#1
Hi, I am trying to authenticate with a username database but I also want to allow users from certain domains access with authentication.
I can do one or the other but I can not figure out both. Here is what I have so far.

    AuthUserFile /www/cgi-bin/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Member's Area"
    AuthType Basic
    require valid-user
    <Limit GET PUT>
    order allow,deny
    deny from all
    allow from website.com
    satisfy any
    </Limit>

Thanks, Mark

#2
>>I can do one or the other but I can not figure out both
Because it's impossible with mod_access. Though, it might be possible with the addition of mod_rewrite. For example:

1) Setting 1st RewriteCond to check for HTTP_REFERER, if it's within your protected dir AND another_dir JUST for "allow host" authentication, then [L] it.
2) 2nd RewriteCond: RewriteCond %{REMOTE_HOST} ^website.com$
3) Set the RewriteRule to redirect to the /another_dir just for the allow host authentication.

If you apply the above logic, a visitor who comes from website.com and accesses your private directory will be redirected to http://www.yourdomain.com/another_dir for authentication. Next, set an index.cgi or index.php to redirect this visitor to http://www.yourdomain.com/private; this way, the HTTP_REFERER for such a visitor matches the 1st RewriteCond, so he won't get authentication again. This only occurs the first time, when he is being redirected from /another_dir to /private; once he is in /private, his HTTP_REFERER also matches the 1st RewriteCond and he is allowed in.

Note, http://www.yourdomain.com/another_dir is also a protected directory, so visitors not coming from website.com won't be able to log in.

I haven't tested this so it may or may not work, but it's the logic I can come up with at this moment.

Anyway, visitors coming from website.com SHOULD BE ALLOWED IN WITHOUT AUTHENTICATION according to the "satisfy" directive. If you insist on authenticating them, WHY NOT create a user/pass for them and drop the "allow from" line and "satisfy" line, if you really know what they are for. Or at least require them to sign up for a username from website.com to get in to your /private.

[This message has been edited by freebsd (edited October 02, 2000).]

#3
I am pretty new to the Unix world so this makes some sense but not very much. I am still learning. Is there any way to explain this in easier terms?
Thanks, Mark

#4
>>explain this in easier terms
Your lines:

    allow from website.com
    satisfy any

By all means is to Allow in (from website.com) without authentication. Read here -> http://www.apache.org/docs/mod/core.html#satisfy

Visitors coming from website.com should bypass the login prompt. If they are also required to authenticate, give them a user/pass.

#5
Hi, so is this what I should have? I tried it and it lets everyone in.

    AuthUserFile /www//cgi-bin/globill/passwd
    AuthGroupFile /dev/null
    AuthName "Member's Area"
    AuthType Basic
    require valid-user
    <Limit GET PUT>
    allow from website.com
    satisfy any
    </Limit>

#6
>>AuthUserFile /www//cgi-bin/globill/passwd
You should place passwd above your docroot. If you don't have permission to do so, you then need to add the following to your .htaccess:

    <FilesMatch "^passwd$">
    Order deny,allow
    Deny from all
    </FilesMatch>

You also don't need the <Limit> block.

#7
Someone said what I want is not possible unless I make 2 separate directories. I really need this to work. I really have no idea what I am doing. Is this right? I tried it and it lets everybody in.

    # Access file
    #(makes file invisible)
    <FilesMatch "^passwd$">
    Order deny,allow
    allow from website.com
    </FilesMatch>
    AuthUserFile /www/cgi-bin/globill/passwd
    AuthGroupFile /dev/null
    AuthName "Member's Area"
    AuthType Basic

#8
>>Someone said what I want is not possible unless I make 2 separate directories
Exactly as I mentioned, the /another_dir is to authenticate users from website.com and redirect back to /private along with the HTTP_REFERER that matches the 1st RewriteCond to bypass the login prompt in /private.

>><FilesMatch "^passwd$">
>>Order deny,allow
>>allow from website.com
>></FilesMatch>
Don't put "allow from website.com". Why do you want visitors from website.com to be able to READ your "passwd" file anyway? Putting Deny from all prevents people from viewing your passwd file from browsers; it doesn't mean your passwd file will not get read by Apache.

#9
Hi, I don't want people to read the password file. I just want certain sites to have access to the members area without authentication. website.com was just an example. What should I do?

#10
Regarding the passwd file, as I said, do this:

    <FilesMatch "^passwd$">
    Order deny,allow
    Deny from all
    </FilesMatch>

Don't try to invent something on your own. Put this .htaccess in http://yourdomain.com/.htaccess

    #http://yourdomain.com/protect/.htaccess
    AuthUserFile /www/path_other_than_cgi-bin/passwd
    AuthGroupFile /dev/null
    AuthName "Member's Area"
    AuthType Basic
    Allow from website.com
    Satisfy any

#11
Ok, I created 2 files. This one:

    <FilesMatch "^passwd$">
    Order deny,allow
    Deny from all
    </FilesMatch>

and this one:

    #http://yourdomain.com/protect/.htaccess
    AuthUserFile /www/path_other_than_cgi-bin/passwd
    AuthGroupFile /dev/null
    AuthName "Member's Area"
    AuthType Basic
    Allow from website.com
    Satisfy any

I uploaded the 1st one to the members area and the second one to http://yourdomain.com/members/ and made sure the path was not to a cgi-bin. It seems to let everyone in, did I do this right? Thanks so much for helping.

#12
Are you sure your server has .htaccess enabled? To verify this, simply remove the bottom two lines:

    Allow from website.com
    Satisfy any

If it doesn't show a login prompt, too bad, htaccess not enabled at all. Also, for the line -> Allow from website.com, it's better to put the IP address of website.com or at least put a dot in before website.com, as .website.com

#13
Hi, I know htaccess is active because I can make the login box appear. I did try to erase those 2 lines but it did not pop up any login box. But I am sure htaccess is working. I also put a dot in front of the website like this: .website.com. What else should I try?
Thanks, Mark

#14
>>I did try to erase those 2 lines but it did not pop-up any login box
Make sure there were NO CONSECUTIVE TRIES. Once you logged in, on 2nd try, you need to close and relaunch your browser.

#15
Hi I did close all my browser windows and tried it several times and never got a login box. I tried it in Netscape and Explorer.
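
The behaviour the thread is after (listed hosts get in without a password, everyone else gets the Basic login prompt) needs a `Require` line and a `Deny from all` line alongside `Satisfy any`. The following is an added example in the thread's mod_access/mod_auth syntax, not a configuration posted by any participant; the path and `.website.com` are the thread's placeholders, and the commented Apache 2.4 form at the end goes beyond what the thread covers.

```apache
# /private/.htaccess
# The server config must permit these overrides for this directory:
#   AllowOverride AuthConfig Limit

# --- Lets everyone in ------------------------------------------------
# With no Require line there is no authentication requirement, and with
# no Deny line the host check defaults to "allow", so Satisfy any has
# nothing left to enforce and no login prompt ever appears.
#
#   AuthUserFile /www/path_other_than_cgi-bin/passwd
#   AuthName "Member's Area"
#   AuthType Basic
#   Allow from website.com
#   Satisfy any

# --- Password OR allowed host ----------------------------------------
# 1) User requirement: any valid user from the password file.
AuthType Basic
AuthName "Member's Area"
AuthUserFile /www/path_other_than_cgi-bin/passwd
AuthGroupFile /dev/null
Require valid-user

# 2) Host requirement: deny by default, then allow the listed domain.
#    No <Limit> wrapper, so the rules apply to every HTTP method.
Order deny,allow
Deny from all
Allow from .website.com

# 3) Passing EITHER requirement is enough. "Satisfy all" (the default)
#    would demand both an allowed host and a valid login.
Satisfy any

# --- Apache 2.4 equivalent (mod_authz_core / mod_authz_host) ---------
# <RequireAny>
#     Require host website.com
#     Require valid-user
# </RequireAny>
```

`Allow from` with a name is matched against the connecting client's reverse-DNS hostname, confirmed with a forward lookup, not against the site the visitor came from. The `Referer` header is supplied by the client, so it cannot serve as an access check.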
| Viewing: Dev Shed Forums > System Administration > Security and Cryptography > Basic Autheniction & Allow Access |