Allow IP address without authentication - authentication

I have set up a site that is currently a work in progress. I'm using an external SMS gateway that needs access to a script on my server. However, I have set up a basic username and password authentication for regular users, but the SMS gateway can't get through that.
How can I allow a single IP to pass through the authentication without authenticating itself, and deny all other users that aren't authenticated?
Here's my .htaccess file:
Order allow,deny
Allow from all
AuthType Basic
AuthUserFile /www/.site_htpasswd
AuthName "Protected Area"
require user admin

Just found out, with help from JoseK:
Order deny,allow
Deny from all
AuthType Basic
AuthUserFile /www/.site_htpasswd
AuthName "Protected Area"
require valid-user
Allow from 1.2.3.4
Satisfy Any

UPDATE: As of Apache 2.4, Order, Allow, Deny, and Satisfy directives should not be used anymore. So the new syntax is:
AuthType Basic
AuthUserFile /www/.site_htpasswd
AuthName "Protected Area"
<RequireAny>
Require ip 1.2.3.4
Require valid-user
</RequireAny>

Try changing the first 2 lines to
Order deny,allow
Deny from all
Allow from 1.2.3.x
Put your desired IP in the Allow from line.

Related

How to allow Domain in .htaccess

I am trying to only allow access to my Raspberry Pi from my website, which is hosted by a provider. I found the following on the internet:
order deny,allow
deny from all
allow from 192.168.0.0/24
allow from ..external ip to pi..
allow from hurl.it
When I want, for example, hurl.it to get access to my Pi, the Pi blocks it anyway. Am I making a mistake in handling domains in htaccess?
Thanks for every response.
UPDATE:
order deny,allow
deny from all
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
allow from localhost
allow from 192.168.1
allow from 127.0.0.1
allow from ..external ip to pi..
Satisfy Any
I tried this one for the basic authorization.
I suggest you look at using Apache basic auth instead of this method you are looking at. Basic auth is simple to set up, and then you just access your Pi as:
http://user:password@123.123.123.123/
Replacing 123.123.123.123 with your external IP at home.
Also look at setting up HTTPS so communication is encrypted.
Update
You don't need the allow directives when using basic auth. Just order allow,deny and allow from all. The basic auth will stop anyone who is not authenticated. So just use:
order allow,deny
Allow from all
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

Combine ip and user auth restriction for subfolder in apache 2.4

I want to restrict access to a complete website (Apache 2.4) to certain IPs. On top of that I want to restrict access to certain subfolders with user authentication. User auth is not working. Here is what I got:
In the vhost config I have
<Location />
# Localhost
Require ip 127.0.0.1
# some other IP
Require ip 1.2.3.4
</Location>
Now I want the subfolder /secure/ to require a valid user login
<webroot>/secure/.htaccess looks like
<RequireAll>
Require all granted
Require user user1 user2 user3
AuthBasicProvider file
AuthType Basic
AuthName "Secure Folder Login"
AuthUserFile /securePath/userAuth
</RequireAll>
I can still access /secure from the IP 1.2.3.4 without user authentication. It feels like Apache matches the IP against the Require ip 1.2.3.4 directive (inside the implicit RequireAny) and doesn't care about possible extra restrictions further down the line.
If you wish to block any IP but only the one in your list and provide a basic login prompt for the allowed IPs you can do something like (inside your .htaccess):
Require all denied
<RequireAll>
Require valid-user
Require ip 100.04.04.04
AuthBasicProvider file
AuthType Basic
AuthName "Secure Folder Login"
AuthUserFile /htdocs/www/web_projects/.htpasswd
</RequireAll>
and for multiple IPs something like the following should work:
Require all denied
<RequireAll>
<RequireAny>
Require ip 78.53.160.0/19
Require ip 80.171.1.0/24
Require ip 80.171.2.0/23
Require ip 80.171.4.0/22
Require ip 80.171.8.0/21
Require ip 80.171.16.0/20
Require ip 80.171.32.0/19
Require ip 80.171.64.0/18
</RequireAny>
<RequireAll>
Require valid-user
AuthBasicProvider file
AuthType Basic
AuthName "Secure Folder Login"
AuthUserFile /htdocs/www/web_projects/.htpasswd
</RequireAll>
</RequireAll>
At least Location (out of Location, Directory, File and .htaccess directives) seems to be evaluated separately and last and in reverse order of appearance. I didn't check completely and I couldn't find docs on it.
Well long story short
I could achieve what I wanted by placing
<Location /secure/>
Require all denied
<RequireAll>
Require user user1 user2 user3
AuthBasicProvider file
AuthType Basic
AuthName "Secure Folder Login"
AuthUserFile /securePath/userAuth
</RequireAll>
</Location>
below the <Location />Require ip 1.2.3.4</Location> block in the vhost config (above did not work). Using either <Directory> block or .htaccess did not work.
Put only Require directives inside RequireAll or RequireAny blocks.
Also don't use Location blocks for file system objects (actual directories), use Directory instead.
<Directory /opt/secure>
Require all denied
AuthBasicProvider file
AuthType Basic
AuthName "Secure Folder Login"
AuthUserFile /opt/.htaccess
<RequireAll>
# or: Require valid-user
Require user user1 user2
<RequireAny>
Require ip 78.53.160.0/19
Require ip 80.171.1.0/24
Require ip 80.171.2.0/23
Require ip 80.171.4.0/22
Require ip 80.171.8.0/21
Require ip 80.171.16.0/20
Require ip 80.171.32.0/19
Require ip 80.171.64.0/18
</RequireAny>
</RequireAll>
</Directory>

htaccess password protect and allow from ip

I know there are many questions about this topic, but I didn't find any solution that works.
I am trying to protect my web directory with htaccess password protection, but allow my local IP.
Somehow this doesn't work. On my local IP there is still password protection. If I use "Satisfy any" then the protection doesn't work at all and it is fully accessible.
<Directory "/srv/www/*">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 192.168.178.0/8
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/srv/www/.htpasswd"
Require valid-user
#Satisfy any
</Directory>
So if i understand documentation correctly:
Order Deny,Allow
First all Deny-rules are applied, and then the Allow-rules.

Apache basic authentication except for those Allowed

Problem: I have some files under /var/www/files/ that I want them to be accessed from specific IP addresses WITHOUT requiring user/password. However, I would like that any other IP address SHOULD require login to gain access.
This is in my httpd.conf:
<Directory /var/www/files/>
Order deny,allow
Deny from all
Allow from 192.168
AuthUserFile /etc/apache2/basic.pwd
AuthName "Please enter username and password"
AuthType Basic
Require user valid-user
</Directory>
But, if I understood correctly, this means that any client coming from 192.168.* will have access to that directory BUT will require a valid-user to view its content. And any other IP address will be denied. right?
Thank you in advance.
This is how it's done for Apache 2.4+ (since Satisfy Any is no longer supported).
<Directory /var/www/files/>
AuthType Basic
AuthName "Please enter your username and password"
AuthUserFile /var/www/files/.htpasswd
<RequireAny>
Require ip 22.33.44.55
Require valid-user
</RequireAny>
</Directory>
If you want to require both IP address -and- Login/Password, change <RequireAny> to <RequireAll>
I hope this helps someone - as it took me a while to figure it out.
Edit: this may be the accepted answer, but it is old. For new Apache installs, use Brian's answer here
Add this: Satisfy Any (which means either of those 2 should be passed).
And the syntax is either:
Require valid-user
Or:
Require user <userid>
If your server is behind a proxy, you can't rely on the Require ip directly. However, you can use the Require env:
<Directory /var/www/files/>
AuthType Basic
AuthName "Please enter your username and password"
AuthUserFile /var/www/files/.htpasswd
SetEnvIF X-Forwarded-For "22.33.44.55" AllowIP
<RequireAny>
Require env AllowIP
Require valid-user
</RequireAny>
</Directory>
The source of the idea
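Added example, not part of the answer above and not taken from the Apache documentation: the same proxy setup with the client address derived from X-Forwarded-For only when the request arrives from a known proxy, using mod_remoteip, so that Require ip can be used again. The proxy address 10.0.0.5 is an assumed placeholder; the directory path and client IP are the answer's own.

```apache
# Added example. 10.0.0.5 is a placeholder for the reverse proxy's address.
#
# Option 1 (server or vhost config, needs mod_remoteip loaded):
# take the client address from X-Forwarded-For, but only for connections
# that come from the listed proxy. A header sent over any other
# connection is ignored and the real peer address is used.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.5

<Directory /var/www/files/>
    AuthType Basic
    AuthName "Please enter your username and password"
    AuthUserFile /var/www/files/.htpasswd
    <RequireAny>
        # Checked against the address mod_remoteip derived, not the proxy's
        Require ip 22.33.44.55
        Require valid-user
    </RequireAny>
</Directory>

# Option 2: staying with SetEnvIf and "Require env AllowIP".
# SetEnvIf takes a regular expression, so escape the dots and anchor the
# pattern; written as "22.33.44.55" it also matches longer values such as
# 122.33.44.55. This is only sound when the proxy overwrites
# X-Forwarded-For itself and the backend accepts connections from the
# proxy only, because the header is otherwise whatever the client sent.
#
#   SetEnvIf X-Forwarded-For "^22\.33\.44\.55$" AllowIP
```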
At Apache 2.4+, if you also like to set a fixed username based on the IP block you could use AuthBasicFake directive together with runtime If directive.
This example will grant direct access to 22.33.44.55/32 and 66.77.88.99/32 and sets the username demouser; all others must log in.
<Location>
AuthType Basic
AuthName "Please enter your username and password"
AuthUserFile /var/www/files/.htpasswd
<If "-R '22.33.44.55/32' || -R '66.77.88.99/32'">
AuthBasicFake demouser
Require all granted
</If>
<Else>
Require valid-user
</Else>
</Location>
SetEnvIF X-Forwarded-For "192.168.135.159" AllowIP
SetEnvIF X-Forwarded-For "192.168.135.135" AllowIP
AuthType Basic
AuthName "admin"
AuthUserFile "/var/www/domain.com/cms/.htpasswd"
<RequireAll>
Require env AllowIP
require valid-user
</RequireAll>
I also checked many variants. This code works with the 2.4 version of Apache 100%.

Apache authentication - letting users from X IP address in WITHOUT required password, others must type password

Now my Apache configuration looks like this:
<Directory /usr/share/myweb/>
AuthType Basic
AuthName "myweb"
AuthUserFile /etc/apache2/.passwords
Require user mw
</Directory>
It allows everyone to the web, but requires a password.
I would like to let some users (from a local IP) see the website without the need for authentication. For others it should stay like it is - require a password.
How can I do that?
I supposed I could just do it with Allow from xxx.xx., but it still requires the password.
Thanks for help.
Thanks for answer...this made it:
<Directory /path/to/myweb/>
Order allow,deny
AuthType Basic
AuthName "myweb"
AuthUserFile /etc/apache2/.passwd
Order allow,deny
Require user myweb
Allow from your.ip.add
Satisfy Any
</Directory>
I've wondered about this before so I had a look round.
http://www.electrictoolbox.com/apache-password-protect-allow-ip/
it suggests you need to add to your config. I suspect it may be the lack of satisfy any that is tripping the login request, but I haven't tried it.
satisfy any
deny from all
allow from 192.168.1.
So you get
<Directory /usr/share/myweb/>
AuthType Basic
AuthName "myweb"
AuthUserFile /etc/apache2/.passwords
Require user mw
satisfy any
deny from all
allow from 192.168.1.
</Directory>