Apache restrict access unless from localhost

Question

The below code is in .htaccess file in /home/cuddle/test/

AuthUserFile "/home/cuddle/.htpasswds/test/passwd"
AuthType Basic
AuthName "Secure Area"
Require valid-user

This works fine, it will prompt for username & password, however when I add another rule to allow internal requests:

Allow from 127.0.0.1
Satisfy Any

It no longer prompts for password for outside users (non localhost) and seems to let all users through, no matter if they validate or what IP they are from. There are no other permissions/allow/deny present within .htaccess

score 4 · Answer 1 · answered Jun 26 '12 at 10:28

Try this:

AuthUserFile "/home/cuddle/.htpasswds/test/passwd"
AuthType Basic
AuthName "Secure Area"
Require valid-user
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
Satisfy Any

I just signed up to StackOverflow because I stumbled to same problem, and after trial-and-error, the config above worked for me.

score 1 · Answer 2 · answered Nov 04 '16 at 21:48

1

Simpler solution:

AuthUserFile "/home/cuddle/.htpasswds/test/passwd"
AuthType Basic
AuthName "Secure Area"
Require valid-user
Require local
Satisfy Any

answered Nov 04 '16 at 21:48

Leo

10,407
3
45
62

Apache restrict access unless from localhost

2 Answers2