Apache .htaccess - applying basic authentication conditionally based on environment or hostname
Asked Answered
F

6

15

My dev setup: Mac OSX 10.7.4 / Apache 2.2.21 / PHP 5.3.10

I wish to add conditional logic to my .htaccess files depending on dev vs live environment. for example i want to have authentication on the live server but not on the dev server. i have in my httpd.conf

SetEnv DEV 1

I have confirmed that this var is set by checking the output from phpinfo(). then in my .htaccess file

<IfDefine !DEV>
  AuthType Basic
  AuthName "password protected"
  AuthUserFile /path/to/.htpasswd
  Require valid-user
</IfDefine>

...but I am still prompted for password on my local dev. it appears that the DEV variable is not available to .htaccess. I do have AllowOverride All set in my httpd.conf for my doc root. Any ideas?

Fucus answered 17/6, 2012 at 18:26 Comment(1)
I think a better answer is: #6143676Disintegration
U
22

I am fresh off of about 4 hours into this problem, and I believe I have the final answer and can summarize for everyone how to solve this particularly painfull problem.

I am using Windows 7 Home Premium with Apache 2.2x and Php 5.3 as my dev machine. I too want to have a DEV environment variable, which I can use in my .htaccess files to turn off Rewriting and other directives which are not valid on my develpment environment but are critical to my production environment.

My .htaccess file looks like this;

<IfDefine !__DEV__>
    AddType application/x-httpd-php53 .php
</IfDefine>

HostGator informed me that in order to have php 5.3 I needed to modify my htaccess file like this to enable it or I'd only have php 5.2. But I already have it on my dev machine so, this directive was causing my customer website to crash when I viewed it locally. Everything I'm about to explain has allowed me to keep ONE .htaccess file in my Git Repository, which works in both locations.

First, let me clear/sum up all the things I learned while scouring the internet for the way to use IfDefine and SetEnv to solve this issue;

  1. The IfDefine directive in Apache, Only , ONLY and when I say only i mean ONLY, responds to parameters passed at the command line. Let me emphasize that a little. ONLY COMMAND LINE!
  2. SetEnv and SetEnvIf, are two entirely different things. One (SetEnv) is for use in the conf files, setting environment variables (specific to apache) which are set at SERVER START TIME. SetEnfIf is used at REQUEST TIME and is only used to determine what to set based on REQUEST variables.
  3. The IfDefine directive does not read variables set by SetEnv or SetEnvIf. Period. There's no argument, there's no question, there's no "but i thought..." NO. It doesn't, so get over it.

The short answer is NO, you can't just use "SetEnv DEV 1" in httpd.conf and then use IfDefine to detect it in your .htaccess file, which would seem intuitive and reasonable based on the syntax and nature of programming logic any of us are used to. Recall that we are not in fact programming anything, that these are config files and of course they don't conform to this expectation simply because it seems like they should.

The Answer

So this means that I have to figure out how to add a startup parameter to Apache, well for the Linux Guys, that answer is readily available, you just have to add the right stuff to the envvars file, but what about us poor windows junkies?

Well for windows users it gets more fun for the following reasons:

  1. Windows does not allow you to permanently add startup parameters in the services configuration for Apache2.2 (it doesn't work, don't try it, I've done it a million times, trust me). This is true, if you go in there and try to put in your own parameters, it will only work one time and then the parameter field is empty the next time you open the dialog. I don't know why this is the case, but it seems that those parameters are intended for testing, not a permanent modification.
  2. When Apache is installed it creates "Start", "Stop" and "Restart" shortcuts in the start menu, as well as installs the Apache Services Monitor. BUT the shortcuts in the start menu use different startup parameters than those used by apache services monitor. So if you start/stop apache using a combination of these methods you will get different results depending on what method you used. However, you can put the -D "__DEV__" in the start menu shortcut and it will work!

Steps to Solve It

To permanently and universally setup a __DEV__ environment variable which you can reference using IfDefine in .htaccess files, on a Windows Development environment which will work whether you start Apache using a service or the shortcuts in the start menu or using NET START/STOP on the command line, do the following:

  1. Open the properties for the start menu shortcut and extract the command you find for starting Apache there. Mine was; "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\httpd.exe" -w -n "Apache2.2" -k start

  2. Modify it to include the new -D __DEV__ variable, which MUST go at the start immediately following httpd.exe; "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\httpd.exe" -D "__DEV__" -w -n "Apache2.2" -k start

  3. Your start menu shortcut will now start apache with your dev variable in place.

  4. Go to a command line (as administrator)

  5. Type: net stop apache2.2 (or whatever your service name is for apache)

  6. Now type in (or copy-paste) the same command as is used in the start menu shortcut above into the command line but make the following change to it; "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\httpd.exe" -D "__DEV__" -w -n "Apache2.2" -k config

  7. Note the change of the word start to config. What this magical command does is saves the settings you are seeing on the screen to the settings stored with the service in Windows. Hit Enter. From this point forward your variable will be passed whenever you start the service, the Apache Services Monitor starts the service, or windows starts the service.

Sorry for the novel everyone, I hope it helps some other weary soul out there to have all this info summarized and explained, I know it would have helped me! :D

Universally answered 7/9, 2012 at 18:13 Comment(2)
Thanks for the tips. I'm running Apache as part of XAMPP on Windows XP (as a service). The easiest/only way I found was to modify the registry key: HKLM\SYSTEM\CurrentControlSet\Services\Apache2.2\ImagePath to "C:\xampp\apache\bin\apache.exe" -DLOCAL -k runservice. "LOCAL" being the parameter name in my case.Costin
You're welcome. I've tried XAMPP, its great but it doesn't teach you much about managing Apache, so I always set it all up from scratch as much as possible.Universally
G
6

Another option to my first answer is use the Allow directive.

Look at: http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow

Order deny,allow
Deny from all
AuthType Basic
AuthName "password protected"
AuthUserFile /path/to/.htpasswd
Require valid-user
Allow from env=DEV
Satisfy Any

This will only check if DEV exists not the value, thats how apache works. Replace (or add) "Allow" with "Allow from 127.0.0.1" to have your localhost always be in dev mode.

This states that any of the conditions are acceptable, where the conditions are: password or from 127.0.0.1. If you develop on your localhost you can use 127.0.0.1, or just replace that with any ip you develop with. This don't need to be wrapped in anything, just placed in your htaccess file. I use virtual hosts, so I would place it there.

Source (I changed it to look your your original code): http://www.askapache.com/htaccess/apache-authentication-in-htaccess.html#allow-conditional

Godolphin answered 27/6, 2012 at 6:7 Comment(0)
M
4

2 years on and I'm having similar issues. Specifically, we are auto-deploying to an AWS OpsWorks stack and have no control over the placement of a .htpasswd file (used to obscure work during development).

Our final working solution was along the lines of this (Apache 2.2.25):

# check the host against a regex, defining env=DEV if it matches
# this guy matches localhost, dev.project and 10.1.X.X
SetEnvIfNoCase Host "^(localhost|dev\.project|10\.1(\.\d+){2})$" DEV

AuthType Basic
AuthName "Restricted"

# auth file location, in our case defined by an AWS OpsWorks auto-deployment
# this only gets loaded if the regex above doesn't match, which is handy
AuthUserFile /srv/www/project/current/.htpasswd 

Require valid-user
Satisfy    any
Order      deny,allow
Deny from all
Allow from env=DEV

This solution is flexible enough to allow multiple development environments access while auth checking any number of others. No need for ignoring or editing the htaccess before a git commit. An environment variable might seem overkill but it allows for a regular expression and could be used elsewhere as well.

See: http://httpd.apache.org/docs/2.2/howto/access.html

Mendive answered 1/4, 2014 at 20:34 Comment(2)
Thanks, a variation on this (moving "Require valid-user") to the bottom allows me to require authentication only for a specific URL or domain.Eulogia
Thank you, I tried Michael Ozeryansky's solution, but that didn't work for me. It's funny that you have to move the directives around. In my environment, (apache 2.2), i had to allow either with authentication, or a user-agent. This variant worked for me: SetEnvIf User-Agent ^MySpecialUserAgent$ noauth=1 AllowOverride All order deny,allow AuthType Basic AuthName "Basic Authentication" [... AUTH Directives...] Require valid-user Satisfy Any Allow from env=noauthManganate
S
2

Solution for Debian/Ubuntu:

In /etc/apache2/envars one has to change:

## If you would like to pass arguments to the web server, add them below
## to the APACHE_ARGUMENTS environment.
#export APACHE_ARGUMENTS=''

to

## If you would like to pass arguments to the web server, add them below
## to the APACHE_ARGUMENTS environment.
export APACHE_ARGUMENTS='-D __DEV__'

Now one can use

<IfDefine !__DEV__>
    ...
</IfDefine>
Selfabsorption answered 25/4, 2014 at 20:14 Comment(0)
G
1

I do love answering questions, but a quick google search gave me your answer. Check out the apache documentation: http://httpd.apache.org/docs/2.0/mod/core.html#ifdefine

The IfDefine directive can only test a "parameter-name", and a "parameter-name" is a variable set by httpd on startup.

Also check out this site, and scroll down to the table: http://turboflash.wordpress.com/2010/05/27/apache-environment-variables-visibility-with-setenv-setenvif-and-rewriterule-directives/

What you are asking is still possible if you just start your dev webserver like this:

$ httpd -DDEV

This will define the variable DEV. Note that you don't need to set it to anything, being defined is basically setting it to 1/true. If it doesn't exist it's like being set to false/0/null/etc...

Godolphin answered 27/6, 2012 at 5:53 Comment(0)
B
1

I've solved this problem using a different approach based on AccessFileName directive.

In my MAMP environment, I've added the following to <VirtualHost> configuration:

AccessFileName .htaccess_dev

Then, I've scanned the application directory for .htaccess files and created corresponding symlinks to the .htaccess_dev version so to have identical versions for all of them and have the application to work on my development environment.

Then, I've located the only .htaccess file containing the path to the .htpasswd file and removed the symlink and created instead a modified copy of it.

I've this in .htaccess file:

## production

AuthType Basic
AuthName "Admin"
AuthUserFile /srv/users/prod/apps/appname/public/sys-admin/.htpasswd
require valid-user

And this in .htaccess_dev

## development

AuthType Basic
AuthName "Admin"
AuthUserFile /Users/fregini/Work/MAMP/appname/sys-admin/.htpasswd 
require valid-user
Baryton answered 18/4, 2019 at 8:51 Comment(1)
wow this is the best solution without messing around with variables, also with MAMP PRO 6 and apache 2.4 some other tricks are more complicatedMarauding

© 2022 - 2024 — McMap. All rights reserved.