Newbie-using IPs in .htaccess files to filter users to different subdirectories

Hello.
My company publishes journals and we provide on-line content (.pdfs) to our subscribers. We determine who has access by putting their IP address/range in the .htaccess file. The file is in the directory which contains the various other directories pertaining to each issue (012001 for Jan, 022001 for Feb, 032001 for March..). So far so good. No problem.
In a month however, I will need to do something to block access to 2002 issues for people who haven't renewed their subscription and block access to 2001 issues for new subscribers. All the issues need to be available to those who subscribed to both years. For various reasons I'd like to keep all the issue directories from both years in the same directory that has the .htaccess file in it.
I'm almost finished....
What can I do to the .htaccess file to determine which directories are accessable to some IPs but not others. Some IPs need to be able to access all. Keep in mind, I'm very new at server-side issues. Please speak slowly.

Much thanks and respect,
Nitz

Start here -> http://forums.devshed.com/showthrea...5860&forumid=15

Hint, the deepest .htaccess wins.

freebsd,
Could you please be more specific? I think that the person in the thread you refered me to, wants to do something a little different than what I'm attempting. He wants one directory in a group to be unprotected while the others stay protected.
I want some users to be able to access some files in a directory, other users to be able to access other files, and some users to be able to access all.
I'm sorry if I wasn't clear.
or
Maybe I was clear but don't understand the semantics and nomenclature for this discussion.
That is entirely possible

Nitz

>> wants to do something a little different than what I'm attempting

Yes, a little different, but the idea is the same.

>> He wants one directory in a group to be unprotected while the others stay protected

Not quite.

simovsky: "My document root is c:/pages/ I have dir01, dir02 and dir03 inside c:/pages/.
I want to protect dir02, dir03, and c:/pages/, and I want to leave dir01 unprotected."

me:
<Directory "c:/pages">
AuthType Basic
AuthName "Private Area"
AuthUserFile c:/path/to/.htpasswd
Require valid-user
</Directory>
<Directory "c:/pages/dir1">
Allow from all
Satisfy any
</Directory>

In his case, http://domain.com/ requires authentication only. /dir02 and /dir03 too require authentication. But the Satisfy any makes it an exemption when visitors are coming from all (REMOTE_HOST or REMOTE_ADDR). If his Allow from all is written as Allow from 12.34.56.0/24, then those people don't require authentication because their REMOTE_ADDR satisfies ONE of the TWO access restrictions, the host restriction.

http://httpd.apache.org/docs/mod/core.html#satisfy

Similarily, in your case you can set your parent journal directory like so:

<Directory "/path/to/docroot/journals">
AuthType Basic
AuthName "Private Jorunals"
AuthUserFile /path/to/non/docroot/.htpasswd
Require valid-user
</Directory>

Then for past journals at "/path/to/docroot/journals/2000" is open to all subscribers who have an account
# The following <Directory> can be omitted because it's inherited from its parent dir.
#<Directory "/path/to/docroot/journals/2000">
#Allow from all
#Satisfy all
#</Directory>

For current journals: (people who have an account as well as coming from ip ranges below)
<Directory "/path/to/docroot/jorurnals/2001">
Allow from 1.2.3.4/32 5.6.7.8/32 12.34.56.0/24 56.34.12.0/24
Satisfy all
</Directory>

For future journals: (people coming from 12.34.56.0/24 range with an account)
<Directory "/path/to/docroot/journals/2002">
Allow from 12.34.56.0/24
Satisfy all
</Directory>

In this case, people with an account coming from 12.34.56.0/24 can access ALL journals. For those who are coming from 1.2.3.4/32 and the other ip ranges (except 12.34.56.0/24) can only access to 2000 and 2001. For new subscribers, of course, are limited to 2000.

freebsd,
Thanks for your detailed explanation. I haven't had a chance to try it out yet. Is what you told me to do still applicable to the httpd.conf file or to the .htaccess file? I unfortunately do not have access to the httpd.conf file from our hosting service. If this changes things please let me know. Until then I'm going to give a couple trys and see what I get.

Thanks
Nitz

>> Is what you told me to do still applicable to the httpd.conf file or to the .htaccess file?

To both. Just put what's within <Directory></Directory> to .htaccess.

freebsd,
I'm having some problems here. I keep recieving an Error 500. I'm sure that my syntax somewhere is completely whack. I'm unsure about the syntax on how to tell the server where one group of IPs for one directory starts and ends and where the next starts over. The apache book I got is rather vague about these details .
This .htaccess file is stored in the directory /crtest along with the directories 2000, 2001 and 2002.
here is what I have written in my .htaccess file:

AuthType Basic
AuthName "Access for /htdocs/articles/crtest"
/htdocs/articles/crtest/2000
allow from 62.158.53.159
deny from all
/htdocs/articles/crtest/2001
allow from 12.34.56.78
deny from all
/htdocs/articles/crtest/2002
allow from 12.34.56.78
deny from all


Nitz

>> here is what I have written in my .htaccess file:

You need 4 different .htaccess files. Your parent .htaccess also have several lines missing: Require and AuthUserFile. For the other 3 .htaccess, you need Satisfy all.

As I said in my previous post, you need to put exact lines within <Directory> to the appropriate .htaccess file.

Freebsd,
Thanks for all of your help. The tests I've done work great. We have yet to put an issue on-line in 2002 but that will be the real test. I'll have to see how much e-mail I get from subscribers that can't view the pages in order to make sure it is sailing along.

Is it koscher to protect a directory with an .htaccess file and then protect another directory within that first directory with another .htaccess file? Could it be too much load on the server?

thanks again,
Nate

That's the idea behind the .htaccess file.
As freebsd pointed out already, the last .htaccess file wins.

So you can put a basic .htaccess in the root, and a more restricting one in the first sub dir, etc.. It is appropriate to do it that way..

Cya,
Iwan

Thanks. Thats what I figured but I'm having a problem getting it to work. I keep getting the error 500.
I have one directory "CR". In that directory is another called "2002". I get the server error when I try to view the files in "2002". I can view the files no problem in CR. When I remove the .htaccess file from the 2002 directory I can view and load the files so I'm almost certain that the problem lies therein. Am I correct in thinking that only one line has to change, or do I need to switch some things around? Could the problem be with the password file path?

htaccess for /cr is:


htaccess for cr/2002 is:

Remove all Deny from ... and order ... lines. Read my original post again, I didn't put any of those.

Sorry.
(those lines were present in the .htaccess file that was working when I arrived at this job) I actually already took those lines out but it still doesn't work. The files were working fine when I tested them a few weeks ago. This problem started when I tried to put another .htaccess one directory down.

My files now look like:

The parent dir:

The subdirectory


Sorry to keep buggin ya if I'm buggin ya

Combine the 3 Allow lines into one like so:

Allow from 12.34.56.78 123.45.67.89 xxx.xxx.xxx.xxx

Thanks!!!!
I got it working.