htaccess - using password OR ip whitelist

Developer https://www.devze.com 2023-04-10 18:33 Source: Internet
So I want to restrict access to a URL. Now if they are coming from a given IP address then they shouldn't be prompted for a password. If they are not coming from a given IP address then they should be prompted for a password.

So an either/or of:

AuthUserFile /some/path/.htpasswd
AuthName "Please Log In"
AuthType Basic
require valid-user

and:

order deny,allow
deny from all
allow from x.x.x.x


You can use the Apache "Satisfy" directive.

Here is an example of using it:

AuthType Basic
AuthName "Please Log In"
AuthUserFile /some/path/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from 127.0.0.1
Satisfy any

Access without password is only allowed from 127.0.0.1.

Hope this helps.


With Apache 2.4 Satisfy is still available, but deprecated:

Note

The directives provided by mod_access_compat have been deprecated by mod_authz_host. Mixing old directives like Order, Allow or Deny with new ones like Require is technically possible but discouraged. This module was created to support configurations containing only old directives to facilitate the 2.4 upgrade. Please check the upgrading guide for more information.


In your case Allow from 1.2.3.4 is replaced by Require ip 1.2.3.4

Combining several Requires (like Require valid-user and Require ip) can be done by Authorization Containers. So saying the client must either provide a password or come from a specific IP address, would be done by surrounding the directives with RequireAny, e.g.

<RequireAny>
    Require valid-user
    Require ip 1.2.3.4
</RequireAny>

Although, this is a special case as described at the end of Require:

When multiple Require directives are used in a single configuration section and are not contained in another authorization directive like <RequireAll>, they are implicitly contained within a <RequireAny> directive. Thus the first one to authorize a user authorizes the entire request, and subsequent Require directives are ignored.

In other words, RequireAny is optional here, and you can just list

Require valid-user
Require ip 1.2.3.4


This works perfectly for me:

AuthType Basic
AuthName "myserver publicname"
AuthUserFile "/myserverpath/.htpasswds/public/passwd"
require ip 100.12.255.233
require valid-user

Note: Just placed 'require ip' with 'my example ip' before 'require valid-user' and it does the trick. I can log in from my ip without password requested, but if I access from other locations or my mobile devices I need the password.

To set 'Satisfy any' was NOT GOOD FOR ME (!), because it disabled other .htaccess settings in lower hierarchy of my app and made my site insecure.
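
Added example, not part of the original answers: a single .htaccess that carries both forms shown above, guarded with <IfModule> so Apache 2.4 reads only the Require-based rules and Apache 2.2 only the Order/Allow/Satisfy rules, which keeps the two directive families from being mixed. The path and the address 1.2.3.4 are the placeholders used in the answers; it assumes AllowOverride permits AuthConfig (and Limit for the 2.2 branch).

```apache
# Basic-auth settings are needed by both branches.
AuthType Basic
AuthName "Please Log In"
AuthUserFile /some/path/.htpasswd

# Apache 2.4: mod_authz_core is present, so use authorization containers.
<IfModule mod_authz_core.c>
    # Either condition grants access. A request from 1.2.3.4 is authorized
    # by address and never sees a password prompt; any other client must
    # authenticate against AuthUserFile.
    <RequireAny>
        Require ip 1.2.3.4
        Require valid-user
    </RequireAny>
</IfModule>

# Apache 2.2: mod_authz_core does not exist, so only this branch is read.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 1.2.3.4
    Require valid-user
    # "any" = host-based access OR a valid login is sufficient.
    Satisfy any
</IfModule>

# Caveat: the address is matched against the client address Apache sees.
# Behind a reverse proxy or load balancer that is the proxy's address
# unless the real client address is restored (for example by mod_remoteip).
```

After deploying, request the URL once from the allowed address and once from another address with no credentials; the second request should return 401 with a WWW-Authenticate header.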
