I have a website where I want to allow everyone to view http://localhost:8080/ but password protect all other URLs, for example, http://localhost:8080/home, http://localhost:8080/about, http://localhost:8080/blog-pretty-url, etc.
So far, this is my .htaccess code, but I could only password protect home and about pages, and exclude static files so that the homepage works fine.
SetEnvIf Request_URI (\/(home|about-us)).*(?!(.*(css|js|png|svg|ico|jpg))) auth=1
AuthName "Please login"
AuthType Basic
AuthUserFile "/var/www/html/.htpasswd"
# first, allow everybody
Order Allow,Deny
Satisfy any
Allow from all
Require valid-user
# then, deny only if required
Deny from env=auth
I tried this regex too, but it's not working: (\:\/\/).*(\/\w)(?!(.*(css|js|png|svg|ico|jpg)))
Any help in writing a regex so that it protects all URLs except '/' and excludes static files from the blacklist would be highly appreciated.
sadmansh,
You're on the right track but looking in the wrong direction. This is actually much more simple than it seems. All you need to do is password protect everything and then add a rule to allow all to visit a certain page which in your case is "http://localhost:8080/".
First, password protect every file/directory.
Afterwards, use the following to allow users to visit that particular link you want to give free access to.
Replace "index.html" with the file you would like to share.
<Files "/index.html">
Allow from all
Satisfy any
</Files>
Please let me know if this helps! Have a good one.
Related
I have a public website with an admin area. So I want to protect this admin area using HTTP authentication.
The admin area has this URL: http://mypublicwebsite.com/myadminarea/
myadminareais not a physical directory on my server, there's a routing system based on the requested URL.
Is there an easy way to define that every URL that matches http://mypublicwebsite.com/myadminarea/* must use http authentication?
I've found this answer, but it seems too complicated to me.
Thanks.
You can use it using mod_setenvif and mod_auth. Place this code in your root .htaccess:
SetEnvIfNoCase Request_URI "^/myadminarea" SECURED
AuthType Basic
AuthName "Login Required"
AuthUserFile /full/path/to/passwords
Require valid-user
Order allow,deny
Allow from all
Deny from env=SECURED
Satisfy any
PS: Make sure you create passwords as per Apache manual instructions.
I've just found a solution using the LocationMatch apache directive, to be added in my virtualhost definition:
<VirtualHost *:8080>
...
<LocationMatch "/myadminarea/.*">
AuthType basic
AuthName "Login Required"
AuthUserFile /full/path/to/passwords
Require valid-user
Order allow,deny
Allow from all
</LocationMatch>
</VirtualHost>
I want to redirect the user to the authentication page only if the request is 'https'.
Currently I have written the following in my .htaccess file to do the same, but it doesn't work.
SetEnvIf Request_Protocol ^HTTPS.* IS_HTTPS
AuthType shibboleth
AuthName "Login"
ShibRequireSession on
require user abcd
Allow from env=IS_HTTPS
Is the regex for determining HTTPS correct? Earlier I had the SetEnvIf statement as follows. This too didn't work.
SetEnvIf %{SERVER_PORT} ^80$ IS_NON_SSL
AuthType shibboleth
AuthName "Login"
ShibRequireSession on
require user abcd
Allow from env=!IS_NON_SSL
But as per the documentation for SetEnvIf directive (http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html), the SERVER_PORT variable is not available.
I don’t think that the value Request_Protocol can be used to determine this – according to the docs page you linked, that contains something like (e.g., "HTTP/0.9", "HTTP/1.1", etc.) – so the protocol itself will always be HTTP; and that makes sense, as HTTPS is not a real “protocol”, but only the common name for HTTP with TLS “wrapped around it”, on the OSI level below it (6).
I’m not sure about the actual order of request processing (and don’t know where to find it right now off the top of my head) – but maybe you could combine this with mod_rewrite to achieve what you want? A RewriteCond is able to check whether HTTPS is used by checking the variable HTTPS for the value on – and a RewriteRule following that condition could set an environment variable for you using the [E] flag – something like this:
RewriteCond %{HTTPS} ^on$
RewriteRule . - [E=IS_HTTPS]
This will set the environment variable IS_HTTPS with an empty value, but that should be enough to check it with Allow from env=IS_HTTPS.
Mind giving this a try? As I said, I’m not sure if this will work because of processing order – but tryin’ cost nuffin, right?
You can try:
SetEnvIf Request_Protocol ^HTTPS.* IS_HTTPS
AuthType shibboleth
AuthName "Login"
ShibRequireSession on
require user abcd
Satisfy any
Order deny,allow
Deny from all
Allow from env=IS_HTTPS
Via Apache, is it possible to exclude access to my site if a particular page request www.mysite.com/this_page/ is made? The referrer IP address changes.
I realize that I can "catch" this request in my code and give back an error page, but I'd prefer for the request to never make it to my actual code. I can also just remove the page, but then my site would return its "page not found" page. So, still a page.
My host is Webfaction and I use Django. So it's Apache.
The reason is that I am seeing some weird activity to this particular page. For the curious, I am getting requests for this page about 20 times a day in bursts of 1-3 requests in 2 seconds. The IP addresses are Ukrainian. The referrers are mostly various Ukrainian websites, which seem real enough, but they do not contain an actual link to my webpage.
I don't think blocking a whole country is a good idea, but here's how to do it.
First, get a list of CIDRs of the country in question. For most countries, it will be a large list. One place to get that would be http://www.find-ip-address.org/ip-country/. Then, merely put those into an .htaccess or Apache config file:
<Location /this_page>
order allow, deny
deny from 5.1.0.0/19
deny from 5.22.156.0/22
deny from 5.34.176.0/21
deny from 5.53.112.0/21
deny from 5.56.24.0/21
deny from 5.57.64.0/21
deny from 5.58.0.0/16
deny from 5.83.16.0/21
deny from 5.104.32.0/19
deny from 5.105.0.0/16
#...
</Location>
(Leading whitespace is optional, .htaccess files don't need Location tags if you're happy blocking the whole directory.)
The above config keys on the client IP rather than the IP of the host of the referring link. That part is much harder to do, though perhaps keying on the Ukrainian TLD would be sufficient:
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^https?://[^:/?#]*\.ua[:/?#]
RewriteRule ^/this_page - [F,L]
(Note that %{HTTP_REFERER} has no double Rs. The spec was misspelled, my config above was not.)
If you're getting slammed by high volume, you might want to consider dropping the connections at the firewall level rather than Apache. Again, that would be by client rather than by referrer.
How can I prevent users from accessing a directory directly without preventing the files and sub directories being accessed? Please note that all my pages are written in php and the file type .php is omitted using htaccess url rewrites.
When I tried to attain waht I need using the following htaccess lines, I get 403 errors for all my url's, as they do not have a file type in them.
# Deny access to everything by default
Order Deny,Allow
deny from all
# Allow access to html files
<Files *.*>
allow from all
</Files>
The .htaccess file is in the dir folder
When try to access http://www.domain.com/dir/sub/page I get a 403 error. But when I try to access http://www.domain.com/dir/sub/page.php (note the .php file type) everything works fine. How can I restrict the prohibition ONLY to DIRECTORIES, with respect to my rewrite rules?
I need to restrict direct access only to directories and sub directories. I need to access whatever the flies inside the directories and sub directories.
Related questions like this and this did not help me since the omission of file type was not applicable to those.
I need to restrict direct access only to directories and sub directories. I need to access whatever the flies inside the directories and sub directories.
What I meant was to prohibit directory listing. And show to 403 instead
You can try following rule:
# disable directory listing
Options -Indexes
I'm sure this is possible, but its beyond my meager abilities with .htaccess files.
We have an internal php app that we use, we have basic security internally, but dont need to worry too much. I would like to make it available online for use when staff are out and about. I would like to have additional security based on htaccess or htpassword files.
Is it possible to write a htaccess file that does the following
If user is accessing from office.mydomain.com it means they are internal (office.mydomain.com resolves to an internal ip like 192.168.22.22) so allow unimpeded access
If the user is accessing from outside it will be external.myoffice.com - if this is the case as an added bit of security I would like to use .htaccess and a password file to get the user to enter an apache password.
Can anyone tell me how to write this with .htaccess file?
Update: Thanks for all the answers, I have posted what worked for me as an answer to help others.
You can use
RewriteCond %{REMOTE_ADDR} !^192\.168\.
to specify the condition of an external IP, or use
RewriteCond %{REMOTE_ADDR} ^192\.168\.
for the condition of a local IP.
You will just have to integrate these into your existing htaccess rules in a sensible way.
I think this does do what you want;
http://codesanity.net/2009/11/conditional-htpasswd-multienvironment-setups/
http://tomschlick.com/2009/11/08/conditional-htpasswd-multi-environments/
https://tomschlick.com/2009/11/08/conditional-htpasswd-multi-environments
Correct address for the resource as of 2022/01/15.
https://tomschlick.com/conditional-htpasswd-multi-environments/
Here you go
order deny,allow
allow from 192.168.22.0/255.255.255.0
deny from all
You can use a subnet mask to make sure the visitors are from the same network. If you need to address another network, just use those IP's (as the server sees them)
To Complete this answer the following Works.
#allows everything if its on a certain host
SetEnvIf HOST "^www.mysite.com" external_url
SetEnvIf HOST "^localhost" local_url
Order Deny,Allow
AuthName "Restricted Area"
AuthType Basic
AuthUserFile path/to/your/.htpasswd
AuthGroupFile /
Require valid-user
#Allow valid-user
Deny from all
Allow from env=external_url
Allow from env=local_url
Satisfy any
This pops up a Restricted Area login box if you visit via the www.mysite.com but displays nothing if you are coming locally.