Apache authentication except localhost

Question

I need to apply HTTP auth just in public use of website, but I don\'t apply it on my localhost. This is the .htaccess that I think should work. But it doesn\'t work

Answer 1

In Apache 2.4, allow, deny and satisfy are not used anymore, IP address restriction is also done with require now:

AuthUserFile /path/to/.htpasswd
AuthName "Restricted Access"
AuthType Basic
Require ip 127.0.0.1
Require valid-user

If any of the "Require" directives are fulfilled, the request is allowed. If you want to require both, group them in a <RequireAll> block.

For restriction to local access you can use the special syntax Require local instead of Require ip 127.0.0.1

Read more: http://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require

Answer 2

You need to look at the order and satisfy keywords. Working example from my website is below. First we tell that we accept either the IP or USER. Then we define htpasswd file path and that we accept any valid user from that file. Finally we define which client IP addresses can access our web without auth (we deny all other IPs, so that they must auth via htpasswd).

# permit by USER || IP
Satisfy any
# USER
AuthUserFile /var/www/munin/.htpasswd
AuthGroupFile /dev/null
AuthName "Password Protected Area"
AuthType Basic
require valid-user
# IP
order deny,allow
deny from all
allow from 11.22.33.