techbots asked:

Allowing paypal to bypass password protection in .htaccess

I have a password protected ecommerce site. I am having difficulty with my .htaccess file allowing Paypal to send back the IPN. (I did learn that I needed the site to have SSL - so got that installed.)

Here is what I am using.

#allow access from paypal only
SetEnvIf Referer "^https://www\.paypal\.com" auth_referral
Order Allow,Deny
Deny from all

AuthType Basic
AuthName "FRBSF"
AuthUserFile "/path/to/my/.htpasswds/public_html/passwd"
Require valid-user
Allow from paypal.com
Allow from env=auth_referral
Satisfy any

I've tried dozens of combinations of code over the past 4 days and I end up with either the password protection not working and PayPal IPN working fine or vice versa. I need them both to work ASAP!

I've also tried using SetEnvIf HOST.

Thanks in advance!
Tags: Apache Web Server, E-Commerce, Web Development, PayPal

techbots (ASKER):
I have also tried

SetEnvIf Request_URI "^/wc-api/WC_Gateway_Paypal/." auth_referral

since PayPal might not send back referrer info.
Steve Bink:
Please verify your Apache version.

Have you tried turning on debug logging to find out how the requests are being handled?
techbots (ASKER):
How do I find the Apache version? (Site is hosted on HostGator).

I also just tried adding an .htaccess file to the Woocommerce plugin folder to allow all. That didn't work either.
Steve Bink:
The Apache version information should be available somewhere in your account.  You can also try using phpinfo(), though it may be disallowed by your host.

Realistically, I'm not sure this is the route you want to go.  The referer is set by the user, so it can be manipulated by an attacker.  It is not a good idea to base your security on its value.  Using "Allow from" might be OK, but you'll need to find out the name/IP under which the request is being made.  It needs to be an exact match.

In any case, the whole strategy is a little wonky.  The Paypal system is not set up to log in via HTTP authentication, and authentication (and associated security) for e-commerce is generally done at the application level.  What circumstances imply using HTTP-based authentication is the way to go here?  In an ideal system, Paypal posts a form to an SSL form on your site, and you use that information to verify the transaction.
techbots (ASKER):
Apache version 2.2.29. The site uses SSL.

The first few lines in the access logs are:
 [30/Nov/2015:06:59:19 -0600] "POST /wc-api/WC_Gateway_Paypal/ HTTP/1.1" 401 - "-" "PayPal IPN ( https://www.paypal.com/ipn )"
173.0.81.1 - - [30/Nov/2015:07:00:18 -0600] "POST /wc-api/WC_Gateway_Paypal/ HTTP/1.1" 401 - "-" "PayPal IPN ( https://www.paypal.com/ipn )

Can I use a POST in the .htaccess? If so, would it be something like:

<Limit POST /wc-api/WC_Gateway_Paypal/ HTTP/1.1>
      Satisfy Any
</Limit>

The site is already live so I don't have an option to redo the whole way it works. But I do urgently need a way to get the payment info back to Woocommerce.
Steve Bink:
Try removing the quotes from your regex:
SetEnvIf Referer "^https://www\.paypal\.com" auth_referral

You can also try SetEnvIfNoCase.  That may help the referer get picked up.

Still, that's a distant second in how you should approach this.  If you're set on this strategy, "Allow from" is the proper way to do it.  I've found a hint in the docs:
Hosts whose names match, or end in, this string are allowed access. Only complete components are matched, so the above example will match foo.apache.org but it will not match fooapache.org. This configuration will cause Apache to perform a double reverse DNS lookup on the client IP address, regardless of the setting of the HostnameLookups directive. It will do a reverse DNS lookup on the IP address to find the associated hostname, and then do a forward lookup on the hostname to assure that it matches the original IP address. Only if the forward and reverse DNS are consistent and the hostname matches will access be allowed.

The notes regarding DNS are important, since large organizations are likely to have multiple servers doing this type of work.  Try detecting via IP instead of hostname.
techbots (ASKER):
From my understanding, PayPal hides its Referrer URL when communicating back to the site. IP addresses would be better, but there are many for PayPal and I can't find them anywhere.  I can only find the sandbox ones, but this is a live site. A reverse DNS lookup wouldn't give me all the possible IP addresses PayPal uses.
Steve Bink:
>>> A reverse DNS lookup wouldn't give me all the possible IP addresses PayPal uses.

Which is why I maintain this is not the proper way to do this.  Again, what conditions exist that imply HTTP authentication is preferred for the entire site?  As an e-commerce site, don't you want people to buy things?

The better route here would be to disable authentication on the Paypal listener, at a minimum.  Your application should be verifying anything received through that endpoint, and Paypal will not log in anyways.  Perhaps use a second .htaccess file in the directory to disable authentication.  Otherwise, start building your list of IPs from the server's logs.  Anytime you find a denial to that URL, check if the IP belongs to Paypal, and if so, add it to the list.
techbots (ASKER):
I finally got a response from PayPal with the IPN IP addresses. So this is the code I am using now.

# password protection except for PayPal
AuthType Basic
AuthName "FRBSF"
AuthUserFile "/home4/w3ndy321/.htpasswds/public_html/frbsf/passwd"
Require valid-user

Allow from 64.4.248.8
Allow from 64.4.249.8
Allow from 173.0.84.40
Allow from 173.0.84.8
Allow from 173.0.88.40
Allow from 173.0.88.8
Allow from 173.0.92.8
Allow from 173.0.93.8

However this still isn't sending back the payment information.
Steve Bink:
Try adding "Satisfy any", or removing the user-based authentication.
techbots (ASKER):
If I add "Satisfy Any", it takes off the password protection which I can't do. Also removing the valid user authentication isn't an option either since that is a requirement of the client that the site be password protected. This can't be the only online shop that uses PayPal that is password protected. Surely there is a way to make the two work together.
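As an added example (my own script, not code from the thread and not the accepted answer), the following shell script does the two things discussed above: it mines access-log lines for clients that received a 401 on a POST to the IPN path, as suggested earlier in the thread, and it emits the Apache 2.2 directives that let those addresses through while everyone else still has to authenticate. The log lines are constructed (the 173.0.81.1 entries mirror the one quoted in the thread; the 192.0.2.x addresses are RFC 5737 documentation-range filler), the AuthUserFile path is a placeholder, and the function names are mine. The reason "Satisfy any" by itself dropped the password prompt is that the later config has no "Deny from all": with the default "Order Deny,Allow" and no Deny rule, every host passes the host check, so "Satisfy any" admits everyone.

```shell
#!/bin/sh
# Added example, not from the thread. Collect client IPs that were denied (401)
# on the WooCommerce PayPal IPN path, then print Apache 2.2 directives that
# allow those IPs through while all other clients still need Basic auth.

IPN_PATH="/wc-api/WC_Gateway_Paypal/"

# Constructed sample access-log lines in Apache combined format. The 173.0.81.1
# lines mirror the entry quoted in the thread; the 192.0.2.x lines are invented
# (documentation range) to show traffic the filter must ignore.
SAMPLE_LOG='173.0.81.1 - - [30/Nov/2015:07:00:18 -0600] "POST /wc-api/WC_Gateway_Paypal/ HTTP/1.1" 401 - "-" "PayPal IPN ( https://www.paypal.com/ipn )"
173.0.81.1 - - [30/Nov/2015:07:05:02 -0600] "POST /wc-api/WC_Gateway_Paypal/ HTTP/1.1" 401 - "-" "PayPal IPN ( https://www.paypal.com/ipn )"
192.0.2.10 - - [30/Nov/2015:07:06:11 -0600] "GET /shop/ HTTP/1.1" 401 - "-" "Mozilla/5.0"
192.0.2.11 - - [30/Nov/2015:07:07:45 -0600] "POST /wc-api/WC_Gateway_Paypal/ HTTP/1.1" 200 512 "-" "curl/7.47.0"'

# denied_ipn_ips: read combined-format log lines on stdin and print each
# distinct client IP that got a 401 on a POST to the IPN path.
# Combined-format fields: $1 client IP, $6 "\"METHOD", $7 path, $9 status.
denied_ipn_ips() {
    awk -v path="$IPN_PATH" \
        '$6 == "\"POST" && $7 == path && $9 == "401" { print $1 }' | sort -u
}

# allowlist_directives: read one IP per line on stdin and print the .htaccess
# fragment. Apache 2.2 semantics: "Satisfy any" grants access when EITHER the
# host rules pass (Deny from all, overridden only by a matching Allow) OR the
# client presents valid Basic-auth credentials. Without "Deny from all" every
# host passes the host check and "Satisfy any" would disable the password.
allowlist_directives() {
    cat <<'EOF'
# Password protection for everyone except the listed IPN source addresses.
AuthType Basic
AuthName "FRBSF"
AuthUserFile "/path/to/my/.htpasswds/public_html/passwd"
Require valid-user
Order Deny,Allow
Deny from all
EOF
    # One Allow line per candidate address. Confirm each address really belongs
    # to PayPal (e.g. against the IPN list PayPal supplies) before deploying.
    while IFS= read -r ip; do
        printf 'Allow from %s\n' "$ip"
    done
    printf 'Satisfy any\n'
}

# Demo run on the constructed log: prints the generated .htaccess fragment.
printf '%s\n' "$SAMPLE_LOG" | denied_ipn_ips | allowlist_directives
```

On a real server, replace the constructed log with the site's access log (for example `denied_ipn_ips < /path/to/access_log`). Directive order matters in 2.2: under "Order Allow,Deny", as in the first config in the thread, "Deny from all" overrides every Allow, which is why that version never let the IPN request through.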
ASKER CERTIFIED SOLUTION
Steve Bink:

[solution text not available on this page]
techbots (ASKER):
I understand. However, doing it this way was not my decision, nor is it in my authority to change this. I will likely have to just tell the client that what they want, or rather the way they want it, cannot be done. At least I have explored it thoroughly. Thank you for your time.
Steve Bink:
Was there more information you needed?  "Can't be done" is a valid answer, and does not merit a "B" grade.