Apache 2.4 – Limit Access to Website with Specific Header

apache-2.4

I only want to make my website accessible if a certain header (auth-token) with a certain value (test) is transmitted. For this I have already created a .htaccess file and added the code below to it.

The problem is that the website can no longer be reached at all, even if the corresponding header is given. It always says that I have no permission to access this server.

Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"

RewriteEngine on
RewriteCond %{HTTP:auth-token} ^test$
RewriteRule .? - [E=headerok]

Order allow,deny
Deny from all
Allow from env=headerok

This is what the Chrome Developer Console shows:

Chrome Developer Console Headers

I know that this kind of protection is not really secure, but for my purposes this is sufficient.

Can someone please help me with this problem?

Best Answer

If you're using Apache 2.4, you should consider using the new (Require) access control methods instead of the 2.0/2.2 (Allow/Deny) methods. 2.4 provides a backwards compatibility module for now, but I expect that to go away at some point.

The Apache 2.4 access control documentation suggests that you should be able to accomplish this with:

<If "%{HTTP:auth-token} in { 'test' }">
    Require all granted
</If>
<Else>
    Require all denied
</Else>

There's also an example on that page using mod_rewrite which is more similar to the approach in the question, but:

The <If> directive, added in 2.4, replaces many things that mod_rewrite has traditionally been used to do, and you should probably look there first before resorting to mod_rewrite.
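
Why the rules in the question reject every request, shown as an added Python model of the `Order`/`Allow`/`Deny` evaluation (not code from the question, the answer or Apache itself). It handles only the `all` and `env=VAR` forms and assumes the `headerok` variable is already set when access is checked; `request_env` and `DENY_ALLOW_RULES` are constructed for illustration.

```python
"""Model of Apache's Order/Allow/Deny evaluation (2.2 style, mod_access_compat).
Added illustration: handles only 'all' and 'env=VAR' match specs."""

# The access rules from the question.
QUESTION_RULES = """
Order allow,deny
Deny from all
Allow from env=headerok
"""
# Constructed variant: identical rules, opposite evaluation order.
DENY_ALLOW_RULES = QUESTION_RULES.replace("allow,deny", "deny,allow")

def parse_rules(config):
    """Return (order, allow_specs, deny_specs) from Order/Allow/Deny lines."""
    order, allow, deny = "deny,allow", [], []  # Apache's default is Deny,Allow
    for words in (line.split() for line in config.splitlines()):
        if not words:
            continue
        name = words[0].lower()
        if name == "order":
            order = "".join(words[1:]).lower()
        elif name in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if name == "allow" else deny).extend(words[2:])
    return order, allow, deny

def matches(specs, env):
    """A spec matches if it is 'all' or names an environment variable that is set."""
    return any(s.lower() == "all" or (s.startswith("env=") and s[4:] in env)
               for s in specs)

def access_granted(config, env):
    order, allow, deny = parse_rules(config)
    allowed, denied = matches(allow, env), matches(deny, env)
    if order == "allow,deny":
        return allowed and not denied   # Deny is checked last and wins
    if order == "deny,allow":
        return allowed or not denied    # Allow is checked last and wins
    raise ValueError(f"unsupported Order: {order}")

def request_env(headers):
    """Hypothetical helper: the env a header check would produce for a request.
    Assumes the variable is set before the access check runs."""
    return {"headerok": ""} if headers.get("auth-token") == "test" else {}

if __name__ == "__main__":
    for rules in (QUESTION_RULES, DENY_ALLOW_RULES):
        for headers in ({"auth-token": "test"}, {}):
            verdict = "granted" if access_granted(rules, request_env(headers)) else "403"
            print(parse_rules(rules)[0], headers, verdict)
```

Under `Order allow,deny` the `Deny from all` line is evaluated after the `Allow` line, so it rejects the request whether or not the token matched.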
