htaccess with password

Can .htaccess be set up so it denies users based on an IP address, but even those with a friendly IP address must still log-in with a username and password?

Here's what I have so far -- but it lets the friendly IP address in without requiring username and password.  I want all non-friendly IP's to be shut out and friendly IP's to give me a user-name and password to enter.


AuthUserFile /path to my file/.htpasswd
AuthName "Protected Area"
AuthType Basic

<Limit GET POST>
satisfy any
order deny,allow
deny from all
allow from 63.163.57.50
require valid-user
</Limit>
marcparilloAsked:

ahoffmannCommented:
<Limit GET POST>
satisfy any
order deny,allow
deny from all
require valid-user
</Limit>
<Location /path/to/be/protected>
satisfy any
order deny,allow
deny from all
allow from 63.163.57.50
</Location>
0
marcparilloAuthor Commented:
Thanks, but once I add the <Location> part of the script I get a "page cannot be displayed" error.

Also, am I limited to the number of "allow from" lines pointing to approved IP addresses?  I have 200 different IP's that are friendly for this particular site.
0
ahoffmannCommented:
> ..  I have 200 different IP's
you can use networks there, like
  allow from xx.yy.zz. localhost 42.42.42.42

> "page cannot be displayed" error.
please check your error_log for the detailed message and post here
0
marcparilloAuthor Commented:
Thanks for your assistance!  I've read a lot about .htaccess but apparently not enough to understand what I'm doing wrong.

I'm on a shared hosting plan and I don't think I have access to the error_log file.

Let's say I drop the log-in requirement and just limit it to friendly IP addresses... the .htaccess script below doesn't work for some reason.  Do you know what I could be doing wrong?

Also -- just for kicks -- I changed the .htaccess script to "deny from all" to see what happens and the index page pops up but none of the supporting graphics or files appear on the home page.  I thought "deny from all" in .htaccess would protect all files from view -- even the index page.

Here's the IP address .htaccess script that doesn't work:

AuthUserFile /home/u5/path htpasswd file
AuthName "This Website is Secure"
AuthType Basic
<Limit GET POST>
satisfy any
order allow,deny
deny from all
allow from 63.163.57.20
allow from 63.163.57.36
allow from 63.163.57.50
allow from 12.103.215.198
allow from 12.105.100.5
allow from 12.11.136.202
allow from 12.145.165.144
allow from 12.145.224.168
allow from 12.148.41.5
allow from 12.160.72.254
allow from 12.160.79.254
allow from 12.179.97.102
allow from 12.179.97.125
allow from 12.179.97.45
allow from 12.179.97.53
allow from 12.179.97.57
</Limit>


0
ahoffmannCommented:
> AuthUserFile /home/u5/path htpasswd file
you don't have spaces in file names, do you?

you should use:
  Satisfy all
  Require valid-user

see http://httpd.apache.org/docs/1.3/howto/auth.html
0
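An added example, not part of any post in this thread: a small Python model of how Apache 1.3/2.2 combines Order/Allow/Deny with Require under "Satisfy any" versus "Satisfy all", applied to the configurations posted above. The function and variable names, the deny,allow order in FIXED, and the outside address 203.0.113.9 are assumptions made for the illustration.

```python
import ipaddress

def host_allowed(order, allow, deny, client_ip):
    """Host-based check as documented for Order / Allow from / Deny from."""
    ip = ipaddress.ip_address(client_ip)

    def matches(specs):
        return any(s == "all" or ip in ipaddress.ip_network(s, strict=False)
                   for s in specs)

    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        # Deny is evaluated first and Allow may override it; default is allow.
        return matches(allow) or not matches(deny)
    if order == "allow,deny":
        # Allow is evaluated first and Deny overrides it; default is deny.
        return matches(allow) and not matches(deny)
    raise ValueError("unknown Order value: " + order)

def access_granted(cfg, client_ip, authenticated):
    """Combine the host check with 'Require valid-user' according to Satisfy."""
    host_ok = host_allowed(cfg["order"], cfg["allow"], cfg["deny"], client_ip)
    if not cfg["require_valid_user"]:
        return host_ok                      # Satisfy has nothing to combine
    if cfg["satisfy"].lower() == "any":
        return host_ok or authenticated     # either test is enough
    return host_ok and authenticated        # "all": both tests must pass

FRIENDLY = "63.163.57.50"   # allowed address from the question
OUTSIDER = "203.0.113.9"    # constructed address, not on any allow list

# Configuration from the question: friendly IP gets in without a password.
QUESTION = {"satisfy": "any", "order": "deny,allow", "deny": ["all"],
            "allow": [FRIENDLY], "require_valid_user": True}
# Later IP-only attempt: with allow,deny the "deny from all" wins for everyone.
IP_ONLY = {"satisfy": "any", "order": "allow,deny", "deny": ["all"],
           "allow": ["63.163.57.20", "63.163.57.36", FRIENDLY],
           "require_valid_user": False}
# Suggested fix: Satisfy all + Require valid-user (deny,allow order assumed).
FIXED = dict(QUESTION, satisfy="all")

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION), ("ip-only", IP_ONLY), ("fixed", FIXED)):
        for ip in (FRIENDLY, OUTSIDER):
            for authed in (False, True):
                print(name, ip, "password ok" if authed else "no password",
                      "->", "200" if access_granted(cfg, ip, authed) else "denied")
```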
marcparilloAuthor Commented:
Thanks again!  Your comments are helping!

I didn't have any spaces -- but the .htaccess file started to work  as soon as I changed "satisfy all" to "Satisfy All" and "require valid-user" to "Require valid-user"

I just have a few more questions:

1. Just to make sure -- are .htaccess commands such as "Satisfy all" case-sensitive? I've read they are.
2. Is there a limit to how long my "allow from" list of IP addresses can be?  And are there any drawbacks to a long list?  I've read the server checks .htaccess files every time a new page is called, which would ultimately cause a slowdown on the server with such a long list, correct?
3. If I apply .htaccess/.htpasswd to files in a sub-folder, does it over-ride the .htaccess/.htpasswd protection applied in a different folder -- or even the root folder?  I suppose, in theory, I could apply different .htaccess commands in each of my folders, all pointing to one .htpasswd file.

Again -- thanks for all your help.   That link to the Apache doc was also helpful!
0
ahoffmannCommented:
1. never tested myself, but thought they are not case-sensitive
2. yes, but that's hidden deep in the sources of the mod_auth module
> And are there any drawbacks to a long list.
probably performance and memory problems, I suggest that you use the db-method for that (see link above)
3. .htaccess is the root of the protection, hence one in a subdirectory defines the rules starting there and its sub directories
0

marcparilloAuthor Commented:
Thanks for your help!
0
Question has a verified solution.
