?
Thanks,
Jonathan
If its for a particular file, you could wrap it in
<files *.php>
</files>
</pre></code>
or whatever, see if that makes a difference, as it'll be authenticating for a requested file rather than the directory that file is in?

htaccess: only do [some lines of code] for one domain, no others

Say I have a htaccess file shared by "dev.server" and "server.site.com".
The first domain should allow all users to access it unchallenged (it only exists on my local development server).
The second domain I want to authenticate users with Apache (NOT by database).
The code to authenticate users is:
AuthType Basic
AuthName "Server Admin"
AuthUserFile "/path/to/passwd"
require valid-user
What I can't do is make those 4 lines only matter if the domain is "server.site.com". How can I do this?
I searched for something like <IfEnv HTTP_HOST "site.server.com"> but had no luck.
This appears to work, still need to do some testing on it though.
Order Deny,Allow
Deny from all
SetEnvIf Host domain.for.no.auth dev
Allow from env=dev
AuthUserFile .pwd
AuthType Basic
AuthName MySite
Require valid-user
Satisfy Any
As far as I know, this can't be done in a .htaccess file. You'd have to put this into a Directory or VirtualHost section, both of which can't be used in a .htaccess file.
You would have to define it in two separate files, or directly in the server's configuration in the VirtualHost section.