Allow Single URL Through .htaccess Password Protection

This code is useful for multi-environment setups (staging, production, etc.). It allows you to keep your .htaccess files in sync while maintaining an .htpasswd on your development environment, or on anything but the live environment.

# Allows a single URI through the .htaccess password protection
SetEnvIf Request_URI "/testing_uri$" test_uri

# Allows everything if it's on a certain host (dots escaped so they match literally)
SetEnvIf HOST "^testing\.yoursite\.com" testing_url
SetEnvIf HOST "^yoursite\.com" live_url
Order Deny,Allow

AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/your/.htpasswd
AuthGroupFile /
Require valid-user

#Allow valid-user
Deny from all
Allow from env=test_uri
Allow from env=testing_url
Allow from env=live_url
Satisfy any
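
The snippet above uses the Apache 2.2 access directives (Order, Deny, Allow, Satisfy), which Apache 2.4 only honours through mod_access_compat. The same policy in 2.4's native Require syntax follows as an added example, not the author's code; the fully anchored patterns and the optional port match are assumptions added here, and the hostnames and paths are the article's placeholders.

```apache
# Apache 2.4 form (mod_authz_core) of the snippet above.
# Assumes mod_setenvif and mod_auth_basic are loaded.

# Exempt exactly one URI. Anchored at both ends so that
# /anything/testing_uri does not also skip the password prompt.
SetEnvIf Request_URI "^/testing_uri$" test_uri

# Exempt by hostname: dots escaped, end anchored, optional port allowed.
SetEnvIf Host "^testing\.yoursite\.com(:[0-9]+)?$" testing_url
SetEnvIf Host "^yoursite\.com(:[0-9]+)?$" live_url

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/to/your/.htpasswd

# Replaces Order/Deny/Allow plus "Satisfy any": access is granted as soon
# as one of these succeeds; otherwise the client gets the Basic auth prompt.
<RequireAny>
    Require env test_uri
    Require env testing_url
    Require env live_url
    Require valid-user
</RequireAny>
```

The Host value comes from the request itself, so serve the protected environment from its own named virtual host rather than a catch-all default; otherwise the host-based exemptions do not reliably separate environments.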

Comments

  1. Fugazer

    I found your .htaccess setup to be pretty good, but I found it more useful to allow from all then deny from staging.

    Below is the reverse of what you have in this article.

    Keep up the great work!


    #-- Staging Server Password -------------------------#
    SetEnvIf Host yourstagingserver\.com passreq
    AuthType Basic
    AuthName "Staging Server"
    AuthUserFile /home/username/.htpasswd
    AuthGroupFile /home/username/.htgroup
    Require valid-user
    Order allow,deny
    Allow from all
    Deny from env=passreq
    Satisfy any

    • pattikay

      Thank you for the code above.

      In addition, thank you Fugazer for the script above! Worked like a charm.

  2. Braulio

    Hi,
    I am trying to do something similar, though I’m not sure if it’s possible. I have an images directory on my server and I would like the images to be accessed only by one of my PHP pages, preventing hotlinking and direct access. For instance:

    Directory:
    http://www.mysite.com/images/
    containing the files: 001.jpg / 002.jpg / etc

    Page:
    http://www.mysite.com/images.php?file=001
    to view file 001.jpg

    Any ideas on how I should configure my htaccess file?
    PS: I don’t know if it’s important since you are using REQUEST_URI, but I have multiple domains on my server (ex. http://www.mysite.com and http://www.mysite.net)

  3. George

    Yep, that's exactly what I have been searching for since Sunday. Hotlinking from one server only to only one single URL.
    @BRAULIO did you find a solution?

  4. NobodyCares

    You may try if these suggestions work for you, George.

    About midway through the page is a section about hotlinking images.

    http://www.gwizit.com/articles/getout.php

    Seemed to help my site from getting hotlinked any further.

  5. Nathaniel

    I am going through the book Digging into WordPress and I copied and pasted the index.php file to the root and made the adjustments accordingly … I then checked the settings in the admin dash …

    I forgot to include the .htaccess file though … I looked for it … and didn't find it in the core files … so I made one with http://www.coffeecup.com's .htaccess software … but when I went to refresh the page … I kept getting a log in prompt just to view the home page … or make changes in the dash … how do I include the .htaccess without having to “log in” every single time?

  6. Tom

    Many thanks for this article.

    My idea was to restrict access to all pages in my website, except for those pages of which the URL starts with “/admin”. Therefore, I modified the above example to the following:

    
    # We set some variables, matching URLs for which we do not wish to activate
    # the password protection
    SetEnvIf Request_URI "^/admin.*$" AdminUri
    
    # Setup the password protection
    AuthName "Theo - Password protected"
    AuthType Basic
    AuthUserFile ./.htpasswd
    Require valid-user
    
    # Add the exceptions for matched URLs
    Order Deny,Allow
    Deny from all
    Allow from env=AdminUri
    Satisfy any
    

    Now, pages with “/admin…” URLs are working fine without password, and other pages require authentication first. However, after having entered the password, I get an internal server error (500).

    Could anyone please help me out here? :)

    Many thanks! Keep up the good work…

  7. megasteve4

    This article was also really helpful for me – lots of examples similar to the above
    http://perishablepress.com/enable-file-or-directory-access-to-your-htaccess-password-protected-site/

  8. Jeff

    I went with Fugazer’s example but thanks for the article and help.

  9. Marc

    Really useful article, thanks!
    I’m IP filtering a site currently but I need to allow my RSS feeds to go through, or rather not to be IP filtered.
    Is there a way I can create a rule in htaccess to filter all except feeds?

    Thanks

  10. Jeremy Quinton

    Just something worth mentioning. If you use the example above but then are also rewriting everything to an index.php, which is the case with some PHP frameworks, the above does not work. I'm not sure exactly why but I thought it worth mentioning.

    • Francis Villanueva

      Jeremy,

      It does work with PHP frameworks that use .htaccess for URL rewrites. You just have to make sure this logic is above where you’re doing your rewriting for index.php.

      For example, the following password protects a certain URL (/admin), but allows it to work without a password if it matches my local host name:

      SetEnvIf Request_URI ^/admin$ PROTECTED_HOST
      SetEnvIf HOST ^local\.mywebsite\.com\.?(:80)?$ ALLOWED_HOST
      
      # Auth stuff
      AuthName "My website Admin"
      AuthType Basic
      AuthUserFile /path/to/.htpasswd
      AuthGroupFile /dev/null
      Require valid-user
      
      #Allow valid-user
      Order Deny,Allow
      Deny from all
      Satisfy any
      Allow from env=!PROTECTED_HOST
      Allow from env=ALLOWED_HOST
      
      
      <IfModule mod_rewrite.c>
          <IfModule mod_negotiation.c>
              Options -MultiViews
          </IfModule>
      
          RewriteEngine On
      
          # Redirect Trailing Slashes...
          RewriteCond %{REQUEST_FILENAME} !-d
          RewriteCond %{REQUEST_FILENAME} !-f
          RewriteRule ^(.*)/$ /$1 [L,R=301]
      
          # Handle Front Controller...
          RewriteCond %{REQUEST_FILENAME} !-d
          RewriteCond %{REQUEST_FILENAME} !-f
          RewriteRule ^ index.php [L]
      </IfModule>
      
  11. sahil

    #allows a single uri through the .htaccess password protection
    SetEnvIf Request_URI "/testing_uri$" test_uri

    #allows everything if its on a certain host
    SetEnvIf HOST "^testing.yoursite.com" testing_url
    SetEnvIf HOST "^yoursite.com" live_url
    Order Deny,Allow

    AuthName "Restricted Area"
    AuthType Basic
    AuthUserFile /path/to/your/.htpasswd
    AuthGroupFile /
    Require valid-user

    #Allow valid-user
    Deny from all
    Allow from env=test_uri
    Allow from env=testing_url
    Allow from env=live_url
    Satisfy any
