.htaccess protect symlinked TYPO3 backend

Question

I'm trying to protect an older TYPO3 8.7 backend (/typo3) via an AuthType basic part in the normal TYPO3 .htaccess file. I always end up with internal server errors. Has anyone done this before ? Is it possible that this could not wor with the symlinks ?

I am puting this part of code on top of my .htaccess (before all the rwrite stuff starts):

    SetEnvIf Request_URI ^.*/typo3.* require_auth=true
    AuthType basic
    AuthName "Admin Schutz"
    AuthUserFile /usr/etc/.htpasswd
    #Order Deny,Allow
    #Deny from all
    #Satisfy any
    Require valid-user
    Allow from env=!require_auth

Thanks for any hints!

You should check your server logs and add the messages here for your Internal Server Error. — Mathias Brodala, Aug 11 '20 at 09:41

Naderio · Answer 1 · 2020-08-11T10:06:58.543

1

Should work with:

AuthType        basic
AuthName        "Secret area!"
AuthUserFile    /usr/etc/.htpasswd
require         valid-user
Order           deny,allow
Deny            from all
Satisfy         ANY

An internal server error is thrown, e.g. if your path to the AuthUserFile isn't correct.

Here i've written down my snippet for my personal public documentation: https://www.entwicklertools.de/snippet-sammlung/htaccess-snippets/passwortschutz-einrichten/

edited Aug 11 '20 at 10:06

answered Aug 11 '20 at 09:59

Naderio

1,306
11
26

"Order deny,allow" and "Deny from all" will not work in Apache >=2.4, unless you have the access_compat_module enabled. In any case, if you *know* you are using 2.4 or above, do not use the outdated directives. – Sybille Peters Aug 11 '20 at 18:26
See quote from official Apache HTTP server docs: "The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use." https://httpd.apache.org/docs/2.4/howto/access.html – Sybille Peters Aug 11 '20 at 18:28

score 1 · Accepted Answer · answered Aug 11 '20 at 12:21

Assuming that your /usr/etc/.htpasswd file is accessible and valid (created properly with htpasswd command and chmoded to 644) your sample should work for Apache 2.2, but not in Apache 2.4 according to comments in this post. Literally in 2.4 it will work, but will require password also for your root domain.

There are two solutions. First is placing additional .htaccess files in your typo3 directory with simple rule, i.e. as shown by @Naderio:

AuthType        basic
AuthName        "Secret area!"
AuthUserFile    /usr/etc/.htpasswd
require         valid-user
Order           deny,allow
Deny            from all
Satisfy         ANY

However, if you created a typo3 symlink to sources as suggested in TYPO3's documentation and/or you don't want to require BasicAuth for all projects which uses the same sources, you can override these settings directly in VHOST configuration like (assuming that you have all your TYPO3 projects i.e. in /www/typo3/ folder:

<VirtualHost *:80>

    ServerAdmin your@email.tld
    DocumentRoot "/www/typo3/project-x.loc"
    ServerName project-x.loc

    # below your valid paths for log files...
    # ErrorLog "logs/project-x.loc-error_log"
    # CustomLog "logs/project-x.loc-access_log" common
    
    <Directory "/www/typo3/project-x.loc">
        Options Indexes FollowSymLinks ExecCGI Includes
        AllowOverride All
        Require all granted
    </Directory>
    
    <Directory "/www/typo3/project-x.loc/typo3">
        AuthType        basic
        AuthName        "Restricted in VHOST config!"
        AuthUserFile    /usr/etc/.htpasswd
        require         valid-user
        Order           deny,allow
        Deny            from all
        Satisfy         ANY
    </Directory>
    
</VirtualHost>

Note: I'd check anyway if the path you are trying to use /usr/etc/ is accessible for Apache at all, maybe it will be better moving your .htpasswd file somewhere closer to your www structure like to folder /www/etc/ and fix the above rules accordingly?

score 1 · Answer 3 · answered Aug 13 '20 at 06:16

1

Thanks to all replies.

finally we also did this in the vhost by the following code using the "location"-tag.

 <Location /typo3/>
            AuthType Basic
            AuthName "Enter Password"
            AuthUserFile /www_data/.htpasswd4xyz
            Require valid-user
    </Location>

answered Aug 13 '20 at 06:16

Stefan Müller

177
10

In this world there are always some places for improvements ;) Thanks for sharing. – biesior Aug 13 '20 at 09:57

score 0 · Answer 4 · answered Nov 19 '20 at 10:21

0

In case you can't edit the vhost config, this line shoud work istead of your SetEnvIf in your .htaccess, intoo:

SetEnvIfNoCase Request_URI ^/typo3/$ require_auth=true

answered Nov 19 '20 at 10:21

mtness

997
9
28

.htaccess protect symlinked TYPO3 backend

4 Answers4