Password protect a specific URL

.htaccess password-protection

The site is on shared hosting. I need to password protect a single URL.

http://www.example.com/pretty/url

Obviously that's not a physical file path I'm trying to protect, it's just that particular URL.

Any quick solution with .htaccess?


Solution 1:

You should be able to do this using the combination of mod_env and the Satisfy any directive. You can use SetEnvIf to check against the Request_URI, even if it's not a physical path. You can then check if the variable is set in an Allow statement. So either you need to log in with password, or the Allow lets you in without password:

# Do the regex check against the URI here, if match, set the "require_auth" var
SetEnvIf Request_URI ^/pretty/url require_auth=true

# Auth stuff
AuthUserFile /var/www/htpasswd
AuthName "Password Protected"
AuthType Basic

# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth

Solution 2:

You can use <LocationMatch> or simply <Location> inside your <VirtualHost> directive to do this (assuming you have access to your httpd.conf / vhost.conf - alternatively you could put something similar in a .htaccess in your document root if you have to configure your site that way).

For example:

<VirtualHost *:80>
  ServerName www.example.com
  DocumentRoot /var/www/blabla
  # Other usual vhost configuration here
  <Location /pretty/url>
    AuthUserFile /path/to/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Password Protected"
    AuthType Basic
    require valid-user
  </Location>
</VirtualHost>

You might find <LocationMatch> more useful if you want to match a regular expression against your pretty URL. The documentation is here.

Solution 3:

Since Rick stated in a comment that no answer in this question works, here is the snippet I use:

AuthName "Protected Area"
AuthType Basic
AuthUserFile /path/to/your/.htpasswd
AuthGroupFile /dev/null

SetEnvIf Request_URI .* noauth
SetEnvIf Request_URI the_uri_you_want_to_protect !noauth
SetEnvIf Request_URI another_uri !noauth
SetEnvIf Request_URI add_as_many_as_you_want !noauth

<RequireAny>
  Require env noauth
  Require valid-user
</RequireAny>

If you need support for Apache 2.2 AND Apache 2.4 (apparently there are setups where both versions run in parallel...):

AuthName "Protected Area"
AuthType Basic
AuthUserFile /path/to/your/.htpasswd
AuthGroupFile /dev/null

SetEnvIf Request_URI .* noauth
SetEnvIf Request_URI the_uri_you_want_to_protect !noauth
SetEnvIf Request_URI another_uri !noauth
SetEnvIf Request_URI add_as_many_as_you_want !noauth

<IfModule mod_authz_core.c>
    <RequireAny>
        Require env noauth
        Require valid-user
    </RequireAny>
</IfModule>

<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Satisfy any
    Require valid-user
    Allow from env=noauth
</IfModule>

The code for Apache 2.2 is taken from Jon Lin.

Related

find the only unpaired element in the array
How do I get background image size in jQuery?
How do I test if a variable does not equal either of two values?
How does this "size of array" template function work? [duplicate]
Twitter Bootstrap 3, vertically center content [duplicate]
Is it possible to output a SELECT statement from a PL/SQL block?
What is the size of void?
R on MacOS Error: vector memory exhausted (limit reached?)
How to use split?
How do I escape ampersands in batch files?
How to send a SMS using SMSmanager in Dual SIM mobile?
How can I automatically filter out soft deleted entities with Entity Framework?