.htaccess and in order to password protect multisite sub-sites

By ovlaere on 23 Jan 2010 at 13:07 UTC

Hi all,

we have a multisite installation running at http://dev.mydomain.com which hosts different projects in development such as http://dev.mydomain.com/project1, http://dev.mydomain.com/project2 etc...

I wanted to password protect via .htaccess this development section, which is rather easy to do by adding

AuthUserFile <somefile>
AuthGroupFile <somegroup>
AuthName "Development"
AuthType Basic
require user admin

to the .htaccess file. So far so good. This admin user will be able to access all files within the dev.mydomain.com domain, which is good as this user normally is the developer.

The idea is now that owners of the projects we are developing for can access their specific projects (and ONLY those), e.g. http://dev.mydomain.com/project1. As this is a multisite installation, we are working on the same .htaccess file (in the base install dir), so i cannot simply repeat the step above editing the .htaccess file and adding another user.

So while editing the .htaccess file of the multisite base install, i wanted some kind of the following:

<Directory />
AuthUserFile <somefile>
AuthGroupFile <somegroup>
AuthName "Development"
AuthType Basic
require user admin
</Directory>

<Directory /project1>
AuthUserFile <somefile>
AuthGroupFile <somegroup>
AuthName "Development"
AuthType Basic
require user admin
require user project1_owner
</Directory>

<Directory /project2>
AuthUserFile <somefile>
AuthGroupFile <somegroup>
AuthName "Development"
AuthType Basic
require user admin
require user project2_owner
</Directory>

But, as soon as one adds a <Directory> directive to the .htaccess file, you get an Internal server error. As far as i read, you cannot nest Directory directives. In the .htaccess file i am not doing this, but is there a reason this error occurs? Is this file used as an extension/import/include in some Apache config (which i cannot edit, this is the hosting provider's thingie) which results in nesting of these statements?

I then thought of using Location directives, as the /project1 and /project2, ... subdirs are no real directories but symbolic links to the same root install for the multisite, but adding a <Location> directive in the .htaccess also resulted in an Interal server error.

What am i missing here? Thanks in advance for any replies. I searched Google and the forums for similar things but found no relevant results (.htaccess and directory almost never return anything to do with <Directory>... :-/) I also found lots of references to the rewriterules and rewrite base stuff when having Internal server errors, but without trying to mess with Location/Directory, all is fine (all project drupal instances) and no internal server errors, so i kind of excluded that as the cause of these issues.

Oliver

Comments

Would removing all the Drupal

chrisparsons commented 23 January 2010 at 14:18

Would removing all the Drupal permissions for the anonymous role work? Or is seeing the design an issue too?

Good point. But we would

ovlaere commented 23 January 2010 at 16:26

Good point. But we would prefer not seeing layout or design too.

This could be a solution if all else fails. Right now, i am trying to figure out why this simple .htaccess protection scheme fails? If there is a good reason this will never work, you're proposed solution seems a fix.

Thx!

Let me just make sure that I have this configuration right

chrisparsons commented 23 January 2010 at 18:09

You have a multisite running, and you have folders such as:

/sites/dev.mydomain.com.project1/
/sites/dev.mydomain.com.project2/

etc etc.

I'm wondering if it's because it's a virtual directory and not a real directory that it's flipping out.

That is correct. What i don't

ovlaere commented 24 January 2010 at 01:44

That is correct.

What i don't get about this whole thing is, why i get internal server errors as soon as something as <Directory ...> is put in the .htaccess file...

How about adding a new subdomain for each project?

Old Man commented 24 January 2010 at 09:58

This isn't really the answer to what you are asking, but could you create a new subdomain for each project and do a new multi-site install for each subdomain? My host allows unlimited sudomains and it only takes about a minute to create one, so it is pretty easy to do. Since you are doing a multi-site install anyway, it really isn't more work. You would get a new .htaccess file for each project, each project would be in it's own directory, separate passwords, etc.

Hello Old Man, subdomains are

ovlaere commented 24 January 2010 at 11:52

Hello Old Man,

subdomains are an option too. I think i will go with that approach as it is indeed not time consuming and will probably fix the issue i'm facing.

Thx,
Oliver

Domain Access module makes

Road Runner commented 24 January 2010 at 12:56

Domain Access module makes this pretty easy. Take a look and the documentation is pretty good too.

for almost the same purpose I

bserem commented 24 July 2010 at 09:28

for almost the same purpose I use the "securesite" module, it asks for a passwords when going to dev.example.com without displaying any valueable info to visitors

it has helped me a lot, but it only protects your site through drupals user management

--
http://srm.gr - Drupal Implementor

You have to do this in your

endoplasmic commented 18 March 2010 at 20:32

You have to do this in your .conf file (httpd.conf or httpd-vhosts.conf) and can't be run from .htaccess.

Password protect all sites of an apache server

rkarajgi commented 13 November 2010 at 09:31

I have a staging server that is on public internet ip address. I have bunch of drupal development and staging sites on this server.

I want to configure at Apache level so that all existing sites (and new ones added to this staging server) are automatically password protected. This password protection is primarily to keep the server private - away from the search robots. I do need this server to be on public ip address - so the sites are viewable from public internet to selected users.

I figured I could add the apache authentication to the command in apache's site wide httpd.conf file.

I added the following to httpd.conf file:


<Directory />
 AuthType Basic
 AuthName "Private 181"
 AuthUserFile /usr/local/apache/passwords
 require valid-user
</Directory>

I created the passwords file using htpasswd utility and added the desired users and passwords. The file is located at the right location.

Now, when I access any site from a browser, there is a challenge with user/password thrown up by the browser. But even if I enter a valid userid and password, the broweser keeps asking the user/password again and again.

Evidently, the challenge-response that is added for the realm is not accepted by the server.

Any ideas? Has anyone protected all sites of an apache server this way?

Thanks

----------------------------------------------------------
- R Karajgikar

I've been trying to set this

Jean Gionet commented 7 July 2011 at 14:47

I've been trying to set this up myself and it seems you can't set these types of rules in .htaccess unless permission is given from the main .conf file.. which is hard to access (if at all) using a shared hosting provider.
Also, the problem it seems that apache needs actual directories.. it doesn't work with aliases.

so I'm still trying to find a solution

A Day In The Life