Bypass .htaccess authorization for specific URI including query strings


I have a PHP web app that loads based on various query strings. I need the app to require authentication UNLESS a specific query string is passed.

RewriteEngine On
# Default: every request starts out as "not allowed through"
SetEnvIf Request_URI ".*" allow=0
# Either ordering of the two parameters flips the flag; "-" leaves the URL unchanged
RewriteCond %{QUERY_STRING} ^(?:.*[&?])?Setting1=true&Setting2=true$
RewriteRule ^ - [E=allow:1]
RewriteCond %{QUERY_STRING} ^(?:.*[&?])?Setting2=true&Setting1=true$
RewriteRule ^ - [E=allow:1]
# Only demand credentials when the flag was never set
<If "%{ENV:allow} == '0'">
        AuthUserFile /home/path/.htpasswd
        AuthType Basic
        AuthName "Restricted Access"
        # "Require user valid-user" would only admit an account literally named
        # "valid-user"; valid-user is a keyword, not a user name
        Require valid-user
</If>

I have a PHP web application that loads based on various query strings. I need the application to require authentication IF no query string is passed. However, if the URL is example.com/app/?Setting1=true&Setting2=true I want to bypass authentication.

SetEnvIf does not support a query string parameter. Please refer to the link below.

I'm close to wanting to use SetEnvIf Request_URI, but I'm not sure how to include query strings in Request_URI.

SetEnvIf Request_URI "(/app/test)$" allow

Order Deny,Allow

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null

# A Require line is what actually triggers authentication; with "Satisfy any"
# a request passes when EITHER the env=allow rule OR a valid login applies
Require valid-user
Deny from all
Allow from env=allow
Satisfy any


I need something like this:

# Does not work as written: Request_URI holds only the path, never the
# query string, so this pattern can never match
SetEnvIf Request_URI "(/app/?Setting1=true&Setting2=true)$" allow

Order Deny,Allow

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null

# A Require line is what actually triggers authentication; with "Satisfy any"
# a request passes when EITHER the env=allow rule OR a valid login applies
Require valid-user
Deny from all
Allow from env=allow
Satisfy any
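Both the env-flag answer above and the Request_URI attempts can be collapsed into one <If>/<Else> pair, because Apache 2.4 expressions can test %{QUERY_STRING} directly and Require directives are accepted inside <If>. This is an added example, not code from the original question or answer; it assumes Apache 2.4 with mod_authz_core, AllowOverride AuthConfig for the .htaccess, and the same hypothetical parameter names and password-file path used above. One caveat a reviewer should flag: the exemption is satisfied by anyone who appends the two parameters, so it is a routing convenience rather than an access control, and whatever the bypassed path serves must be safe to expose to anonymous clients.

```apache
# Added example (not from the original post). Assumptions: Apache 2.4+,
# AllowOverride AuthConfig, hypothetical parameter names and htpasswd path.
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/path/.htpasswd

# %{QUERY_STRING} has no leading "?", so anchor on "&" or on start/end of string.
# The pair may appear in either order, with other parameters before or after,
# but "XSetting1=true" or "Setting2=trueX" will not match.
<If "%{QUERY_STRING} =~ /^(?:.*&)?(?:Setting1=true&Setting2=true|Setting2=true&Setting1=true)(?:&.*)?$/">
    # Anyone can append these parameters: this is routing, not access control.
    Require all granted
</If>
<Else>
    # Every other query string (or none at all) needs Basic credentials.
    Require valid-user
</Else>
```

Check both branches from a shell: curl -sI 'http://host/app/?Setting1=true&Setting2=true' should return 200, and curl -sI 'http://host/app/' should return 401 with a WWW-Authenticate: Basic header. A request with the parameters reordered, or with extra parameters before and after them, is a useful regression check, since each accepted ordering has to be spelled out in the regex.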


Related sections of the Apache rewrite guide: Rewriting for certain query strings; Modifying the query string; Adding to the query string; Removing the query string.

Redirect Everyone Except IP address to alternate page

ErrorDocument 403 http://www.yahoo.com/
Order deny,allow
Deny from all
Allow from 208.113.134.190

Just add a .htaccess file at the root of your Drupal installation that includes these lines. Drupal 6.10 installed in the root of mydomain.com, clean URLs enabled and using the third-party pathauto module. For users who have Drupal 6.x installed in the root directory of the domain, do the following. Edit Drupal's .htaccess file and change the DirectoryIndex line to read:

The trick is to modify .htaccess to ignore specific files/folders. So for example, if you have two folders, <folder1> and <folder2> in the root of your Drupal installation, modify your .htaccess file by inserting the following code directly after the "RewriteEngine on" directive, before the Drupal rewrites:

=========[ start of .htaccess snippet]==========
<IfModule mod_rewrite.c>
  RewriteEngine on
  #
  # stuff to let through (ignore): requests under these folders are left
  # untouched and [L] stops rule processing before Drupal's own rules run
  RewriteCond %{REQUEST_URI} "/folder1/" [OR]
  RewriteCond %{REQUEST_URI} "/folder2/"
  RewriteRule (.*) $1 [L]
  #
  # (Drupal's existing rewrite rules and the closing </IfModule> follow)
====================[ end ]=====================

However, if you are working with Apache Alias or similar directives the file doesn't actually exist, so Drupal will take over like it should. The best way around it is to just add one more conditional that matches your location and make it skip it too. That's what the ! means. Please see below:

# Skip the aliased location, then fall through to Drupal only for
# paths that are not real files or directories
RewriteCond %{REQUEST_URI} !^/yourDirectoryName
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

Edit Drupals .htaccess file and change the DirectoryIndex line to read:

DirectoryIndex index.php index.html index.htm

Create a new .htaccess file in the target folder, e.g. folder1/.htaccess
Add the lines

DirectoryIndex index.php index.html index.htm
# +Indexes turns on directory listings for this folder when no index file exists
Options +Indexes

PHP uses the presence of an AuthType directive to determine whether external authentication is in effect. Instead of simply printing out PHP_AUTH_USER and PHP_AUTH_PW, as done in the above example, you may want to check the username and password for validity, perhaps by sending a query to a database, or by looking up the user in a dbm file. Example #3: HTTP Authentication example forcing a new name/password. Note, however, that the above does not prevent someone who controls a non-authenticated URL from stealing passwords from authenticated URLs on the same server.

HTTP authentication with PHP

It is possible to use the header() function to send an "Authentication Required" message to the client browser causing it to pop up a Username/Password input window. Once the user has filled in a username and a password, the URL containing the PHP script will be called again with the predefined variables PHP_AUTH_USER, PHP_AUTH_PW, and AUTH_TYPE set to the user name, password and authentication type respectively. These predefined variables are found in the $_SERVER array. Only "Basic" and "Digest" authentication methods are supported. See the header() function for more information.


Using normalize_url from URI::Normalize, which is not in distros but easily embeddable. We could also make Nginx normalize the URL, with something like this: I have also successfully tested this in a reverse proxy configuration, which is a very common, if not the most common, use case. I have also tested this without the "skip" keyword; in such a case, a normal user may be granted access to admin-only resources. Nginx transmits the original URL in a X_ORIGINAL_URL header. We could use this fact to trigger special processing in the handler:

• Content of test vhost:

# cat /var/lib/lemonldap-ng/test/admin
SECRET ADMIN FILE

Returns the normalized URL from the redirect query string value if it is present and for the same domain the current app is running on. Before 3.4.0, the Auth.redirect session value was used. In the above example, both the Actions and Controller will get the settings defined for the 'all' key. Any settings passed to a specific authorization object will override the matching key in the 'all' key. If there is no query string/session value and there is a config with loginRedirect, the loginRedirect value is returned. If there is no redirect value and no loginRedirect, / is returned.

// Simple setup
$this->Auth->config('authenticate', ['Form']);

// Pass settings in
$this->Auth->config('authenticate', [
    'Basic' => ['userModel' => 'Members'],
    'Form' => ['userModel' => 'Members']
]);

The first line enables the rewrite engine. The second line provides a test that returns true if the HTTP_USER_AGENT string starts with the letters Webcrawler. If the second line is true, then the third line takes any URL string and returns a forbidden message to the client. This directive is required when you use a relative path in a substitution in per-directory (htaccess) context unless either of the following conditions are true: In the above example, a request to /xyz/old.html is correctly rewritten to the physical file /ABC/def/new.html. RewriteMap expansions: these are expansions of the form ${mapname:key|default}. See RewriteMap for more details.

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^Webcrawler
RewriteRule ^.*$ - [F,L]

As with any character that is not permitted in any one part of the URL (because it may have special meaning), it must be URL-encoded (percent-encoded) as % followed by the two-digit hex code for that character. RFC 3986 defines what characters are permitted (unencoded) in the userinfo part of the URL. So everything else must be percent-encoded, including : and % if they are part of the user or password parts (in order to negate their special meaning). But those aren't the only two characters that may need URL encoding. You should be passing the value through a URL-encode function in your script to correctly URL encode that part of the URL.

I assume you must be referring to the userinfo part of the URL in which the user credentials are passed, not "URL parameters" (which are part of the query-string):

https://<userinfo>@example.com/foo?<query-string>

userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
pct-encoded = "%" HEXDIG HEXDIG
sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
              / "*" / "+" / "," / ";" / "="

Those that are special to mod_rewrite include those below. The filesystem path to the directory containing the RewriteRule, suffixed by the relative substitution, is also valid as a URL path on the server (this is rare). mod_rewrite operates on the full URL path, including the path-info section. A rewrite rule can be invoked in httpd.conf or in .htaccess. The path generated by a rewrite rule can include a query string, or can lead to internal sub-processing, external request redirection, or internal proxy throughput. Back-references ($N) to the RewriteRule pattern.

Example

LogLevel alert rewrite:trace3