password protect directory during certain hours

I know for a fact that this can be done with mod_rewrite.  Two server 'variables' are available to the rewrite engine that you would probably be interested in:

TIME_*  (TIME_YEAR, TIME_MON, TIME_DAY, ...)  (obviously these represent time in various aspects)

REMOTE_USER  (this would have the username of the user who had authenticated to your password protected directory).

I would imagine something like this in your httpd.conf or .htaccess file in the password protected directory:

RewriteEngine On
RewriteCond %{TIME_HOUR}%{TIME_MIN} < 0700
RewriteCond %{TIME_HOUR}%{TIME_MIN} > 1900
RewriteCond %{REMOTE_USER} = "user1" [OR]
RewriteCond %{REMOTE_USER} = "user2" [OR]
RewriteCond %{REMOTE_USER} = "user3"
RewriteRule ^.*\.html$ restricted.html

You can probably find all the info you need from these two pages:

http://httpd.apache.org/docs/mod/mod_rewrite.html
http://httpd.apache.org/docs/misc/rewriteguide.html

The rewriting guide has an example of basically the above.

So you know, I haven't tested this setup. ;)


One other thought...

The Squid proxy server can be run as a 'reverse proxy', meaning it's basically an httpd accelerator.  It has a lot of powerful features to describe when a certain resource is available or not.  You could easily place the squid server logically in 'front' of your apache server, and load both the authentication and time aspects into it.  This also gives you the added bonus of the powerful cacheing engine as well.  Something to think about at least.

an interesting note regarding my rewrite suggestion comes from the rewrite documentation...

There is the special format %{LA-U:variable} for look-aheads which perform an internal (URL-based) sub-request to determine the final value of variable. Use this when you want to use a variable for rewriting which is actually set later in an API phase and thus is not available at the current stage. For instance when you want to rewrite according to the REMOTE_USER variable from within the per-server context (httpd.conf file) you have to use %{LA-U:REMOTE_USER} because this variable is set by the authorization phases which come after the URL translation phase where mod_rewrite operates. On the other hand, because mod_rewrite implements its per-directory context (.htaccess file) via the Fixup phase of the API and because the authorization phases come before this phase, you just can use %{REMOTE_USER} there.

So, if your password protected directory is in the .htaccess file, you're safe.  However, if it's in your httpd.conf file, you're going to need to use %{LA-U:REMOTE_USER} instead.

Thanks bobsledbob i'll give that a try. The directory I'm trying to protect is https://mysite.com/safedir

This dir has a .htaccess file in it with the authorized users in the file. Is this where you suggest the Rewrite occur?

The other hack, though much less elegant I thought about was a cronjob that would replace the .htaccess file with the appropriate one when needed and then restore the original when needed.

Thanks
Alex

bobsledbob - your suggestion was right on.

Here is the exact syntax I used.
# Redirect demo2 if time before 11am and after 2pm
RewriteEngine on
RewriteCond %{TIME_HOUR}%{TIME_MIN} <1100 [OR]
RewriteCond %{TIME_HOUR}%{TIME_MIN} >1400
RewriteCond %{REMOTE_USER} ^demo2$
RewriteRule ^(.*) http://yahoo.com [L]

Thanks Alex

Alex,

Looks real good.  Nice job.  Short window of opportunity for demo2 (only 3 hours). ;)

Take care,

Adam