I'm trying to password protect a specific url using a .htaccess. Different urls point to the same files but have different workings. I now need to password protect only one url. I'm trying to do this using setenvif but it doesn't seem to work. I might not fully understand the purpose or use of the apache setenv module.
This is my code what doesn't seem to work
SetEnvIfNoCase Host "topasswordprotect\.domain\.com$" protecturl
<IfDefine protecturl>
Require valid-user
AuthName "Please enter your name and password"
AuthType Basic
AuthUserFile .htpasswd
</IfDefine>
I finally figured it out. I indeed had to use the mod_rewrite engine. I was determined to have a solution which didn't involve me having to make extra files or directories.
Same files, no extra directories, one .htaccess:
# Case we are in the protected area!
RewriteCond %{REQUEST_FILENAME} index.php [OR]
RewriteCond %{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^(\/){1}$
RewriteCond %{REQUEST_FILENAME} !-d [OR]
RewriteCond %{REQUEST_URI} ^(\/){1}$
RewriteCond %{HTTP_HOST} ^(protected)\.mydomain\.com$
RewriteRule ^(.*)$ admin.php%{REQUEST_URI} [L]
#default rewrite
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]
#only protect access to admin.php which is a symlink to index.php
<FilesMatch "admin.php">
AuthUserFile .htpasswd
AuthName EnterPassword
AuthType Basic
require valid-user
</FilesMatch>
Well, this can actually be achieved without mod_rewrite and with SetEnvIf
.
I needed it for dev site to test how Facebook OpenGraph tags work.
# allow facebook external hit
SetEnvIf user-agent "facebookexternalhit/1.1" allowthis
# disallow some other stuff
SetEnvIfNoCase Host "topasswordprotect\.domain\.com$" !allowthis
AuthType Basic
AuthName "dev access"
AuthUserFile .htpasswd
Require valid-user
Allow from allowthis=1
Satisfy Any
The IfDefine
works on defines which are not same as environment variables.
A quote from apache docs:
The parameter-name argument is a define as given on the httpd command line via -Dparameter- , at the time the server was started.
Might not be directly possible directly but could you have another password protected directory which has the original directory linked into it? You could the use mod_rewrite to redirect the matching requests to password protected directory.
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www.myhost.tld$
RewriteRule ^/foo/(.*)$ /bar/linkeddir/$1