29

Problem: I have some files under /var/www/files/ that I want to be accessible from specific IP addresses WITHOUT requiring user/password. However, I would like any other IP address to require login to gain access.

This is in my httpd.conf:

```apache
<Directory /var/www/files/>
        Order deny,allow
        Deny from all
        Allow from 192.168
        AuthUserFile /etc/apache2/basic.pwd
        AuthName "Please enter username and password"
        AuthType Basic
        Require user valid-user
</Directory>
```

But, if I understood correctly, this means that any client coming from 192.168.* will have access to that directory BUT will require a valid-user to view its content. And any other IP address will be denied. Right?

Thank you in advance.

lepe

5 Answers

67

This is how it's done for Apache 2.4+ (since Satisfy Any is no longer supported).

```apache
<Directory /var/www/files/>

    AuthType Basic
    AuthName "Please enter your username and password"
    AuthUserFile /var/www/files/.htpasswd

    <RequireAny>
      Require ip 22.33.44.55
      Require valid-user
    </RequireAny>

</Directory>
```

If you want to require both IP address -and- Login/Password, change `<RequireAny>` to `<RequireAll>`.

I hope this helps someone - as it took me a while to figure it out.

Brian Smith
  • Wow! This should be more popular. This was hard to find for an answer! I wonder if this is possible by Hostname rather than IP. – LUser Oct 08 '17 at 05:44
  • To use hostname instead of IP, use this format: `Require host example.com` – Brian Smith Oct 09 '17 at 07:45
  • For Apache 2.2.x, have a look [here](https://stackoverflow.com/questions/10419592/htaccess-htpasswd-bypass-if-at-a-certain-ip-address) – The Anh Nguyen Aug 28 '19 at 08:21
  • I needed to add "Require all denied" before in order for this to deny all other users (think this substitutes the deprecated "Deny from all" ?) – Mr Chris Jun 23 '20 at 10:03
  • Wow. It's so clean! Thanks. (Note that if you want to allow an entire range of IP addresses, say... `Everyone in your office`, you can do it with `Require ip 22.33.44.0/255.255.255.0`. See: https://serverfault.com/a/682493/586831) – Eliezer Berlin Nov 21 '21 at 09:38
15

Edit: this may be the accepted answer, but it is old. For new Apache installs, use Brian's answer here.

Add this: `Satisfy Any` (which means either of those 2 should be passed).

And the syntax is either:

```apache
Require valid-user
```

Or:

```apache
Require user <userid>
```
Community
Wrikken
  • Thank you! That did it! Here is the link for those who are interested: http://httpd.apache.org/docs/2.0/mod/core.html#satisfy – lepe Nov 05 '10 at 01:22
6

If your server is behind a proxy, you can't rely on the `Require ip` directly. However, you can use the `Require env`:

```apache
<Directory /var/www/files/>

    AuthType Basic
    AuthName "Please enter your username and password"
    AuthUserFile /var/www/files/.htpasswd

    SetEnvIF X-Forwarded-For "22.33.44.55" AllowIP

    <RequireAny>
      Require env AllowIP
      Require valid-user
    </RequireAny>

</Directory>
```

The source of the idea

fracz
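A caveat on the X-Forwarded-For approach above, as an added example that is not part of the original answer: the header is supplied by the client unless the proxy overwrites it, and the SetEnvIf pattern is an unanchored regular expression. One alternative is mod_remoteip, which accepts the header only from a listed proxy so that `Require ip` keeps working. The proxy address 10.0.0.5 is constructed for illustration, and the password file path is the one from the question.

```apache
# Added example, not from the original answers.
# Assumes mod_remoteip is loaded and that 10.0.0.5 (constructed address)
# is the only reverse proxy in front of this server.

# Server or virtual-host context, outside <Directory>:
# take the client address from X-Forwarded-For only when the TCP peer is
# the listed proxy. Requests from any other peer keep their real address,
# so a forged header sent directly to Apache is ignored.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.5

<Directory /var/www/files/>
    AuthType Basic
    AuthName "Please enter your username and password"
    # Password file kept outside the served directory tree.
    AuthUserFile /etc/apache2/basic.pwd

    <RequireAny>
        # Evaluated against the address mod_remoteip derived, not the proxy's.
        Require ip 22.33.44.55
        Require valid-user
    </RequireAny>
</Directory>

# If SetEnvIf has to stay, escape the dots and anchor the pattern so that
# only the exact address matches:
#   SetEnvIf X-Forwarded-For "^22\.33\.44\.55$" AllowIP
# This is only sound when the proxy replaces the incoming header instead
# of appending to it.
```

Also restrict direct access to the backend port so that only the proxy can reach Apache.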
4

With Apache 2.4+, if you would also like to set a fixed username based on the IP block, you could use the `AuthBasicFake` directive together with the runtime `If` directive.

This example will grant direct access to 22.33.44.55/32 and 66.77.88.99/32 and set the username demouser; all others must log in.

```apache
<Location>
    AuthType Basic
    AuthName "Please enter your username and password"
    AuthUserFile /var/www/files/.htpasswd

    <If "-R '22.33.44.55/32' || -R '66.77.88.99/32'">
        AuthBasicFake demouser
        Require all granted
    </If>
    <Else>
        Require valid-user
    </Else>
</Location>
```
3
```apache
SetEnvIF X-Forwarded-For "192.168.135.159" AllowIP
SetEnvIF X-Forwarded-For "192.168.135.135" AllowIP

AuthType Basic
AuthName "admin"
AuthUserFile "/var/www/domain.com/cms/.htpasswd"

<RequireAll>
Require env AllowIP
require valid-user
</RequireAll>
```

I also checked many variants. This code works with the 2.4 version of Apache 100%.

Seymur