.htaccess: Allow all connections from local network, but require login for external


NB: This is not a duplicate, as the flagged post deals with older versions of apache. I've tried the solutions in that thread, also the one supposed to work on later versions, without success.

There are several questions and answers that deal with parts of this, but I haven't found exactly this type of situation.

I have a web site which I want to be openly accessible from my network. But when accessing it via the external address forwarded in the router – I want .htaccess to require a login.

I know how to require password for all connections, and I have an idea about allowing/disallowing a specific address or IP. But I want ALL IPs that are not on the LAN to need a login/password.

Update: Apache2 version 2.2.22

Here's what happens when I try the solution from the answer that someone claims this is a duplicate of:

AuthName "Authenticate"
AuthType Basic
AuthUserFile "/home/frank/.htpassword"
Require valid-user
Order allow,deny
Allow from
Satisfy All

With the above .htaccess file, access through the external address is denied, period. No login prompt. From the specific local IP (.44), I get the login prompt.

AuthName "Authenticate"
AuthType Basic
AuthUserFile "/home/frank/.htpassword"
Require valid-user
Order allow,deny
Allow from
Satisfy All

With the above, both external and internal connections are prompted with login.

Trying to narrow the problem down:

This does not work: (both the external and LAN addresses are allowed)

Order Deny,Allow
Deny from all
Allow from

This works: (the external address gets access denied, while the LAN does not)

Order Deny,Allow
Deny from all
Allow from

Am I missing something fundamental here?

When I try this:

Order Deny,Allow
Deny from all

Everything is denied, both from the LAN and the external address.

However, when I try this:

Order Deny,Allow
Allow from

Everything is allowed, both from the LAN and the external address.

Is the problem in the way I'm trying to access from the external address? The nameserver of the domain "mydomain.no" points to the router. I have forwarded the domain "mydomain.no" in the router's virtual servers. Traffic on port 80 is routed to the server running the apache2 installation. What I want is all traffic coming via the address "mydomain.no" (and any other domains forwarded to the same server) to require a password. Traffic from inside the LAN should not require a password.

Best Answer

I'm assuming you are using Apache 2.4; for Apache 2.2 the syntax is different.

You can add multiple Require directives:

AuthName "Authenticate"
AuthType Basic
AuthUserFile "/var/www/html/.htpasswd"
<RequireAny>
   Require valid-user
   Require ip 10.0.0
</RequireAny>

Technically you don't even need the <RequireAny>, apache will use it implicitly when it is not there, but I find it is easier to read that way.

The equivalent for apache 2.2:

AuthName "Authenticate"
AuthType Basic
AuthUserFile "/var/www/html/.htpasswd"
Require valid-user
Order allow,deny
Allow from 10.0.0
Satisfy any
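
The difference between `Satisfy All` in the question and `Satisfy any` in the answer can be checked with a small model of how Apache 2.2 combines the host check (`Order`/`Allow`/`Deny`) with the login check. This is an added example, not code from the question or the answer; the function names, the dictionary layout and the sample client addresses are assumptions made for illustration, and the model handles IPv4 only.

```python
import ipaddress

def _matches(spec, client):
    """True if an Allow/Deny 'from' value covers the client address (IPv4)."""
    if spec == "all":
        return True
    if "/" in spec:                        # CIDR form, e.g. 10.0.0.0/24
        return client in ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")   # partial form, e.g. 10.0.0
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return client in ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def host_allowed(cfg, client):
    """Order/Allow/Deny as Apache 2.2 documents it."""
    allowed = any(_matches(s, client) for s in cfg["allow"])
    denied = any(_matches(s, client) for s in cfg["deny"])
    if cfg["order"] == "allow,deny":       # default deny, Deny overrides Allow
        return allowed and not denied
    if cfg["order"] == "deny,allow":       # default allow, Allow overrides Deny
        return allowed or not denied
    raise ValueError(f"unknown Order: {cfg['order']}")

def decide(cfg, client_ip, valid_login=False):
    """HTTP status for a request from client_ip, the address Apache sees."""
    host_ok = host_allowed(cfg, ipaddress.ip_address(client_ip))
    if cfg["satisfy"] == "any":            # host check OR login is enough
        return 200 if (host_ok or valid_login) else 401
    if not host_ok:                        # Satisfy All: host check AND login
        return 403                         # refused before any login prompt
    return 200 if valid_login else 401

# The answer's 2.2 block, and the same block with Satisfy All as in the question.
SATISFY_ANY = {"order": "allow,deny", "allow": ["10.0.0"], "deny": [], "satisfy": "any"}
SATISFY_ALL = dict(SATISFY_ANY, satisfy="all")

if __name__ == "__main__":
    # Constructed sample clients: one LAN address, one documentation-range address.
    for name, cfg in (("any", SATISFY_ANY), ("all", SATISFY_ALL)):
        for ip in ("10.0.0.44", "203.0.113.7"):
            print(f"Satisfy {name:3} {ip:12} no login -> {decide(cfg, ip)}")
```

With `Satisfy All` the non-LAN client gets 403 and the LAN client gets 401, which matches what the question reports; with `Satisfy any` the LAN client gets 200 and the non-LAN client gets the 401 login prompt.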