Solved

Can I allow one user access without login, but require login from all others?

Posted on 2004-08-13
8
449 Views
Last Modified: 2012-06-27
Hi all, I'm looking for a way through .htaccess that I can allow one user access to a directory without using username/password but require everyone else to have to login with username/password.

Would it be best to use SetEnvIf? And how?

Any suggestions would be appreciated.
0
Comment
Question by:ziffgone
  • 4
  • 3
8 Comments
 
LVL 9

Expert Comment

by:ronan_40060
ID: 11798053
Hi ziffgone
You could use Allow and deny

The Allow and Deny directives let you allow and deny access based on the host name, or host address, of the machine requesting a document. The Order directive goes hand-in-hand with these two, and tells Apache in which order to apply the filters.

The usage of these directives is:

Allow from address

where address is an IP address (or a partial IP address) or a fully qualified domain name (or a partial domain name); you may provide multiple addresses or domain names, if desired.

For example, if you have someone spamming your message board, and you want to keep them out, you could do the following:

Deny from 205.252.46.165

Visitors coming from that address will not be able to see the content covered by this directive. If, instead, you have a machine name, rather than an IP address, you can use that.

Deny from host.example.com

And, if you'd like to block access from an entire domain, you can specify just part of an address or domain name:

Deny from 192.101.205
Deny from cyberthugs.com moreidiots.com
Deny from ke

Using Order will let you be sure that you are actually restricting things to the group that you want to let in, by combining a Deny and an Allow directive:

Order deny,allow
Deny from all
Allow from dev.example.com

Listing just the Allow directive would not do what you want, because it will let folks from that host in, in addition to letting everyone in. What you want is to let only those folks in

------------------------------------------------------------------------------------------------------------------------------------------------
Allow Directive
Description:      Controls which hosts can access an area of the server
Syntax:      Allow from all|host|env=env-variable [host|env=env-variable] ...
Context:      directory, .htaccess
Override:      Limit
Status:      Base
Module:      mod_access

The Allow directive affects which hosts can access an area of the server. Access can be controlled by hostname, IP Address, IP Address range, or by other characteristics of the client request captured in environment variables.

The first argument to this directive is always from. The subsequent arguments can take three different forms. If Allow from all is specified, then all hosts are allowed access, subject to the configuration of the Deny and Order directives as discussed below. To allow only particular hosts or groups of hosts to access the server, the host can be specified in any of the following formats:

A (partial) domain-name
    Example:

    Allow from apache.org

    Hosts whose names match, or end in, this string are allowed access. Only complete components are matched, so the above example will match foo.apache.org but it will not match fooapache.org. This configuration will cause Apache to perform a double reverse DNS lookup on the client IP address, regardless of the setting of the HostnameLookups directive. It will do a reverse DNS lookup on the IP address to find the associated hostname, and then do a forward lookup on the hostname to assure that it matches the original IP address. Only if the forward and reverse DNS are consistent and the hostname matches will access be allowed.
A full IP address
    Example:

    Allow from 10.1.2.3

    An IP address of a host allowed access
A partial IP address
    Example:

    Allow from 10.1

    The first 1 to 3 bytes of an IP address, for subnet restriction.
A network/netmask pair
    Example:

    Allow from 10.1.0.0/255.255.0.0

    A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.
A network/nnn CIDR specification
    Example:

    Allow from 10.1.0.0/16

    Similar to the previous case, except the netmask consists of nnn high-order 1 bits.

Note that the last three examples above match exactly the same set of hosts.

IPv6 addresses and IPv6 subnets can be specified as shown below:

Allow from fe80::a00:20ff:fea7:ccea
Allow from fe80::a00:20ff:fea7:ccea/10

The third format of the arguments to the Allow directive allows access to the server to be controlled based on the existence of an environment variable. When Allow from env=env-variable is specified, then the request is allowed access if the environment variable env-variable exists. The server provides the ability to set environment variables in a flexible way based on characteristics of the client request using the directives provided by mod_setenvif. Therefore, this directive can be used to allow access based on such factors as the clients User-Agent (browser type), Referer, or other HTTP request header fields.
Example:

SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
<Directory /docroot>
Order Deny,Allow
Deny from all
Allow from env=let_me_in
</Directory>

In this case, browsers with a user-agent string beginning with KnockKnock/2.0 will be allowed access, and all others will be denied.
Deny Directive
Description:      Controls which hosts are denied access to the server
Syntax:      Deny from all|host|env=env-variable [host|env=env-variable] ...
Context:      directory, .htaccess
Override:      Limit
Status:      Base
Module:      mod_access

This directive allows access to the server to be restricted based on hostname, IP address, or environment variables. The arguments for the Deny directive are identical to the arguments for the Allow directive.
Order Directive
Description:      Controls the default access state and the order in which Allow and Deny are evaluated.
Syntax:      Order ordering
Default:      Order Deny,Allow
Context:      directory, .htaccess
Override:      Limit
Status:      Base
Module:      mod_access

The Order directive controls the default access state and the order in which Allow and Deny directives are evaluated. Ordering is one of

Deny,Allow
    The Deny directives are evaluated before the Allow directives. Access is allowed by default. Any client which does not match a Deny directive or does match an Allow directive will be allowed access to the server.
Allow,Deny
    The Allow directives are evaluated before the Deny directives. Access is denied by default. Any client which does not match an Allow directive or does match a Deny directive will be denied access to the server.
Mutual-failure
    Only those hosts which appear on the Allow list and do not appear on the Deny list are granted access. This ordering has the same effect as Order Allow,Deny and is deprecated in favor of that configuration.

Keywords may only be separated by a comma; no whitespace is allowed between them. Note that in all cases every Allow and Deny statement is evaluated.

In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.

Order Deny,Allow
Deny from all
Allow from apache.org

In the next example, all hosts in the apache.org domain are allowed access, except for the hosts which are in the foo.apache.org subdomain, who are denied access. All hosts not in the apache.org domain are denied access because the default state is to deny access to the server.

Order Allow,Deny
Allow from apache.org
Deny from foo.apache.org

On the other hand, if the Order in the last example is changed to Deny,Allow, all hosts will be allowed access. This happens because, regardless of the actual ordering of the directives in the configuration file, the Allow from apache.org will be evaluated last and will override the Deny from foo.apache.org. All hosts not in the apache.org domain will also be allowed access because the default state will change to allow.

The presence of an Order directive can affect access to a part of the server even in the absence of accompanying Allow and Deny directives because of its effect on the default access state. For example,

<Directory /www>
Order Allow,Deny
</Directory>

will deny all access to the /www directory because the default access state will be set to deny.

The Order directive controls the order of access directive processing only within each phase of the server's configuration processing. This implies, for example, that an Allow or Deny directive occurring in a <Location> section will always be evaluated after an Allow or Deny directive occurring in a <Directory> section or .htaccess file, regardless of the setting of the Order directive. For details on the merging of configuration sections, see the documentation on How Directory, Location and Files sections work.


------------------------------------------------------------------------------------------------------------------------------------------------
Hope it helps
Good Luck
Ronan


 
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11799146
> .. can allow one user access ..
how do you (httpd) identify this user?
0
 
LVL 14

Author Comment

by:ziffgone
ID: 11800589
@ahoffmann

I was hoping either through the user's Ip Address, or, if that fails, through an env. variable? (We could probably also set it up to check referer instead, (probably easiest), and I can place a link from an Admin page to the directory). But I'm not sure how the evironment variable works. Can I have the user in question submit a for with a hidden value and give them access to the directory? So then their access to the directory would be a simple button click of the form submit.

I imagine we would have the .htaccess first check to see if the user arriving was the one who can enter, and if not, then ask for username and password.

Regards...
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 
LVL 51

Expert Comment

by:ahoffmann
ID: 11800798
>  the user's Ip Address,
not reliable 'cause it could be a proxy (or are you talking about LAN only?)

>  through an env. variable
that's exectly my question: what's the condition to set it?

>  to check referer
not reliable: can be set to whatever I like ;-)

>  with a hidden value
same problem as referer

> would have the .htaccess first check to see if the user arriving was the one who can enter
question again: how do you identify this user?

when using .htaccess you only have a user if (s)he identified before using basic auth or whatever.
Or you need some kind of session, which requires some programming on your server and a login (at least at very first time) by the user.
Common techniques to transport sessionIDs are cokkies or URL-rewriting, both have pros and cons.
0
 
LVL 14

Author Comment

by:ziffgone
ID: 11803155
Ok, here's the senario, I have a case where certain directories can be accessed by the members of a site through login via .htaccess. The Administrator of the site would like to access the directories without logging in. Just a nuisance for him.

I was actually asking this question for another in a different channel, but he now doesn't want to fool around with the .htaccess files, (he's not familiar with and has a VERY limited knowledge regarding .htaccess and is afraid to go ahead with this, he has abandoned the idea). But, this brings me an opportunity to learn something new, so I will keep this question open for myself.

Regards...
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11803348
there is no way to distinguish *exactly one* user from *all* others without asking before,
henc there must be at least on point where the user (human) identifies himself (account)
Another way would be https with client certificates, then exactly one user (not realy true,
the browser providing the client cert) can be identified by the server.
0
 
LVL 14

Author Comment

by:ziffgone
ID: 11804356
What would be the best condition, in this case, to set the env. variable then?

Regards...
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 500 total points
ID: 11804875
if a client autheticates successfully with its cert, then you should see at least following variables:
  SSL_CLIENT_DN        <string>  DN in client's certificate
  SSL_CLIENT_<x509>  <string>  Component of client's DN
  SSL_CLIENT_I_DN  <string>  DN of issuer of client's certificate
  SSL_CLIENT_I_<x509>  <string>  Component of client's issuer's DN

you may use it like:

  SetEnvIf SSL_CLIENT !^\s*$ heureca_a_client_providing_a_cert
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As Wikipedia explains 'robots.txt' as -- the robot exclusion standard, also known as the Robots Exclusion Protocol or robots.txt protocol, is a convention to prevent cooperating web spiders and other web robots from accessing all or part of a websit…
Over the last year I have answered a couple of basic URL rewriting questions several times so I thought I might as well have a stab at: explaining the basics, providing a few useful links and consolidating some of the most common queries into a sing…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question