I need to exclude one Url (or even better one prefix) from normal htaccess Basic Auth protection. Something like /callbacks/myBank or /callbacks/.*
Do you have any hints how to do it?
What I'm not looking for is how to exclude a file.
This has to be url (as this is solution based on PHP framework, and all urls are redirected with mod_rewrite to index.php). So there is no file under this URL. Nothing.
Some of those urls are just callbacks from other services (No IP is not known so I cannot exclude based on IP) and they cannot prompt for User / Password.
Current definition is as simple as:
AuthName "Please login."
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /xxx/.htpasswd
require valid-user
Using SetEnvIf, you can create a variable when the request starts with some path, then use the Satisfy Any directive to avoid having to login.
# set an environtment variable "noauth" if the request starts with "/callbacks/"
SetEnvIf Request_URI ^/callbacks/ noauth=1
# the auth block
AuthName "Please login."
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /xxx/.htpasswd
# Here is where we allow/deny
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=noauth
The allow/deny chunk of directives says that deny access for EVERYONE, except when there is a valid-user (successful BASIC auth login) or if the noauth variable is set.
If you are using Apache 2.4, SetEnvIf and mod_rewrite workarounds are no longer necessary since the Require directive is able to interpret expressions directly:
AuthType Basic
AuthName "Please login."
AuthUserFile "/xxx/.htpasswd"
Require expr %{REQUEST_URI} =~ m#^/callbacks/.*#
Require valid-user
Apache 2.4 treats Require directives that are not grouped by <RequireAll> as if they were in a <RequireAny>, which behaves as an "or" statement. Here's a more complicated example that demonstrates matching both the request URI and the query string together, and falling back on requiring a valid user:
AuthType Basic
AuthName "Please login."
AuthUserFile "/xxx/.htpasswd"
<RequireAny>
<RequireAll>
# I'm using the alternate matching form here so I don't have
# to escape the /'s in the URL.
Require expr %{REQUEST_URI} =~ m#^/callbacks/.*#
# You can also match on the query string, which is more
# convenient than SetEnvIf.
#Require expr %{QUERY_STRING} = 'secret_var=42'
</RequireAll>
Require valid-user
</RequireAny>
This example would allow access to /callbacks/foo?secret_var=42 but require a username and password for /callbacks/foo.
Remember that unless you use <RequireAll>, Apache will attempt to match each Require in order so think about which conditions you want to allow first.
The reference for the Require directive is here: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require
And the expression reference is here: https://httpd.apache.org/docs/2.4/expr.html
This solution works pretty well, you just need to define whitelist you want to pass through.
SetEnvIfNoCase Request_URI "^/status\.php" noauth
AuthType Basic
AuthName "Identify yourself"
AuthUserFile /path/to/.htpasswd
Require valid-user
Order Deny,Allow
Deny from all
Allow from env=noauth
Satisfy any
I tried the other solutions but this is what worked for me. Hopefully it will be of help to others.
# Auth stuff
AuthName "Authorized personnel only."
AuthType Basic
AuthUserFile /path/to/your/htpasswd/file
SetEnvIf Request_URI "^/index.php/api/*" allow
Order allow,deny
Require valid-user
Allow from env=allow
Deny from env=!allow
Satisfy any
This will allow the api url and any url string after /index.php/api/ to open without having to login and anything else will be prompted to login.
Example:
mywebsite.com/index.php/api will open without being prompted to login
mywebsite.com/index.php/api/soap/?wsdl=1 will open without being prompted to login
mywebsite.com will be prompted to login first
<location />
SetEnvIf Request_URI "/callback/.*" REDIRECT_noauth=1
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/httpd/passwords/passwords
Order Deny,Allow
Satisfy any
Deny from all
Allow from env=REDIRECT_noauth
Require user yournickname
</location>
why don't you just use basic auth the way it was intended?
user:password#domain.com/callbacks/etc
Another approach works like this, if the area you are protecting has a monolithic PHP script controlling everything, like Wordpress. Set up Authentication with in a different directory. Put an index.php there that sets a cookie on path '/'. Then in Wordpress (for example), check the cookie, but bypass the check if $_SERVER['REQUEST_URI'] is the excluded URL.
On my shared hosting platform, RewriteRule could not set an environment variable that worked with "Satisfy any".
With any approach, watch out that the page you are protecting does not include images, stylesheets, etc., that trigger an authentication request when the page itself does not.
Add below code to your root htaccess file and don't forget to change your admin url, .htpasswd file page.
<Files "admin.php">
AuthName "Cron auth"
AuthUserFile E:\wamp\www\mg\.htpasswd
AuthType basic
Require valid-user
</Files>
Create .htpasswd file in your root folder and add below username and password (set default username:admin and password: admin123)
admin:$apr1$8.nTvE4f$UirPOK.PQqqfghwANLY47.
Please let me know if you still facing any issue.
None of this worked for me with Apache 2.4, because my PHP/Laravel htaccess did a rewrite and changed Request_URI to be always /index.php.
I used Require expr %{THE_REQUEST} to get the first line of the HTTP request (THE_REQUEST) which remains unchanged.
e.g., "GET /callbacks HTTP/1.1"
This worked for me:
<Location />
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require expr %{THE_REQUEST} =~ m#^GET /callbacks#
Require valid-user
</Location>
Note you need to change GET to POST if you need to or allow both:
Require expr %{THE_REQUEST} =~ m#^GET /callbacks#
Require expr %{THE_REQUEST} =~ m#^POST /callbacks#
Require valid-user
More about Require expr
Related
In order to avoid access for specific files that are still under construction, I wrote these lines in the website root .htaccess. This worked perfectly:
<FilesMatch "login.php|reset.php|raport.php">
AuthUserFile /home/myaccount/public_html/.htpasswd
AuthType Basic
AuthName "Restricted area"
Require valid-user
</FilesMatch>
Afterwards, I installed phpBB under /forum. When I try to access its login page... I must authenticate first.
My big question is how to modify the FilesMatch condition in order to apply it for login.php in the website root, but not for login.php in other folders.
Thank you in advance!
You could use SetEnvIf against the URI only form root like this :
SetEnvIf Request_URI "^/?(login|reset|raport)\.php" PASS
AuthUserFile /home/myaccount/public_html/.htpasswd
AuthType Basic
AuthName "Restricted area"
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!PASS
So , form here SetEnvIf Request_URI "^/?(login|reset|raport)\.php you make sure that the URI is starting with login|reset|raport only and not sub-directory .
Hi i need to protect my app during the testing phase.
I read this post about excluding one url from Basic Auth
But i'd like to exclude 2 urls :
/api/*
/oauth/v2/token
So the entire app will be protected except for those two urls, that will be public. Otherwise i can't access my api routes.
My .htaccess for now is :
# Protect the app with password
AuthUserFile /home/master/public_html/web/.htpasswd
AuthName "Protected"
AuthType Basic
Require valid-user
So i'm guessing i should need some sort or regex in :
SetEnvIf Request_URI ^/api/ noauth=1
How can i have like a OR condition?
Apache 2.4 Auth/Access control has changed since 2.2.
Here is the new syntax:
AuthType Basic
AuthUserFile /home/master/public_html/web/.htpasswd
AuthName "Protected"
SetEnvIf Request_URI ^/(api/|oauth/V2/token) noauth=1
<RequireAny>
Require env noauth
Require env REDIRECT_noauth
Require valid-user
</RequireAny>
Try :
SetEnvIf Request_URI ^/(api/|oauth/V2/token) noauth=1
You can exclude uris, just seperate them using a bar |
You can wrap Require inside another directive, like Directory or Location
<Location /api/>
Require all granted
</Location>
<Location /oauth/v2/token>
Require all granted
</Location>
Not asked, but Getting it working says about .htpasswd
This file should be placed somewhere not accessible from the web. This is so that folks cannot download the password file.
So you shouldn't put .htpasswd inside public_html.
I've seen a few other relative posts but didn't find any solution.
I need to restrict a folder with authentification, it works.
But in this folder I need to keep one file access opened to everybody, I used this but it doesn't works :
AuthName "Admins Only"
AuthUserFile /home/dd/.htpasswd
AuthGroupFile /dev/null
AuthType basic
require user AuthorizedUser
Options -Indexes
<Files "admin-ajax.php">
Allow from all
Satisfy all
</Files>
Sorry for my bad english and thanks for help !
use SetEnv and Order directive :
#set variable if uri is "/admin-ajax.php"
SetEnvIf Request_URI ^/folder/admin-ajax\.php noauth=1
#auth
AuthName "Admins Only"
AuthUserFile /home/dd/.htpasswd
AuthGroupFile /dev/null
AuthType basic
require user AuthorizedUser
#Here is where we allow/deny
Order Deny,Allow
Satisfy any
Deny from all
Require user AuthorizedUser
Allow from env=noauth
This will let you access your admin-ajax.php without login to server.
I'd like to get Basic Authentication for everything except requests from a certain IP Range and URLs that have a URL Path. (In my scenario these always end with .html)
The IP Range works fine, but I can't get requests to go threw that end with .html. For example:
http://subdomain.domain.com/test.html or http://subdomain.domain.com/test/test.html
should be allowed without authentication, while
http://subdomain.domain.com or http://domain.com
should be denied.
This is the Basic Auth block in my .htaccess:
SetEnvIf Request_URI ".html$" auth=1
Order deny,allow
Deny from all
AuthType Basic
AuthUserFile /path/to/.htpasswd
AuthName "Login"
require valid-user
Allow from 123.456.78 env=auth
Satisfy Any
You need 2 different Allow lines:
SetEnvIf Request_URI "\.html$" NO_AUTH
AuthType Basic
AuthUserFile /path/to/.htpasswd
AuthName "Login"
require valid-user
Satisfy Any
Order Deny,Allow
Deny from all
Allow from 123.456.78
Allow from env=NO_AUTH
On my server I have the following .htaccess file:
DirectoryIndex index.php
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/webinterface/.htpasswd
Options +FollowSymLinks
Require valid-user
<Files index.php>
Satisfy any
Allow from *
</Files>
If I request the URL "IP-ADDRESS/index.php", everything works fine, I get the index.php displayed without an authentication prompt. However as soon as I request "IP-ADDRESS/" the browser asks me for my credentials.
Why is this the case? What am I missing?
Try replacing the block to use mod_setenvif to check the request URI instead of using <Files>. The mod_auth* modules has precedence over mod_dir so the mapping from / to /index.php doesn't happen until after the auth takes place. Mod_setenvif will occur before the auth. Try:
SetEnvIf Request_URI "^/$" allow=yes
SetEnvIf Request_URI "^/index.php$" allow=yes
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/webinterface/.htpasswd
Options +FollowSymLinks
Order Deny,Allow
Satisfy any
Deny from All
Require valid-user
Allow from env=allow
If the requested URI is exactly / or /index.php, the variable allow gets set. The stuff after the Auth lines say to deny everything except a valid user or if the variable allow has been set.