57

Is it possible to have an .htaccess/.htpasswd access control setup for a given directory, but if they are from a specific IP address, bypass the login/password authentication?

I know you can do something like this in the .htaccess file:

order deny,allow
deny from all
allow from 000.000.000.000

But if you add something along these lines:

AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/.htpasswd
require valid-user

Then it prompts for the password. Is there any way to do an if/else type setup, or some other solution so that users as a given IP (or set of IPs) don't get prompted for a password, but everyone else does?

Seybsen
  • 14,989
  • 4
  • 40
  • 73
Keefer
  • 2,269
  • 7
  • 33
  • 50

6 Answers6

91

For versions 2.2.X you can use the following...

AuthUserFile /var/www/mysite/.htpasswd
AuthName "Please Log In"
AuthType Basic
require valid-user
Order allow,deny
Allow from xxx.xxx.xxx.xxx
satisfy any

Obviously replace the path to your usersfile and the ip address which you would like to bypass the authentication.

Further explanation of the specifics, can be found at: http://httpd.apache.org/docs/2.2/howto/auth.html

j5Dev
  • 2,022
  • 14
  • 18
25

If you use apache >=2.4, it would be something like this:

<If "%{REMOTE_ADDR} != '127.0.0.1'">
  AuthType Basic
  AuthName "restricted area"
  AuthUserFile /path/to/.htpasswd
  require valid-user
</If>

For more info take a look at the docs.

Seybsen
  • 14,989
  • 4
  • 40
  • 73
17

I am running Apache/2.2.16 (Debian), and had a similar problem, I solved it like this:

(This can be run in both an .htaccess file or directly in the virtualhost under <Location/>)

Order deny,allow
Deny from all
AuthType Basic
AuthUserFile /home/somesite/.htpasswd
AuthName "No entry, unless"
Require Valid-user
Allow from x.x.x.x
Allow from x.x.x.x
Satisfy Any

I allowed entry without password from two different ip, and the rest must enter password to enter.

MrWhite
  • 43,179
  • 8
  • 60
  • 84
Sverre
  • 1,318
  • 13
  • 21
16

Apache 2.4 compatible:

AuthType Basic
AuthUserFile /www/.htpasswd
AuthName "Protected Area"

<RequireAny>
    Require ip 1.2.3.4
    Require valid-user
</RequireAny>

See the migration guide Upgrading to 2.4 from 2.2 for more examples.

DrDol
  • 2,220
  • 2
  • 19
  • 23
  • This one works best for me in apache 2.4.x and is a life saver, given that I've a lot of IPs to Require (about 60 ip ranges) o its a way better syntax than the one from NicoMinsk with the if/elseIf/else – Eric Mar 25 '20 at 15:36
7

If you use apache >=2.4, and you want to allow a set of IP, as asked in initial question, you can do it like this :

   <If "-R '192.168.0.0/24'">
            Require all granted
    </If>
    <ElseIf "-R '192.168.1.0/24'">
            Require all granted
    </ElseIf>
    <Else>
            AuthType Basic
            AuthName "restricted area"
            AuthUserFile /etc/apache2/.htpasswd
            require valid-user
    </Else>
NicoMinsk
  • 1,716
  • 6
  • 28
  • 53
2

In addition to the answer of j5Dev:

# Interne IP-Adressen
SetEnvIf Remote_Addr "^127\.0\.0\.1$" IsIntern
SetEnvIf Remote_Addr "^192\.168" IsIntern
# .. add more IP addresses or ranges here

# Authentication, wenn nicht intern
AuthUserFile /path/to/.htpasswd
AuthName "restricted area"
AuthType Basic
require valid-user
Order allow,deny
Allow from env=IsIntern
satisfy any
hollodotme
  • 21
  • 1
  • 1
    None of the answers on this page work for me with the "satisfy any" directive, which is probably pretty important :) Is there anything else that needs configuring? I am on Apache 2.2.22. – Charlie Schliesser Mar 29 '13 at 16:25