
Password protecting .htaccess based on {HTTP_HOST}
orchardhosting 05-14-2009, 07:05 AM Hi,
We have several sites that run from the same folder using the same code (it's basically a CMS system). We point the domain at this account, and the .htaccess rules will retrieve the correct site files for that domain.
I'd like to restrict some of the sites via password protection in .htaccess, but I can't find a way of doing it based on the domain / http_host.
I.e., if we have two domains, MySite.com and MyPasswordProtectedSite.com (which both point to the same folder on the server), I'd like an .htaccess password box to pop up only when the http_host is MyPasswordProtectedSite.com
I've been looking at trying to do it with conditional statements in .htaccess but I'm getting nowhere.
Any ideas?
Xeentech 05-14-2009, 03:40 PM You could use the environment variable setting capabilities of RewriteRule to detect the HTTP host and set an environment variable.
Then just do an <IfDefined> block later.
xphoid 05-14-2009, 03:44 PM
SetEnvIfNoCase Host mysite\.com nopassreq
AuthType Basic
AuthName testing
AuthUserFile .htpasswd
Require valid-user
Order allow,deny
Allow from env=nopassreq
Satisfy any
That should work. You could probably reverse the allow/deny logic to only password one host as well.
orchardhosting 05-15-2009, 05:00 AM Thanks guys. This is a great help, I'll let you know how I get on.
Cheers,
Tom
orchardhosting 05-15-2009, 07:24 AM Thanks guys, worked a treat. :)
And I learnt something very useful.
TrueHacker 05-15-2009, 03:30 PM Yes. Thanks. I was able to implement this as well.
orchardhosting 05-18-2009, 12:50 PM Hi again,
I've run into another problem with this setup, how can I have multiple AuthUser files based on the domain:
Currently have the following code:
# PASSWORD PROTECT BY HOST
setenvIfNoCase Host site1\.domains\.com passreq1
AuthType Basic
AuthName "Site 1 Login"
AuthUserFile "/home/ppd/.htpasswds/site1.pwd"
Require valid-user
Order allow,deny
Allow from all
Deny from env=passreq1
Satisfy any
# PASSWORD PROTECT BY HOST
setenvIfNoCase Host site2\.domain\.com passreq2
AuthType Basic
AuthName "Site 2 Login"
AuthUserFile "/home/ppd/.htpasswds/site2.pwd"
Require valid-user
Order allow,deny
Allow from all
Deny from env=passreq2
Satisfy any
But AuthName, AuthUserFile is always the last instance in the .htaccess file, is there any way around this?
orchardhosting 05-21-2009, 06:37 AM Sorry to bump, but desperate for a solution and having no success? Any ideas at all welcome!
Tom
foobic 05-21-2009, 08:34 AM Tricky. I have two ideas, but I suspect you won't like either. ;)
1) Use a single AuthUserFile and enforce usernames in the form site1.fred, site2.joe etc.
2) Put each site in a separate directory with its own .htaccess (or preferably give each one its own vhost with a separate document_root). Then to avoid duplicating all the files, symlink your cms directory in each one.
orchardhosting 05-27-2009, 04:04 AM Thanks Foobic, I'll give it a go, but you're right, I don't like either. :P
I don't think 2) is possible as they have to run from the same index.php file and therefore directory?
foobic 05-27-2009, 04:13 AM Hey, we can't always get what we want. :stickout:
I guess with (2) the question is why must they all run from the same directory? If it's just to reduce disk space and simplify updates then symlinking duplicate directories might give you the same benefits.
Alternative thought about (1): fred@site1, joe@site2 etc, as used in many other similar situations for virtual users.
orchardhosting 06-02-2009, 09:56 AM Hi foobic,
Thanks for your continuing efforts.
2) isn't a possible solution as the system works from a central index.php file and a monster .htaccess that goes off and fetches different images and css files depending on site names etc.
Also, I'd get killed if I tried to change that system.
I'm still a little confused about 1) - you mention using different usernames based on the domain - which I understand, but how could you stop a username and password from one domain working on another site?
foobic 06-02-2009, 10:15 AM Good question. :wallbash: I guess you could add a simple check in your CMS to verify that the domain part of REMOTE_USER matches HTTP_HOST. Begs the question though: Why don't you just let the CMS handle all this authentication? (as most of them do already)
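Added example (not part of the original thread): one way to write the check foobic describes, as PHP run at the top of the CMS's index.php. It assumes a single shared AuthUserFile whose usernames carry the full host name (e.g. fred@site1.domains.com); the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumption: htpasswd usernames
// look like "user@host", e.g. "fred@site1.domains.com".

/** Lower-case a Host header value and drop any ":port" and trailing dot. */
function normalize_host(string $host): string
{
    $host = strtolower(trim($host));
    $host = preg_replace('/:\d+$/', '', $host);   // "site1.domains.com:443"
    return rtrim($host, '.');                      // "site1.domains.com."
}

/** True only when the authenticated user belongs to the requested host. */
function user_matches_host(?string $remoteUser, ?string $httpHost): bool
{
    if ($remoteUser === null || $remoteUser === '' || $httpHost === null) {
        return false;                              // nothing to compare: fail closed
    }
    $at = strrpos($remoteUser, '@');               // split on the last "@"
    if ($at === false || $at === 0) {
        return false;                              // no domain part, or no user part
    }
    $domain = normalize_host(substr($remoteUser, $at + 1));
    $host   = normalize_host($httpHost);
    return $domain !== '' && $domain === $host;    // exact match, never a substring
}

/** Reject a login that Apache accepted but that belongs to another site. */
function enforce_site_login(array $server): void
{
    $user = $server['REMOTE_USER'] ?? '';
    if ($user === '') {
        return;    // Apache did not authenticate, so this host is not protected
    }
    if (!user_matches_host($user, $server['HTTP_HOST'] ?? null)) {
        http_response_code(403);
        exit('This login is not valid for this site.');
    }
}

enforce_site_login($_SERVER);   // call before the CMS serves any content
```

The comparison is exact after normalisation, so fred@site1.domains.com is refused on site2.domain.com even though both accounts live in the same password file.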