I'm sure this is possible, but its beyond my meager abilities with .htaccess files.
We have an internal php app that we use, we have basic security internally, but dont need to worry too much. I would like to make it available online for use when staff are out and about. I would like to have additional security based on htaccess or htpassword files.
Is it possible to write a htaccess file that does the following
If user is accessing from office.mydomain.com it means they are internal (office.mydomain.com resolves to an internal ip like 192.168.22.22) so allow unimpeded access
If the user is accessing from outside it will be external.myoffice.com - if this is the case as an added bit of security I would like to use .htaccess and a password file to get the user to enter an apache password.
Can anyone tell me how to write this with .htaccess file?
Update: Thanks for all the answers, I have posted what worked for me as an answer to help others.
You can use
RewriteCond %{REMOTE_ADDR} !^192\.168\.
to specify the condition of an external IP, or use
RewriteCond %{REMOTE_ADDR} ^192\.168\.
for the condition of a local IP.
You will just have to integrate these into your existing htaccess rules in a sensible way.
I think this does do what you want;
http://codesanity.net/2009/11/conditional-htpasswd-multienvironment-setups/
http://tomschlick.com/2009/11/08/conditional-htpasswd-multi-environments/
https://tomschlick.com/2009/11/08/conditional-htpasswd-multi-environments
Correct address for the resource as of 2022/01/15.
https://tomschlick.com/conditional-htpasswd-multi-environments/
Here you go
order deny,allow
allow from 192.168.22.0/255.255.255.0
deny from all
You can use a subnet mask to make sure the visitors are from the same network. If you need to address another network, just use those IP's (as the server sees them)
To Complete this answer the following Works.
#allows everything if its on a certain host
SetEnvIf HOST "^www.mysite.com" external_url
SetEnvIf HOST "^localhost" local_url
Order Deny,Allow
AuthName "Restricted Area"
AuthType Basic
AuthUserFile path/to/your/.htpasswd
AuthGroupFile /
Require valid-user
#Allow valid-user
Deny from all
Allow from env=external_url
Allow from env=local_url
Satisfy any
This pops up a Restricted Area login box if you visit via the www.mysite.com but displays nothing if you are coming locally.
Related
I have a website where I want to allow everyone to view http://localhost:8080/ but password protect all other URLs, for example, http://localhost:8080/home, http://localhost:8080/about, http://localhost:8080/blog-pretty-url, etc.
So far, this is my .htaccess code, but I could only password protect home and about pages, and exclude static files so that the homepage works fine.
SetEnvIf Request_URI (\/(home|about-us)).*(?!(.*(css|js|png|svg|ico|jpg))) auth=1
AuthName "Please login"
AuthType Basic
AuthUserFile "/var/www/html/.htpasswd"
# first, allow everybody
Order Allow,Deny
Satisfy any
Allow from all
Require valid-user
# then, deny only if required
Deny from env=auth
I tried this regex too, but it's not working: (\:\/\/).*(\/\w)(?!(.*(css|js|png|svg|ico|jpg)))
Any help in writing a regex so that it protects all URLs except '/' and excludes static files from the blacklist would be highly appreciated.
sadmansh,
You're on the right track but looking in the wrong direction. This is actually much more simple than it seems. All you need to do is password protect everything and then add a rule to allow all to visit a certain page which in your case is "http://localhost:8080/".
First, password protect every file/directory.
Afterwards, use the following to allow users to visit that particular link you want to give free access to.
Replace "index.html" with the file you would like to share.
<Files "/index.html">
Allow from all
Satisfy any
</Files>
Please let me know if this helps! Have a good one.
I would like to rewrite directories of my RootDocument into thei'r own addresses.
For exaimple, I would like to be able to visit: http://localhost/FOO and be redirected to http://FOO.dev. Please note that the URL domain is static ass all subdirectory domains will have the same tol-level domain. I need to create a redirect within chunk of code:
<VirtualHost *:80>
ServerName 127.0.0.1
ServerAlias localhost
DocumentRoot /usr/local/var/www
<Location />
Options All
AllowOverride All
Require all granted
</Location>
<LocationMatch ^/[^.].+/$>
RewriteEngine on
/*
I NEED A REWRITE HERE WHEN I REACH THE DIRECTORY LOCATION
AS LOCATION IS ALREADY MATCHED, I'M NOT SURE HOW TO EXTRACT IT
*/
</LocationMatch>
<LocationMatch ^/[.].+/$>
Options none
AllowOverride none
Require all denied
</LocationMatch>
</VirtualHost>
Since I have already figured out how to get into directories I need to be at, how would I use my logic to extract and redirect me into correct place?
You need a two-step-approach for this, since you have to handle two separate requests in the scenario you want to set up:
This is the rule to redirect clients to the new host name:
RewriteEngine on
RewriteRule ^/?(\w+)(/?.*)$ http://$1.dev$2 [R=301]
This is the rule inside that host to remap the request onto the internal folder in the file system again:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^(\w+)\.dev$
RewriteCond /%1 -d
RewriteRule ^/?(.*)$ /%1/$1 [END]
Obviously the rewriting needs to be loaded and enabled for this.
In case you receive back a http status 500 ("internal server error") for the first request (the one to be redirected) chances are that you are using a very old version of the apache http server. In that case try replacing the [END] flag with the [L] flag...
Above rules will work likewise in the http servers host configuration or in dynamic configuration files. However you should always prefer to place such rules inside the http servers (virtual) host configuration instead of using dynamic configuration files (.htaccess style files). Those files are notoriously error prone, hard to debug and they really slow down the server. They are only supported as a last option for situations where you do not have control over the host configuration (read: really cheap hosting service providers) or if you have an application that relies on writing its own rewrite rules (which is an obvious security nightmare).
A couple weeks ago, I had a wonderful time setting up an Apache and Django configuration to work while forcing SSL and operating behind an AWS load balancer.
Now that it is all working nicely, I'm still constantly receiving the common "Invalid HTTP_HOST header" error, and trying to figure out the right way to go about fixing it.
Searching has brought me to the following answer regarding the Apache configuration:
How to disable Django's invalid HTTP_HOST error?
Which recommends placing the following settings inside the <Directory></Directory> block in the VirtualHost file:
SetEnvIfNoCase Host .+ VALID_HOST
Order Deny,Allow
Deny from All
Allow from env=VALID_HOST}
This works, but according to Apache (https://httpd.apache.org/docs/2.4/howto/access.html) this method is deprecated.
I've read through the Apache docs but when I tried using the following code it just shut down access to the site and gave me a "Not Authorized" error.
<RequireAll>
Require host example.org
</RequireAll>
Not entirely sure what I'm missing. I know I can solve the problem using the first answer, just trying to figure out the "right" way using code that isn't deprecated. Site is using WSGIDaemonProcess to run the Django App and has the following set to force the SSL through AWS
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTP:X-Forwarded-For} !=""
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI}
No need to use mod_setenvif as HTTP_HOST is already a variable and you can evaluate it directly.
<Directory /var/www/html/>
Require expr %{HTTP_HOST} == "example.com"
Options
</Directory>
So, after messing with this for a long time I figured out that the problem I was dealing with may have something to do with the hostname reverse DNS lookup failing, since the IP address was pointing to an AWS EC2 instance instead of my domain.
After finally giving up on getting it right I returned to the post on how to disable the log error, and tried using the env variable, which seems to be working.
Apparently the correct format for Require is:
<Directory /var/www/html/>
SetEnvIfNoCase Host example\.com VALID_HOST
Require env VALID_HOST
Options
</Directory>
These guys had it right, just need to update it for the current "Require" directive.
How to disable Django's invalid HTTP_HOST error?
I want to redirect the user to the authentication page only if the request is 'https'.
Currently I have written the following in my .htaccess file to do the same, but it doesn't work.
SetEnvIf Request_Protocol ^HTTPS.* IS_HTTPS
AuthType shibboleth
AuthName "Login"
ShibRequireSession on
require user abcd
Allow from env=IS_HTTPS
Is the regex for determining HTTPS correct? Earlier I had the SetEnvIf statement as follows. This too didn't work.
SetEnvIf %{SERVER_PORT} ^80$ IS_NON_SSL
AuthType shibboleth
AuthName "Login"
ShibRequireSession on
require user abcd
Allow from env=!IS_NON_SSL
But as per the documentation for SetEnvIf directive (http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html), the SERVER_PORT variable is not available.
I don’t think that the value Request_Protocol can be used to determine this – according to the docs page you linked, that contains something like (e.g., "HTTP/0.9", "HTTP/1.1", etc.) – so the protocol itself will always be HTTP; and that makes sense, as HTTPS is not a real “protocol”, but only the common name for HTTP with TLS “wrapped around it”, on the OSI level below it (6).
I’m not sure about the actual order of request processing (and don’t know where to find it right now off the top of my head) – but maybe you could combine this with mod_rewrite to achieve what you want? A RewriteCond is able to check whether HTTPS is used by checking the variable HTTPS for the value on – and a RewriteRule following that condition could set an environment variable for you using the [E] flag – something like this:
RewriteCond %{HTTPS} ^on$
RewriteRule . - [E=IS_HTTPS]
This will set the environment variable IS_HTTPS with an empty value, but that should be enough to check it with Allow from env=IS_HTTPS.
Mind giving this a try? As I said, I’m not sure if this will work because of processing order – but tryin’ cost nuffin, right?
You can try:
SetEnvIf Request_Protocol ^HTTPS.* IS_HTTPS
AuthType shibboleth
AuthName "Login"
ShibRequireSession on
require user abcd
Satisfy any
Order deny,allow
Deny from all
Allow from env=IS_HTTPS
Via Apache, is it possible to exclude access to my site if a particular page request www.mysite.com/this_page/ is made? The referrer IP address changes.
I realize that I can "catch" this request in my code and give back an error page, but I'd prefer for the request to never make it to my actual code. I can also just remove the page, but then my site would return its "page not found" page. So, still a page.
My host is Webfaction and I use Django. So it's Apache.
The reason is that I am seeing some weird activity to this particular page. For the curious, I am getting requests for this page about 20 times a day in bursts of 1-3 requests in 2 seconds. The IP addresses are Ukrainian. The referrers are mostly various Ukrainian websites, which seem real enough, but they do not contain an actual link to my webpage.
I don't think blocking a whole country is a good idea, but here's how to do it.
First, get a list of CIDRs of the country in question. For most countries, it will be a large list. One place to get that would be http://www.find-ip-address.org/ip-country/. Then, merely put those into an .htaccess or Apache config file:
<Location /this_page>
order allow, deny
deny from 5.1.0.0/19
deny from 5.22.156.0/22
deny from 5.34.176.0/21
deny from 5.53.112.0/21
deny from 5.56.24.0/21
deny from 5.57.64.0/21
deny from 5.58.0.0/16
deny from 5.83.16.0/21
deny from 5.104.32.0/19
deny from 5.105.0.0/16
#...
</Location>
(Leading whitespace is optional, .htaccess files don't need Location tags if you're happy blocking the whole directory.)
The above config keys on the client IP rather than the IP of the host of the referring link. That part is much harder to do, though perhaps keying on the Ukrainian TLD would be sufficient:
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^https?://[^:/?#]*\.ua[:/?#]
RewriteRule ^/this_page - [F,L]
(Note that %{HTTP_REFERER} has no double Rs. The spec was misspelled, my config above was not.)
If you're getting slammed by high volume, you might want to consider dropping the connections at the firewall level rather than Apache. Again, that would be by client rather than by referrer.