I'm trying to protect URLs containing a specific string:

    RewriteCond %{QUERY_STRING} foo
    RewriteRule - [E=NEED_AUTH:1]
    Options -Indexes
    AuthType Basic
    AuthUserFile /etc/apache2/.htpasswd
    Order allow,deny
    allow from all
    satisfy any
    deny from env=NEED_AUTH
    Require valid-user

I suppose this should bring up the authentication dialog when loading

    index.php?format=foo

but it doesn't work. I tried several other RewriteConds like for example

    RewriteCond %{QUERY_STRING} format=foo
    RewriteCond %{QUERY_STRING} ^format=foo$

with no luck. Using

    RewriteLog "/var/log/apache2/rewrite.log"
    RewriteLogLevel 3

doesn't log anything.

Any suggestions? :)
Upvotes: 0
Views: 2701
Reputation: 1
As described here (Apache permissions based on querystring), I cannot get the combination of "RewriteRule" and "Allow from env" working in Apache 2.4.6.
Upvotes: 0
Reputation: 21
To add to Jon's answer, I had a similar issue as the OP. But I found that "allow from env=!NEED_AUTH" was not working, so I had to reverse it in the Rewrite Condition, "RewriteCond %{QUERY_STRING} !format=foo", and then reverse the allow, "allow from env=NEED_AUTH". So, here is the snippet that works:

    RewriteCond %{QUERY_STRING} !foo=bar
    RewriteRule ^ - [E=NO_AUTH:1]
    Order deny,allow
    Deny from all
    AuthType basic
    AuthName "Auth Needed"
    AuthUserFile "/etc/httpd/conf.d/.htpasswd"
    Require valid-user
    Allow from env=NO_AUTH
    Satisfy Any

Upvotes: 2
Reputation: 143886
Make sure you've turned on the rewrite engine using "RewriteEngine On". Also, there's an error in your RewriteRule:

    RewriteRule - [E=NEED_AUTH:1]

Needs to have 2 parameters before the flags:

    RewriteRule ^ - [E=NEED_AUTH:1]

Aside from that, it doesn't look like you've set up authentication correctly. You'll need an AuthName to define the realm, Apache won't do authentication without it. And I don't think you can force authentication with an "allow from all", you might need to do this the other way around, by denying all and "allow from env=!NEED_AUTH"
Upvotes: 0
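
An added example, not code from any of the posts above: on Apache 2.4, where one reply reports that the "RewriteRule" plus "Allow from env" combination does not work, the same goal can be written with an <If> section and Require instead of the 2.2-style Order/Allow/Deny/Satisfy directives. It assumes the password file path from the question and that mod_auth_basic, mod_authn_file and mod_authz_user are loaded; the realm name is a placeholder.

```apache
# Added example for Apache 2.4 (not from the thread).
# Assumptions: mod_auth_basic, mod_authn_file and mod_authz_user are loaded;
# the password file is the one named in the question; the realm text is a placeholder.
Options -Indexes

# Require a login only when the query string carries format=foo as a whole
# parameter: at the start of the query string or after "&", and followed by
# "&" or the end. "xformat=foo" and "format=foobar" do not trigger it.
<If "%{QUERY_STRING} =~ /(^|&)format=foo(&|$)/">
    AuthType Basic
    # Apache will not start Basic authentication without a realm.
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</If>
```

The expression is evaluated on the query string as the client sent it, without URL decoding, so any access decision that must hold should also be enforced in the application.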