1

i have two .htaccess setup,

One in the htdocs Main Folder with a .htpasswd file attached

thats what it looks like rn

ErrorDocument 404 /index.html
AuthName "Protected Area" 
AuthType Basic 
AuthUserFile C:\xampp\htpwdfolder\.htpasswd 
require valid-user



DirectoryIndex index.html

Second in a Sub Folder looks like this:

order deny,allow
allow on all




Options All -Indexes

And what i get is a Internal Server Error when pointing to a direct file path

I also tried it like this:

<RequireAny>
Require ip IP1
Require ip IP2
Require ip IP3
</Require Any>

instead of

order deny,allow
deny from all
allow from IP1
allow from IP2
allow from IP3

But that didn't change anything

Does anyone have an idea?

As soon as i use the order deny,allow rule i get a internal server error in that specific path

ProjectBitcoinEgal
  • 11
  • 1

1 Answers1

0

When you get an Internal Server Error (500 response) you need to check your server's error log for the details of that error. With regards to .htaccess, 500 errors are commonly caused by syntax errors and internal rewrite loops (when using mod_rewrite).

order deny,allow
allow on all

This is a syntax error. It should be Allow from all, not on. But these won't override the HTTP authentication declared in the parent directory without an additional Satisfy Any directive:

Order deny,allow
Allow from all
Satisfy Any

However, these are (deprecated) Apache 2.2 directives. You should be using the following instead on Apache 2.4, which overrides the parent config by default:

Require all granted

<RequireAny>
Require ip IP1
Require ip IP2
Require ip IP3
</Require Any>

You have another syntax error in the closing directive tag. ie. It should be </RequireAny> - no space. I assume IP1 etc. are valid IP addresses, otherwise this will also result in a 500 error.

Note that the <RequireAny> wrapper is not strictly required here, since this is the default.

This will work to override the parent HTTP authentication for the subdirectory. However, it completely overrides the parent config. If the requesting IP address is not one of those stated then you'll get a 403 Forbidden response and no prompt to enter a password.

If you want to fallback to asking for a password then you'll need to include an additional directive to merge the directives with the parent config. ie. AuthMerging Or.

For example:

AuthMerging Or
Require ip 203.0.113.111
#Require ip IP2
#Require ip IP3

Now, if the request is from a different IP address then they will be prompted for a password (401 Unauthorised), rather than being completely blocked with a 403 Forbidden.

order deny,allow
deny from all
allow from IP1
allow from IP2
allow from IP3

As mentioned above, you would need an additional Satisfy Any directive in order to override the HTTP authentication defined in the parent config. However, as noted already, these are (deprecated) Apache 2.2 directives. You should be using the Apache 2.4 Require ip ... directives instead.

MrWhite
  • 12,647
  • 4
  • 29
  • 41