.htaccess / .htpasswd bypass if at a certain IP address

Question

Is it possible to have an .htaccess/.htpasswd access control setup for a given directory, but if they are from a specific IP address, bypass the login/password authentication?

I know you can do something like this in the .htaccess file:

order deny,allow
deny from all
allow from 000.000.000.000

But if you add something along these lines:

AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/.htpasswd
require valid-user

Then it prompts for the password. Is there any way to do an if/else type setup, or some other solution so that users as a given IP (or set of IPs) don't get prompted for a password, but everyone else does?

Which apache version are you running?

Seybsen
– Seybsen

2012-05-02 18:33:13 +00:00
Commented May 2, 2012 at 18:33 — Seybsen
– Seybsen, Commented May 2, 2012 at 18:33
Anyone have any solutions for Apache 2.2.x?

Keefer
– Keefer

2012-05-03 13:44:16 +00:00
Commented May 3, 2012 at 13:44 — Keefer
– Keefer, Commented May 3, 2012 at 13:44

j5Dev · Accepted Answer · 2012-05-14 13:36:14Z

93

For versions 2.2.X you can use the following...

AuthUserFile /var/www/mysite/.htpasswd
AuthName "Please Log In"
AuthType Basic
require valid-user
Order allow,deny
Allow from xxx.xxx.xxx.xxx
satisfy any

Obviously replace the path to your usersfile and the ip address which you would like to bypass the authentication.

Further explanation of the specifics, can be found at: http://httpd.apache.org/docs/2.2/howto/auth.html

edited May 14, 2012 at 13:36

answered May 14, 2012 at 13:29

j5Dev

2,04214 silver badges18 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

Seybsen · Accepted Answer · 2014-12-22 15:40:26Z

26

If you use apache >=2.4, it would be something like this:

<If "%{REMOTE_ADDR} != '127.0.0.1'">
  AuthType Basic
  AuthName "restricted area"
  AuthUserFile /path/to/.htpasswd
  require valid-user
</If>

For more info take a look at the docs.

edited Dec 22, 2014 at 15:40

answered May 2, 2012 at 18:41

Seybsen

15.6k4 gold badges45 silver badges76 bronze badges

3 Comments

Keefer Over a year ago

Unfortunately, looks like the server is running Apache 2.2.19

user4457363 Over a year ago

Works perfectly for me (Apache/2.4.10 (Debian)). Thanks !

mivk Over a year ago

You can also use network notation instead of literal addresses: <If "%{REMOTE_ADDR} -ipmatch '192.168.1.0/24'">

MrWhite · Accepted Answer · 2015-07-22 07:45:18Z

17

I am running Apache/2.2.16 (Debian), and had a similar problem, I solved it like this:

(This can be run in both an .htaccess file or directly in the virtualhost under <Location/>)

Order deny,allow
Deny from all
AuthType Basic
AuthUserFile /home/somesite/.htpasswd
AuthName "No entry, unless"
Require Valid-user
Allow from x.x.x.x
Allow from x.x.x.x
Satisfy Any

I allowed entry without password from two different ip, and the rest must enter password to enter.

edited Jul 22, 2015 at 7:45

MrWhite

46.4k9 gold badges67 silver badges90 bronze badges

answered Oct 1, 2013 at 3:16

Sverre

1,42814 silver badges22 bronze badges

2 Comments

chmac Over a year ago

Thanks a lot, I was trying this inside a <Directory block, which doesn't work, the <Location /> part helped me out a great deal.

Gurpreet Singh Over a year ago

works for 2.4 as well, thanks

DrDol · Accepted Answer · 2018-08-14 08:18:03Z

17

Apache 2.4 compatible:

AuthType Basic
AuthUserFile /www/.htpasswd
AuthName "Protected Area"

<RequireAny>
    Require ip 1.2.3.4
    Require valid-user
</RequireAny>

See the migration guide Upgrading to 2.4 from 2.2 for more examples.

answered Aug 14, 2018 at 8:18

DrDol

2,2502 gold badges19 silver badges25 bronze badges

1 Comment

Eric Over a year ago

This one works best for me in apache 2.4.x and is a life saver, given that I've a lot of IPs to Require (about 60 ip ranges) o its a way better syntax than the one from NicoMinsk with the if/elseIf/else

Nicolas Schubhan · Accepted Answer · 2018-01-25 15:28:32Z

7

If you use apache >=2.4, and you want to allow a set of IP, as asked in initial question, you can do it like this :

   <If "-R '192.168.0.0/24'">
            Require all granted
    </If>
    <ElseIf "-R '192.168.1.0/24'">
            Require all granted
    </ElseIf>
    <Else>
            AuthType Basic
            AuthName "restricted area"
            AuthUserFile /etc/apache2/.htpasswd
            require valid-user
    </Else>

answered Jan 25, 2018 at 15:28

Nicolas Schubhan

1,7666 gold badges28 silver badges53 bronze badges

Comments

hollodotme · Accepted Answer · 2013-03-12 13:38:44Z

2

In addition to the answer of j5Dev:

# Interne IP-Adressen
SetEnvIf Remote_Addr "^127\.0\.0\.1$" IsIntern
SetEnvIf Remote_Addr "^192\.168" IsIntern
# .. add more IP addresses or ranges here

# Authentication, wenn nicht intern
AuthUserFile /path/to/.htpasswd
AuthName "restricted area"
AuthType Basic
require valid-user
Order allow,deny
Allow from env=IsIntern
satisfy any

answered Mar 12, 2013 at 13:38

hollodotme

211 bronze badge

1 Comment

Charlie Schliesser Over a year ago

None of the answers on this page work for me with the "satisfy any" directive, which is probably pretty important :) Is there anything else that needs configuring? I am on Apache 2.2.22.

Collectives™ on Stack Overflow

.htaccess / .htpasswd bypass if at a certain IP address

6 Answers 6

Comments

3 Comments

2 Comments

1 Comment

Comments

1 Comment

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

6 Answers 6

Comments

3 Comments

2 Comments

1 Comment

Comments

1 Comment

Your Answer

Sign up or log in

Post as a guest

Linked

Related