Solved

Can I allow one user access without login, but require login from all others?

Posted on 2004-08-13
8
445 Views
Last Modified: 2012-06-27
Hi all, I'm looking for a way through .htaccess that I can allow one user access to a directory without using username/password but require everyone else to have to login with username/password.

Would it be best to use SetEnvIf? And how?

Any suggestions would be appreciated.
0
Comment
Question by:ziffgone
  • 4
  • 3
8 Comments
 
LVL 9

Expert Comment

by:ronan_40060
ID: 11798053
Hi ziffgone
You could use Allow and deny

The Allow and Deny directives let you allow and deny access based on the host name, or host address, of the machine requesting a document. The Order directive goes hand-in-hand with these two, and tells Apache in which order to apply the filters.

The usage of these directives is:

Allow from address

where address is an IP address (or a partial IP address) or a fully qualified domain name (or a partial domain name); you may provide multiple addresses or domain names, if desired.

For example, if you have someone spamming your message board, and you want to keep them out, you could do the following:

Deny from 205.252.46.165

Visitors coming from that address will not be able to see the content covered by this directive. If, instead, you have a machine name, rather than an IP address, you can use that.

Deny from host.example.com

And, if you'd like to block access from an entire domain, you can specify just part of an address or domain name:

Deny from 192.101.205
Deny from cyberthugs.com moreidiots.com
Deny from ke

Using Order will let you be sure that you are actually restricting things to the group that you want to let in, by combining a Deny and an Allow directive:

Order deny,allow
Deny from all
Allow from dev.example.com

Listing just the Allow directive would not do what you want, because it will let folks from that host in, in addition to letting everyone in. What you want is to let only those folks in

------------------------------------------------------------------------------------------------------------------------------------------------
Allow Directive
Description:      Controls which hosts can access an area of the server
Syntax:      Allow from all|host|env=env-variable [host|env=env-variable] ...
Context:      directory, .htaccess
Override:      Limit
Status:      Base
Module:      mod_access

The Allow directive affects which hosts can access an area of the server. Access can be controlled by hostname, IP Address, IP Address range, or by other characteristics of the client request captured in environment variables.

The first argument to this directive is always from. The subsequent arguments can take three different forms. If Allow from all is specified, then all hosts are allowed access, subject to the configuration of the Deny and Order directives as discussed below. To allow only particular hosts or groups of hosts to access the server, the host can be specified in any of the following formats:

A (partial) domain-name
    Example:

    Allow from apache.org

    Hosts whose names match, or end in, this string are allowed access. Only complete components are matched, so the above example will match foo.apache.org but it will not match fooapache.org. This configuration will cause Apache to perform a double reverse DNS lookup on the client IP address, regardless of the setting of the HostnameLookups directive. It will do a reverse DNS lookup on the IP address to find the associated hostname, and then do a forward lookup on the hostname to assure that it matches the original IP address. Only if the forward and reverse DNS are consistent and the hostname matches will access be allowed.
A full IP address
    Example:

    Allow from 10.1.2.3

    An IP address of a host allowed access
A partial IP address
    Example:

    Allow from 10.1

    The first 1 to 3 bytes of an IP address, for subnet restriction.
A network/netmask pair
    Example:

    Allow from 10.1.0.0/255.255.0.0

    A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.
A network/nnn CIDR specification
    Example:

    Allow from 10.1.0.0/16

    Similar to the previous case, except the netmask consists of nnn high-order 1 bits.

Note that the last three examples above match exactly the same set of hosts.

IPv6 addresses and IPv6 subnets can be specified as shown below:

Allow from fe80::a00:20ff:fea7:ccea
Allow from fe80::a00:20ff:fea7:ccea/10

The third format of the arguments to the Allow directive allows access to the server to be controlled based on the existence of an environment variable. When Allow from env=env-variable is specified, then the request is allowed access if the environment variable env-variable exists. The server provides the ability to set environment variables in a flexible way based on characteristics of the client request using the directives provided by mod_setenvif. Therefore, this directive can be used to allow access based on such factors as the clients User-Agent (browser type), Referer, or other HTTP request header fields.
Example:

SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
<Directory /docroot>
Order Deny,Allow
Deny from all
Allow from env=let_me_in
</Directory>

In this case, browsers with a user-agent string beginning with KnockKnock/2.0 will be allowed access, and all others will be denied.
Deny Directive
Description:      Controls which hosts are denied access to the server
Syntax:      Deny from all|host|env=env-variable [host|env=env-variable] ...
Context:      directory, .htaccess
Override:      Limit
Status:      Base
Module:      mod_access

This directive allows access to the server to be restricted based on hostname, IP address, or environment variables. The arguments for the Deny directive are identical to the arguments for the Allow directive.
Order Directive
Description:      Controls the default access state and the order in which Allow and Deny are evaluated.
Syntax:      Order ordering
Default:      Order Deny,Allow
Context:      directory, .htaccess
Override:      Limit
Status:      Base
Module:      mod_access

The Order directive controls the default access state and the order in which Allow and Deny directives are evaluated. Ordering is one of

Deny,Allow
    The Deny directives are evaluated before the Allow directives. Access is allowed by default. Any client which does not match a Deny directive or does match an Allow directive will be allowed access to the server.
Allow,Deny
    The Allow directives are evaluated before the Deny directives. Access is denied by default. Any client which does not match an Allow directive or does match a Deny directive will be denied access to the server.
Mutual-failure
    Only those hosts which appear on the Allow list and do not appear on the Deny list are granted access. This ordering has the same effect as Order Allow,Deny and is deprecated in favor of that configuration.

Keywords may only be separated by a comma; no whitespace is allowed between them. Note that in all cases every Allow and Deny statement is evaluated.

In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.

Order Deny,Allow
Deny from all
Allow from apache.org

In the next example, all hosts in the apache.org domain are allowed access, except for the hosts which are in the foo.apache.org subdomain, who are denied access. All hosts not in the apache.org domain are denied access because the default state is to deny access to the server.

Order Allow,Deny
Allow from apache.org
Deny from foo.apache.org

On the other hand, if the Order in the last example is changed to Deny,Allow, all hosts will be allowed access. This happens because, regardless of the actual ordering of the directives in the configuration file, the Allow from apache.org will be evaluated last and will override the Deny from foo.apache.org. All hosts not in the apache.org domain will also be allowed access because the default state will change to allow.

The presence of an Order directive can affect access to a part of the server even in the absence of accompanying Allow and Deny directives because of its effect on the default access state. For example,

<Directory /www>
Order Allow,Deny
</Directory>

will deny all access to the /www directory because the default access state will be set to deny.

The Order directive controls the order of access directive processing only within each phase of the server's configuration processing. This implies, for example, that an Allow or Deny directive occurring in a <Location> section will always be evaluated after an Allow or Deny directive occurring in a <Directory> section or .htaccess file, regardless of the setting of the Order directive. For details on the merging of configuration sections, see the documentation on How Directory, Location and Files sections work.


------------------------------------------------------------------------------------------------------------------------------------------------
Hope it helps
Good Luck
Ronan


 
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11799146
> .. can allow one user access ..
how do you (httpd) identify this user?
0
 
LVL 14

Author Comment

by:ziffgone
ID: 11800589
@ahoffmann

I was hoping either through the user's Ip Address, or, if that fails, through an env. variable? (We could probably also set it up to check referer instead, (probably easiest), and I can place a link from an Admin page to the directory). But I'm not sure how the evironment variable works. Can I have the user in question submit a for with a hidden value and give them access to the directory? So then their access to the directory would be a simple button click of the form submit.

I imagine we would have the .htaccess first check to see if the user arriving was the one who can enter, and if not, then ask for username and password.

Regards...
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11800798
>  the user's Ip Address,
not reliable 'cause it could be a proxy (or are you talking about LAN only?)

>  through an env. variable
that's exectly my question: what's the condition to set it?

>  to check referer
not reliable: can be set to whatever I like ;-)

>  with a hidden value
same problem as referer

> would have the .htaccess first check to see if the user arriving was the one who can enter
question again: how do you identify this user?

when using .htaccess you only have a user if (s)he identified before using basic auth or whatever.
Or you need some kind of session, which requires some programming on your server and a login (at least at very first time) by the user.
Common techniques to transport sessionIDs are cokkies or URL-rewriting, both have pros and cons.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 14

Author Comment

by:ziffgone
ID: 11803155
Ok, here's the senario, I have a case where certain directories can be accessed by the members of a site through login via .htaccess. The Administrator of the site would like to access the directories without logging in. Just a nuisance for him.

I was actually asking this question for another in a different channel, but he now doesn't want to fool around with the .htaccess files, (he's not familiar with and has a VERY limited knowledge regarding .htaccess and is afraid to go ahead with this, he has abandoned the idea). But, this brings me an opportunity to learn something new, so I will keep this question open for myself.

Regards...
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11803348
there is no way to distinguish *exactly one* user from *all* others without asking before,
henc there must be at least on point where the user (human) identifies himself (account)
Another way would be https with client certificates, then exactly one user (not realy true,
the browser providing the client cert) can be identified by the server.
0
 
LVL 14

Author Comment

by:ziffgone
ID: 11804356
What would be the best condition, in this case, to set the env. variable then?

Regards...
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 500 total points
ID: 11804875
if a client autheticates successfully with its cert, then you should see at least following variables:
  SSL_CLIENT_DN        <string>  DN in client's certificate
  SSL_CLIENT_<x509>  <string>  Component of client's DN
  SSL_CLIENT_I_DN  <string>  DN of issuer of client's certificate
  SSL_CLIENT_I_<x509>  <string>  Component of client's issuer's DN

you may use it like:

  SetEnvIf SSL_CLIENT !^\s*$ heureca_a_client_providing_a_cert
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
If you've heard about htaccess and it sounds like it does what you want, but you're not sure how it works... well, you're in the right place. Read on. Some Basics #1. It's a file and its filename is .htaccess (yes, with a dot in the front). #…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now