Category Archives: basic-authentication

POST params stripped .htaccess basic auth

I'm basically trying to send an AJAX-Add-to-Cart-POST-Request by WooCommerce WordPress Plugin. The Plugin does so by sending form-data to a URL that already contains a GET param:

jQuery.post('/?wc-ajax=add_to_cart', { product_id: '123', quantity: 1 }, function(response) {...});

This works fine locally, but on the staging server, which is secured by basic htaccess auth:

AuthName "Staging"
AuthUserFile /path/to/.htpasswd
AuthType Basic
Require valid-user

the POST params are completely stripped from the request, means when I remove the above or "whitelist" my IP like so:

Order allow,deny
Allow from 1.2.3.4
Satisfy Any

everything works fine.

Is there something I'm missing? I could not find any documentation why this behaves the way it does.

The site runs on an apache 2.4 server with php 7.1.17, OS is Debian 8.10.

Forcing https using modrewrite in apache conf losing basic authentication credentials

I'm trying to force https with a system that uses basic authentication in the URL but when I add the following lines to the apache configuration files:

ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R]

the results are 302 errors.

If someone types as the URL: http://username:[email protected]/api_name.php Based on the access log, I think the redirect is going to: https:example.com/api_name.php

What I want is it to redirect to: https://username:[email protected]/api_name.php

But I also want: http://example.com/api_name.php to correctly redirect to: https://example.com/api_name.php and not: http://:@example.com/api_name.php

URL's without credentials contained within the string are working fine and redirect correctly.

How would I make this work?

Basic Auth on Apache Forward Proxy

Website X is a public site that can be accessed only via Basic Authentication. Once I browse to it, I'll be prompted with a dialog box where I need to type in my username and password to authorize myself and access the website. With that said, I'm looking into setting up a forward proxy using Apache to do the Basic-Auth automatically, so I don't get prompted each time I access the site.

I've configured a forward proxy using Apache 2.4, and it seems to work fine as a forward proxy, as I could access HTTP and HTTPS websites through it. However, the Basic-Auth I'm trying to do on the X website, doesn't work. I still get the dialog box each time I navigate to the site.

In the "httpd.conf", I tried multiple configurations, one example is:

AuthType Basic
AuthName "Restricted Site"
# (Following line optional)
AuthBasicProvider file
AuthUserFile password.file
Require valid-user

Mentioning that the password.file contains my username and password as a result of executing the command line:

htpasswd -c password.file MyUser

The Apache starts successfully without throwing any errors.

IMHO, what I'm trying to do sounds technically possible. However, after several hours of trial and error, it doesn't seem as easy as I thought it would be. Suggestions?

Apache24 authn_dbd

I am doing the basic authentication via the Apache authn_dbd but I can not proceed further. I always gets the Password Missmatch.

It was working on AP22 with the deprecated auth_mysql module but now i had to switch to authn_dbd.

The auth_mysql got something like AuthMySQLPwEncryption and it was working like a charm but the authn_dbd does not somethink like that there.

Could someone please advice what to do now ?

What I am doing bad ?

Thanks.

How to sync htpasswd apache basic session across multiple server? [on hold]

I have php pages those are pulling data from MySQL and displaying on ui. I have multiple servers behind load balancer, all servers has same php code and all connects to only one SQL database. I want to secure php pages using basic auth. I have implemented htpasswd in all servers. But problem is user is prompt for username and password on every click because load balancer will be redirecting the request to different servers.

Questions 1. How to sync the htpasswd session for multiple servers? If possible. 2. Any other solution for basic auth?

Apache basic auth plus rewrite: separate mobiles and add QUERY_STRING for others

Can't get this to work correctly:

I want mobile users of a website to be directed to another page without being asked for authentification. Other users should be forced to give their username (and password) to be able to pass the username to the website, which is accessible as "http://example.com/content/"

Apache is V2.2 and i only have access to the ".htaccess"-file, no access to the config- or error.log-files.

This is my current .htaccess:

RewriteEngine On

RewriteCond %{REMOTE_USER} =""
RewriteCond %{HTTP_USER_AGENT} 'android|blackberry|googlebot-mobile|iemobile|ipad|iphone|ipod|opera mobile|palmos|webos' [NC]
RewriteRule "^$" http://example.com/nomobiles/index.html [R=302,NC,L,END]

RewriteCond %{QUERY_STRING} !user=
RewriteRule "^$" http://example.com/content/?user=%{REMOTE_USER} [QSA,NC]

<FilesMatch ".">
AuthType Basic
Auth Name 'access to example.com'
AuthUserFile /path/to/userlist
Require valid-user
</FilesMatch>

Separation of mobile users works as expected, and authentication is enforced for others, but when the authentication settings are included in a "FilesMatch"-section the REMOTE_USER-variable is alway empty. Without the surrounding "FilesMatch"-lines authentication is also required for mobile users.

Any solution for this?

.htaccess – Run PHP file before authentication

I'd like to generate a password for authentication with .htaccess with PHP dynamically. The PHP file contains the algorithm to generate the password and writes this password into a .htpasswd file. So: Is it possible to let the .htaccess file run this script when the directory is browsed before the authentication box is displayed (so the password is generated instantly before authentication)?

Using database to store Basic Auth credentials

Im trying to set up basic authentication on my website but instead of using a .htpasswd file to store credentials im trying to use a database using mod_authn_dbd - i have followed this guide: https://blog.froese.org/2014/06/13/authn-dbd-mysql-ubuntu-trusty/

But having some issues with the connection to the database. So i have my lamp stack(using ScotchBox) set up with a table called users to store the credentials.

My conf file looks like so:

DBDriver mysql
DBDParams "host=127.0.0.1,user=vagrant,pass=PASSWORD"
DBDMin  2
DBDKeep 4
DBDMax  10
DBDExptime 300

My vhost looks like:

DBDParams "dbname=scotchbox"

<Directory /var/www/public/web/>
    AuthName "You Must Login"
    AuthType Basic
    AuthBasicProvider dbd
    AuthDBDUserPWQuery "SELECT password FROM users WHERE username = %s"
    Require valid-user
</Directory>

The Auth pop comes up and i enter details which i have in the DB but then i get redirected to a Server Error 500: The error in the logs is:

[Thu Jul 07 11:59:21.675628 2016] [dbd:error] [pid 2183] (20014)Internal error: AH00629: Can't connect to mysql: Access denied for user 'vagrant'@'localhost' (using password: NO)
[Thu Jul 07 11:59:21.675685 2016] [dbd:error] [pid 2183] (20014)Internal error: AH00633: failed to initialise
[Thu Jul 07 11:59:21.675709 2016] [authn_dbd:error] [pid 2183] [client 192.168.33.1:62383] AH01653: Failed to acquire database connection to look up user 'tom', referer: https://toran.modulemarket.dev/

So apparently the system can't connect to the DB, but im not sure why?! I can log in using the same mysql user vagrant/password and ive tried the root user, but to no avail.

Anyone know why I might not be able to connect to the database via DPD after following the guide above?

Thanks

htaccess exclude multiple url from Basic Auth

Hi i need to protect my app during the testing phase.

I read this post about excluding one url from Basic Auth

But i'd like to exclude 2 urls :

/api/*

/oauth/v2/token

So the entire app will be protected except for those two urls, that will be public. Otherwise i can't access my api routes.

My .htaccess for now is :

# Protect the app with password
AuthUserFile /home/master/public_html/web/.htpasswd
AuthName "Protected"
AuthType Basic
Require valid-user

So i'm guessing i should need some sort or regex in :

SetEnvIf Request_URI ^/api/ noauth=1

How can i have like a OR condition?