This code is useful for multi-environment setups (staging, production, etc.). It allows you to keep your .htaccess files in sync across environments while keeping htpasswd protection on your development environment, or on anything but the live environment.
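#allows a single uri through the .htaccess password protection
SetEnvIf Request_URI "/testing_uri$" test_uri
#allows everything if it's on a certain host
#(dots are escaped and the pattern is anchored at both ends, with an optional port, so only these exact host names match)
SetEnvIf HOST "^testing\.yoursite\.com(:[0-9]+)?$" testing_url
SetEnvIf HOST "^yoursite\.com(:[0-9]+)?$" live_url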
Order Deny,Allow
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/your/.htpasswd
AuthGroupFile /
Require valid-user
#Allow valid-user
Deny from all
Allow from env=test_uri
Allow from env=testing_url
Allow from env=live_url
Satisfy any
I found your .htaccess setup to be pretty good, but I found it more useful to allow from all then deny from staging.
Below is the reverse of what you have in this article.
Keep up the great work!
#-- Staging Server Password -------------------------#
SetEnvIf Host yourstagingserver.com passreq
AuthType Basic
AuthName "Staging Server"
AuthUserFile /home/username/.htpasswd
AuthGroupFile /home/username/.htgroup
Require valid-user
Order allow,deny
Allow from all
Deny from env=passreq
Satisfy any
Thank you for the code above.
In addition, thank you Fugazer for the script above! Worked like a charm.
Hi,
I am trying to do something similar, though I’m not sure if it’s possible. I have an images directory on my server and I would like the images to be accessed only by one of my PHP pages, preventing hotlinking and direct access. For instance:
Directory:
http://www.mysite.com/images/
containing the files: 001.jpg / 002.jpg / etc
Page:
http://www.mysite.com/images.php?file=001
to view file 001.jpg
Any ideas of how should I configure my htaccess file?
PS: I don’t know if it’s important since you are using REQUEST_URI, but I have multiple domains on my server (ex. http://www.mysite.com and http://www.mysite.net)
Yep, that’s exactly what I have been searching for since Sunday. Hotlinking from one server only to only one single URL.
@BRAULIO did you find a solution?
You may try whether these suggestions work for you, George.
About midway through the page is a section about hotlinking images.
http://www.gwizit.com/articles/getout.php
Seemed to help my site from getting hotlinked any further.
I am going through the book Digging into WordPress and I copied and pasted the index.php file to the root and made the adjustments accordingly … I then checked the settings in the admin dash …
I forgot to include the .htaccess file though … I looked for it … and didn’t find it in the core files … so I made one with http://www.coffeecup.com’s .htaccess software … but when I went to refresh the page … I kept getting a login prompt just to view the home page … or make changes in the dash … how do I include the .htaccess without having to “log in” every single time?
Many thanks for this article.
My idea was to restrict access to all pages in my website, except for those pages of which the URL starts with “/admin”. Therefore, I modified the above example to the following:
Now, pages with “/admin…” URLs are working fine without a password, and other pages require authentication first. However, after having entered the password, I get an internal server error (500).
Could anyone please help me out here? :)
Many thanks! Keep up the good work…
This article was also really helpful for me – lots of examples similar to the above
http://perishablepress.com/enable-file-or-directory-access-to-your-htaccess-password-protected-site/
I went with Fugazer’s example but thanks for the article and help.
Really useful article thanks!
I’m IP filtering a site currently but I need to allow my RSS feeds to go through, or rather not to be IP filtered.
Is there a way I can create a rule in htaccess to filter all except feeds?
Thanks
Just something worth mentioning. If you use the example above but are also rewriting everything to an index.php, which is the case with some PHP frameworks, the above does not work. I’m not sure exactly why but I thought it worth mentioning.
Jeremy,
It does work with PHP frameworks that use .htaccess for URL rewrites. You just have to make sure this logic is above where you’re doing your rewriting for index.php.
For example, the following password protects a certain URL (/admin), but allows it to work without a password if it matches my local host name:
#allows a single uri through the .htaccess password protection
SetEnvIf Request_URI "/testing_uri$" test_uri
#allows everything if it's on a certain host
#(dots are escaped and the pattern is anchored at both ends, with an optional port, so only these exact host names match)
SetEnvIf HOST "^testing\.yoursite\.com(:[0-9]+)?$" testing_url
SetEnvIf HOST "^yoursite\.com(:[0-9]+)?$" live_url
Order Deny,Allow
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/your/.htpasswd
AuthGroupFile /
Require valid-user
#Allow valid-user
Deny from all
Allow from env=test_uri
Allow from env=testing_url
Allow from env=live_url
Satisfy any
I’d like to protect a single page in my website (www.example.com/extranet/).
How can I use this snippet to fix this? Help would be very much appreciated.
I’m on Apache/2.4.27 (cPanel) by the way (not sure if that matters).
Helpful article, but on the version of Apache 2.4.x that my host uses (NearlyFreeSpeech), Allow is no longer a valid directive.
In case this is helpful for others: I set up a site with SSL using Let’s Encrypt, and later switched the entire site to being protected by htpasswd. This of course caused the tlssetup cron job required by Let’s Encrypt (which accesses a .well-known directory on your site) to fail.
The quick fix for me was to create a .htaccess file inside the .well-known directory that just includes the line
Require all granted
Now the whole site is protected, just excluding this directory.
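The article's rule written for Apache 2.4, where, as the last comment notes, Allow is no longer accepted. This is an added example, not code from the article or its commenters; the host names, URI and file path are the article's placeholders, and the escaped, anchored host patterns are a tightening added here.

```apache
# Apache 2.4 (mod_authz_core) form of the article's .htaccess rule.
# Needs AllowOverride AuthConfig FileInfo for this directory.

# Exempt one URI from the password prompt.
SetEnvIf Request_URI "/testing_uri$" test_uri

# Exempt whole hosts. Dots are escaped and the pattern is anchored at both
# ends (an optional port is allowed), so a name such as
# "yoursite.com.example.net" does not set the variable.
SetEnvIfNoCase Host "^testing\.yoursite\.com(:[0-9]+)?$" testing_url
SetEnvIfNoCase Host "^yoursite\.com(:[0-9]+)?$" live_url

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/to/your/.htpasswd

# <RequireAny> takes the place of "Order/Deny/Allow" plus "Satisfy any":
# the request is authorized as soon as one line matches, so exempted
# requests never see the password prompt and everything else needs a login.
<RequireAny>
    Require env test_uri
    Require env testing_url
    Require env live_url
    Require valid-user
</RequireAny>
```

Because the Host value comes from the request, make sure the protected environment's virtual host only answers for its own ServerName (it should not be the default virtual host); otherwise the host exemptions would apply there as well.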