How to do conditional .htaccess password protect

Asked 9/3, 2011 at 21:21 Answered 28/2, 2012 at 5:54

Solved .htaccess conditional-statements passwd setenv ifdefine

I'm trying to password protect a specific url using a .htaccess. Different urls point to the same files but have different workings. I now need to password protect only one url. I'm trying to do this using setenvif but it doesn't seem to work. I might not fully understand the purpose or use of the apache setenv module.

This is my code what doesn't seem to work

SetEnvIfNoCase Host "topasswordprotect\.domain\.com$" protecturl
<IfDefine protecturl>
  Require valid-user
  AuthName "Please enter your name and password"
  AuthType Basic
  AuthUserFile .htpasswd
</IfDefine>

Lagomorph answered 9/3, 2011 at 21:21 Comment(1)

Related question: Conditionally require HTTP authentication depending on apache env variable – Truthvalue 23/9, 2016 at 4:8

I finally figured it out. I indeed had to use the mod_rewrite engine. I was determined to have a solution which didn't involve me having to make extra files or directories.

Same files, no extra directories, one .htaccess:

# Case we are in the protected area!
RewriteCond %{REQUEST_FILENAME} index.php [OR]
RewriteCond %{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^(\/){1}$
RewriteCond %{REQUEST_FILENAME} !-d [OR]
RewriteCond %{REQUEST_URI} ^(\/){1}$
RewriteCond %{HTTP_HOST} ^(protected)\.mydomain\.com$
RewriteRule ^(.*)$ admin.php%{REQUEST_URI} [L]

#default rewrite
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]

#only protect access to admin.php which is a symlink to index.php
<FilesMatch "admin.php">
  AuthUserFile .htpasswd
  AuthName EnterPassword
  AuthType Basic
  require valid-user
</FilesMatch>

Lagomorph answered 11/3, 2011 at 1:12 Comment(2)

Hi, you are passwording access to a file here, but how can you password protect a blog that doesn't physically exist as ...com/blogname/ but is redirected using htacess and the permalinks? – Vino 21/4, 2011 at 9:54

Since you rewrite everything /blogname to use file.php and secure file.php an voila, protected! it works really well! – Lagomorph 26/8, 2013 at 20:58

Well, this can actually be achieved without mod_rewrite and with SetEnvIf. I needed it for dev site to test how Facebook OpenGraph tags work.

# allow facebook external hit
SetEnvIf user-agent "facebookexternalhit/1.1" allowthis
# disallow some other stuff
SetEnvIfNoCase Host "topasswordprotect\.domain\.com$" !allowthis

AuthType Basic
AuthName "dev access"
AuthUserFile .htpasswd
Require valid-user

Allow from allowthis=1
Satisfy Any

The IfDefine works on defines which are not same as environment variables.

A quote from apache docs:

The parameter-name argument is a define as given on the httpd command line via -Dparameter- , at the time the server was started.

Anatto answered 28/2, 2012 at 5:54 Comment(0)

Might not be directly possible directly but could you have another password protected directory which has the original directory linked into it? You could the use mod_rewrite to redirect the matching requests to password protected directory.

RewriteEngine on
RewriteCond %{HTTP_HOST} ^www.myhost.tld$
RewriteRule ^/foo/(.*)$ /bar/linkeddir/$1

Halfbeak answered 9/3, 2011 at 21:43 Comment(0)

Recommended topics

Hot tags