
I need to password protect many pretty URLs in .htaccess via .htpasswd. But I want different user/login for each of the many protected pretty URLs (and a general login for pages not specifically protected).

So, for example, I'd like to protect:

With a specific user/password:

http://www.example.com/pretty/url

With another user/password:

http://www.example.com/pretty/link

With a generic user/password (all of the others):

http://www.example.com/pretty/generic
http://www.example.com/pretty/all
http://www.example.com/pretty/

I was trying to use the code from this answer, which I found the most fitting to my needs:

```apache
# Do the regex check against the URI here, if match, set the "require_auth" var
SetEnvIf Request_URI ^/pretty/url require_auth=true

# Auth stuff
AuthUserFile /var/www/htpasswd
AuthName "Password Protected"
AuthType Basic

# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
```

It works very well with a single pretty URL. But I wasn't able to find a way to adapt this to many URLs, each of them with a different user via htpasswd.

steps
  • It feels as if it would be much easier to handle this through some kind of authorization in your code instead. You will be able to set up a much more flexible system that's easier to manage. – purpleninja Mar 07 '16 at 13:54
  • This is not the solution you are looking for; however, it might be a solution to the problem: do you have the option of grouping the files in sub-directories based on the u/p stored in the .htpasswd? – David J Eddy Mar 07 '16 at 13:59
  • Unfortunately no @Pheagey, those are pretty URLs without an associated physical path – steps Mar 07 '16 at 14:01
  • Agreed @purpleninja but the code is kind of inflexible right now – steps Mar 07 '16 at 14:01
  • @JoãoPauloApolinárioPassos You can't do this with basic HTTP authentication via apache since it requires a physical path to be protected. – apokryfos Mar 07 '16 at 14:06
  • @apokryfos but the solution works for pretty URLs with a single URL in the example I posted, even without a physical path to be protected, via `SetEnvIf Request_URI`. The problem is that I need many and a single password for each – steps Mar 07 '16 at 14:09
  • Change `SetEnvIf Request_URI ... require_auth=true` to `require_auth={user}` (depending on the URL), `Require valid-user` would then look something like `Require user {ENV:require_auth}` (not 100% sure of the syntax but the idea is that you have a specific user with a specific pass for a specific URL match) – apokryfos Mar 07 '16 at 14:17
  • @apokryfos It seems promising; however, I can't find the right syntax to use a variable after `Require user` – steps Mar 07 '16 at 16:49
  • http://www.askapache.com/htaccess/setenvif.html implies that it should be `env=require_auth` – apokryfos Mar 07 '16 at 16:54
  • How do I make `SetEnvIf Request_URI ^/pretty/url` more generic, to contemplate also `/pretty/url/anythingAfter`? – steps Mar 07 '16 at 17:52
  • @apokryfos It wasn't working. I managed to do it with this code: `Require user %{ENV:require_auth}` – steps Mar 07 '16 at 17:57

1 Answer


Just send the authentication header via PHP; then the authentication window will pop up. In your code you can then check for different users and request URIs. In this example it only checks for the user, but you can compare the REQUEST_URI or PARAMS too. It should only show you the concept.

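```php
<?php
    // No credentials sent yet: ask the browser to show the Basic auth prompt.
    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        header("WWW-Authenticate: Basic realm=\"Private Area\"");
        header("HTTP/1.0 401 Unauthorized");
        print "Sorry - you need valid credentials to be granted access!\n";
        exit;
    } else {
        // Concept only: this compares the URI prefix and the user name.
        // The password sent by the browser ($_SERVER['PHP_AUTH_PW']) is not verified here.
        if (preg_match('/^\/pretty\/url/', $_SERVER["REQUEST_URI"], $matches) && $_SERVER['PHP_AUTH_USER'] == 'paul') {
            print "Welcome to the private area!";
        } else {
            // Wrong user or non-matching URI: prompt again.
            header("WWW-Authenticate: Basic realm=\"Private Area\"");
            header("HTTP/1.0 401 Unauthorized");
            print "Sorry - you need valid credentials to be granted access!\n";
            exit;
        }
    }
?>
```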
Kordi
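The per-URL scheme from the question, carried through in PHP with the password actually verified. This is an added example, not code from the answer above: the user names other than `paul`, the passwords, and the helper names `ruleFor` and `isAuthorized` are constructed for illustration.

```php
<?php
// Added example: path prefix => [user, password hash]. All values are constructed.
// Hashes are built inline so the script is self-contained; in practice store only the hash.
$rules = [
    '/pretty/url'  => ['paul',    password_hash('constructed-pw-1', PASSWORD_DEFAULT)],
    '/pretty/link' => ['anna',    password_hash('constructed-pw-2', PASSWORD_DEFAULT)],
    '/pretty/'     => ['generic', password_hash('constructed-pw-3', PASSWORD_DEFAULT)],
];

// Return [prefix, user, hash] for the longest matching prefix, or null if unprotected.
function ruleFor(string $path, array $rules): ?array
{
    $best = null;
    foreach ($rules as $prefix => $rule) {
        $base = rtrim($prefix, '/');
        // Match on a segment boundary: /pretty/url and /pretty/url/x, but not /pretty/urlx.
        $hit = $path === $base || strpos($path, $base . '/') === 0;
        if ($hit && ($best === null || strlen($prefix) > strlen($best[0]))) {
            $best = [$prefix, $rule[0], $rule[1]];
        }
    }
    return $best;
}

function isAuthorized(string $path, ?string $user, ?string $pass, array $rules): bool
{
    $rule = ruleFor($path, $rules);
    if ($rule === null) {
        return true; // no rule covers this path
    }
    if ($user === null || $pass === null) {
        return false; // protected path, no credentials sent
    }
    // Evaluate both checks so a wrong user name still costs a hash verification.
    $userOk = hash_equals($rule[1], $user);
    $passOk = password_verify($pass, $rule[2]);
    return $userOk && $passOk;
}

$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
if (!isAuthorized($path, $_SERVER['PHP_AUTH_USER'] ?? null, $_SERVER['PHP_AUTH_PW'] ?? null, $rules)) {
    // One realm per protected prefix, so the browser prompts separately for each area.
    $realm = ruleFor($path, $rules)[0];
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    exit("Sorry - you need valid credentials to be granted access!\n");
}
print "Welcome to the private area!";
```

Match against the same normalized path the router dispatches on; otherwise an encoded variant of `/pretty/url` could be checked against the generic rule but routed to the specific page. Basic authentication sends the password with every request, so this belongs behind HTTPS.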