I have the following, but its not working correctly.
I run this server locally, but have now configured for external access. I want it to work such that if you're not within my internal network, you must authenticate.
Authentication works, however cannot get httpd to accept this code so something must be wrong. Just can't figure out which!
Order Deny, Allow
Deny from all
Satisfy Any
Allow from 127.0.0.1
Allow from 192.168
AuthUserFile "C:/Program Files/wamp/htpasswd.txt"
AuthName "Piss off :-)"
AuthType Basic
Require valid-user
Swap the Order:
Order Allow,Deny
Related
I want to configure universal .htaccess file for my application to protect my testing server. I want to display basic auth for any request that comes from public IP, only if current server is testing.
How to archieve this? I know how to protect domain and exclude some IP:
AuthType Basic
AuthName "Please Log In"
AuthUserFile /some/path/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from 127.0.0.1
Satisfy any
But how I can let this code run only if server is dev/testing? I can't change env variables. I thought about detecting domain (server that I want to protect is on subdomain), and place code from above in some sort of if block, but I don't know how.
You use mod_setenvif to set an env variable based on current host and use it auth later:
SetEnvIfNoCase Host ^sub\.domain\.com$ SECURED
AuthType Basic
AuthName "Please Log In"
AuthUserFile /some/path/.htpasswd
Require valid-user
Order Allow,Deny
Allow from 127.0.0.1
Deny from env=SECURED
Satisfy any
I am trying to only allow access to my raspberry pi from my website which is hosted from a provider. I found the following in the internet:
order deny,allow
deny from all
allow from 192.168.0.0/24
allow from ..external ip to pi..
allow from hurl.it
When I want for example hurl.it to get access to my pi, the pi blocks anyway. Do I make mistake handling with domains in htaccess?
Thanks for every response.
UPDATE:
order deny,allow
deny from all
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
allow from localhost
allow from 192.168.1
allow from 127.0.0.1
allow from ..external ip to pi..
Satisfy Any
I tried this one for the basic authorization.
I suggest you look at using Apache basic auth instead of this method you are looking at. Basic auth is simple to set up, and then you just access your Pi as:
http://user:password#123.123.123.123/
Replacing 123.123.123.123 with you external IP at home.
Also look at setting up HTTPS so communication is encrypted.
Update
You don't need the allow directives when using basic auth. Just order allow,deny and allow from all. The basic auth will stop anyone who is not authenticated. So just use:
order allow,deny
Allow from all
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
I have a question to a complex apache configuration (apache 2.2). Is the following possible, and if yes, how:
From some IPs access to particular files should be allowed without authentication.
From other IPs access to the same files should be allowed with authentication only.
From all other IPs access should not be allowed.
I've tried with
general:
Order deny,allow
deny from all
Then two blocks for the specified directory:
<Location /testverzeichnis/index.html>
AuthType Basic
AuthName "blabla"
Deny from all
Allow from <IP1>
AuthUserFile /srv/www/apache/.htpasswd
Require user scht
</Location>
This does work! I got a window for user/password, and on the second machine access is not allowed.
Then I tried to get access without password from the second machine:
<Location /testverzeichnis/index.html>
Deny from all
Allow from <IP2>
</Location>
But then I got the authentication box on the second machine!
Is this possible at all?
Thank you in advance!
Regards
Burkhard
"Satisfy any" in a single configuration section.
I'm trying to migrate from Apache 2.2 over to 2.4. One problem I'm having is getting one of my .htaccess files working as it does in 2.2. Essentially what I'm trying to do is allow all of my servers to get to the website without a password, and then require a simple password when someone not from my network, or on one of our desktops trys to get to it. The statements below are from 2.2 and work as intended. The deny statement is a subset of IP's inside the allowed from group.
AuthType Basic
AuthName "Dev password"
AuthUserFile /path/.htpass
Require user devuser
order allow,deny
allow from xxx.xxx.xx.x/24 xxx.xxx.xx.x/16 xxx.xxx.xxx.x/24
deny from xxx.xxx.xxx.xxx/25
Satisfy any
This however is how I thought I would do the same thing in 2.4 but I cannot get it to work:
RequireAny
RequireAll
RequireAny
Require ip 10.0
Require ip 192.168.0
/RequireAny
RequireNone
Require ip 10.0.10
Require ip 192.168.0.128/25
/RequireNone
/RequireAll
AuthType Basic
AuthName "Dev password"
AuthUserFile /path/.htpass
Require user dev
/RequireAny
Can someone tell me what I'm doing wrong? It's not requesting authenticate from my desktops.
Sorry it's not showing my tags for requireall and requireany. so I don't have them tagged.
You seem to be doing it right. Crank-up the LogLevel for authz:
LogLevel authz_core:trace3
and see, what gets logged for each hit. It may be something as silly as a typo in the IP-range specification, for example.
I'm trying to build and test a "m." subdomain for a website I'm working on. "m.domain.com" is simply a cname for "domain.com" and will be used to set a server-side boolean so the mobile version of the site will serve exactly the same pages, just with different css and scripts.
While I'm testing, I want to require a password for all requests made to m.domain.com. I've tried several .htaccess variants on environment variable solutions, and this is what I have right now:
SetEnvIfNoCase Host m\.domain\.com is_mobile
AuthType basic
AuthName "Mobile site"
AuthUserFile ".htpasswd"
Require valid-user
Order allow,deny
Allow from all
Deny from env=is_mobile
Satisfy any
With this code, "domain.com" and "www.domain.com" display normally. "m.domain.com" prompts for a password as expected. However, once it's entered, the server returns a 500 error on any request.
Well, turns out that a little inversion and reordering did the trick.
SetEnvIfNoCase Host ^(www\.)domain\.com$ not_mobile
AuthType basic
AuthName "Mobile site"
AuthUserFile ".htpasswd"
Order deny,allow
Deny from all
Allow from env=not_mobile
Require valid-user
Satisfy any
I'm still curious to know why the other configuration created the 500 error, though, especially since it only occurred for the subdomain I wanted password protected.