
I have this in my .htaccess to require a password but allow certain whitelisted IP addresses without authentication.

Order deny,allow
Deny from all
AuthType basic
AuthName "Admins Only"
AuthUserFile /etc/apache/.htpasswd
Require valid-user
#replace xxx with IP allowed
Allow from xxx.xxx.xxx.xxx
Satisfy any

Using Apache 2.2.16 on RedHat.

Two things are happening here:

  • It still asks the whitelisted addresses for a password, and
  • when I visit the site on my Android device, I can see the website behind the auth popup, then when I cancel it, I can still browse the site.

Has anyone else experienced similar symptoms, and do you have suggestions?

Note: When I remove the Deny, Allow, and Satisfy rules, the auth works as expected.

DWils

1 Answer


Turns out the Satisfy any directive was being met in a couple of other locations, particularly in my Apache httpd.conf file and an .htaccess in a subfolder of the DocumentRoot.

If you're having similar issues with Satisfy any, check any other possible locations where .htaccess may be called from and comment out any Order deny,allow and Allow from all statements. Using something along the lines of these commands helped me find the problems (in Linux via SSH):

cd /www/documentroot && find . -name .htaccess

Or

grep -rli 'allow from all' .

(The 2nd command will search through files, so it will take more time.)

Or find it in your Apache configuration files. Note that you shouldn't have to change the Apache config if AllowOverride all is set for your vhost.

DWils
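An added example, not part of the original answer: a shell audit that combines the two searches above, reports only active (non-commented) `Order`, `Allow from all` and `Satisfy any` lines with file and line number, and flags files that contain both `Satisfy any` and `Allow from all`. The function names and the sample tree (including the documentation address 192.0.2.10) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit Apache 2.2 access directives.

# Active (non-commented) directives that interact with "Satisfy any".
PATTERN='^[[:space:]]*(Satisfy[[:space:]]+any|Allow[[:space:]]+from[[:space:]]+all|Order[[:space:]]+)'

# audit_access DIR: print "file:line:directive" for .htaccess and *.conf files.
audit_access() {
    find "$1" -type f \( -name .htaccess -o -name '*.conf' \) \
        -exec grep -nHiE "$PATTERN" {} + | sort
}

# bypass_candidates DIR: files holding both "Satisfy any" and "Allow from all".
# Heuristic only: Apache also merges directives across files and scopes.
bypass_candidates() {
    audit_access "$1" | awk -F: '
        { line = tolower($0) }
        line ~ /satisfy[ \t]+any/         { s[$1] = 1 }
        line ~ /allow[ \t]+from[ \t]+all/ { a[$1] = 1 }
        END { for (f in s) if (f in a) print f }' | sort
}

# make_sample_tree DIR: constructed sample files (192.0.2.10 is a documentation IP).
make_sample_tree() {
    mkdir -p "$1/sub" "$1/conf"
    printf '%s\n' 'Order deny,allow' 'Deny from all' 'AuthType basic' \
        'AuthName "Admins Only"' 'AuthUserFile /etc/apache/.htpasswd' \
        'Require valid-user' 'Allow from 192.0.2.10' 'Satisfy any' > "$1/.htaccess"
    printf '%s\n' 'Order allow,deny' 'Allow from all' 'Satisfy any' > "$1/sub/.htaccess"
    printf '%s\n' '# Satisfy any' 'Order allow,deny' 'Allow from all' > "$1/conf/httpd.conf"
}

# Demo on a throwaway copy of the constructed tree.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
audit_access "$demo_dir"
echo "Both 'Satisfy any' and 'Allow from all':"
bypass_candidates "$demo_dir"
rm -rf "$demo_dir"
```

On a real server, point `audit_access` at the DocumentRoot and at the Apache configuration directory; a file listed by `bypass_candidates` is the first place to look when the password prompt can be skipped.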