• Status: Solved
  • Priority: Medium
  • Security: Public

htaccess with password

Can .htaccess be set up so it denies users based on an IP address, but even those with a friendly IP address must still log-in with a username and password?

Here's what I have so far -- but it lets the friendly IP address in without requiring username and password. I want all non-friendly IP's to be shut out and friendly IP's to give me a user-name and password to enter.


AuthUserFile /path to my file/.htpasswd
AuthName "Protected Area"
AuthType Basic

<Limit GET POST>
satisfy any
order deny,allow
deny from all
allow from 63.163.57.50
require valid-user
</Limit>
0
marcparillo
Asked:
1 Solution
 
ahoffmann Commented:
<Limit GET POST>
satisfy any
order deny,allow
deny from all
require valid-user
</Limit>
<Location /path/to/be/protected>
satisfy any
order deny,allow
deny from all
allow from 63.163.57.50
</Location>
0
 
marcparillo (Author) Commented:
Thanks, but once I add the <Location> part of the script I get a "page cannot be displayed" error.

Also, am I limited to the number of "allow from" lines pointing to approved IP addresses?  I have 200 different IP's that are friendly for this particular site.
0
 
ahoffmann Commented:
> ..  I have 200 different IP's
you can use networks there, like
  allow from xx.yy.zz. localhost 42.42.42.42

> "page cannot be displayed" error.
please check your error_log for the detailed message and post here
0

 
marcparillo (Author) Commented:
Thanks for your assistance!  I've read a lot about .htaccess but apparently not enough to understand what I'm doing wrong.

I'm on a shared hosting plan and I don't think I have access to the error_log file.

Let's say I drop the log-in requirement and just limit it to friendly IP addresses... the .htaccess script below doesn't work for some reason.  Do you know what I could be doing wrong?

Also -- just for kicks -- I changed the .htaccess script to "deny from all" to see what happens and the index page pops up but none of the supporting graphics or files appear on the home page. I thought "deny from all" in .htaccess would protect all files from view -- even the index page.

Here's the IP address .htaccess script that doesn't work:

AuthUserFile /home/u5/path htpasswd file
AuthName "This Website is Secure"
AuthType Basic
<Limit GET POST>
satisfy any
order allow,deny
deny from all
allow from 63.163.57.20
allow from 63.163.57.36
allow from 63.163.57.50
allow from 12.103.215.198
allow from 12.105.100.5
allow from 12.11.136.202
allow from 12.145.165.144
allow from 12.145.224.168
allow from 12.148.41.5
allow from 12.160.72.254
allow from 12.160.79.254
allow from 12.179.97.102
allow from 12.179.97.125
allow from 12.179.97.45
allow from 12.179.97.53
allow from 12.179.97.57
</Limit>


0
 
ahoffmann Commented:
> AuthUserFile /home/u5/path htpasswd file
you don't have spaces in file names, do you?

you should use:
  Satisfy all
  Require valid-user

see http://httpd.apache.org/docs/1.3/howto/auth.html
0
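Added example, not part of the original thread: the combination the answer above points to (friendly IP and a valid login), shown next to the two variants posted earlier that fail. It uses the Apache 1.3/2.2 directives from the thread; the AuthUserFile path is a placeholder, the partial-address line assumes the whole 12.179.97.x range is trusted, and the commented Apache 2.4 form goes beyond what the thread covers.

```apache
# Variant 1 (first post): Satisfy any
#   Access is granted when EITHER the host rule OR the login passes,
#   so 63.163.57.50 is never prompted and any other address gets in
#   with a password.
#
# Variant 2 (later post): Order allow,deny + Deny from all
#   With allow,deny the Deny lines are evaluated last and win, so
#   "Deny from all" refuses every client, listed or not.

# Working form: host rule AND login must both pass.
AuthType Basic
AuthName "Protected Area"
# Placeholder path; it must not contain unquoted spaces.
AuthUserFile /placeholder/path/.htpasswd

# deny,allow: Deny is evaluated first, then Allow overrides it for
# the listed addresses; everyone else stays denied.
Order deny,allow
Deny from all
Allow from 63.163.57.50
# A partial address matches the whole network and can shorten a long
# list (assumption: every host in 12.179.97.x is friendly).
Allow from 12.179.97

Require valid-user
Satisfy all

# No <Limit GET POST> wrapper: inside it the rules apply only to GET
# and POST, and other request methods are left unrestricted.

# Apache 2.4 equivalent (mod_authz_core), for servers where Order,
# Allow, Deny and Satisfy are deprecated:
#
#   <RequireAll>
#       Require ip 63.163.57.50 12.179.97
#       Require valid-user
#   </RequireAll>
```

A quick check after deploying: a request from a listed address should get a 401 prompt, and a request from any other address should get a 403 without ever being asked for credentials.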
 
marcparillo (Author) Commented:
Thanks again!  Your comments are helping!

I didn't have any spaces -- but the .htaccess file started to work  as soon as I changed "satisfy all" to "Satisfy All" and "require valid-user" to "Require valid-user"

I just have a few more questions:

1. Just to make sure -- are .htaccess commands such as "Satisfy all" case-sensitive? I've read they are.
2. Is there a limit to how long my "allow from" list of IP addresses can be?  And are there any drawbacks to a long list.  I've read the server checks .htaccess files every time a new page is called, which would ultimately cause a slowdown on the server with such a long list, correct?
3. If I apply .htaccess/.htpasswd to files in a sub-folder, does it over-ride the .htaccess/.htpasswd protection applied in a different folder -- or even the root folder?  I suppose, in theory, I could apply different .htaccess commands in each of my folders, all pointing to one .htpasswd file.

Again -- thanks for all your help.   That link to the Apache doc was also helpful!
0
 
ahoffmann Commented:
1. never tested myself, but thought they are not case-sensitive
2. yes, but that's hidden deep in the sources of the mod_auth module
> And are there any drawbacks to a long list.
probably performance and memory problems, I suggest that you use the db-method for that (see link above)
3. .htaccess is the root of the protection, hence one in a subdirectory defines the rules starting there and its sub directories
0
 
marcparillo (Author) Commented:
Thanks for your help!
0
