Use HTTP Auth only if accessing a specific domain

Question

I've got several sites: example.com, example1.com, and example2.com. All of them point to my server's /public_html folder, which is my Apache root folder.

What do I need to add to my .htaccess file to use http authentication only if the user is coming from example2.com? example.com and example1.com should NOT use authentication.

I know I need something like

AuthType Basic
AuthName "Password Required"
AuthUserFile "/path/to/.htpasswd"
Require valid-user

But I only want to require a password if the user is visiting example2.com.

Edit

Using an approach suggested in an answer, I have the following in my .htaccess file:

SetEnvIfNoCase Host ^(.*)$ testauth
<IfDefine testauth>
RewriteRule ^(.*)$ index2.php?q=$1 [L,QSA]
</IfDefine>

I know that the mod_setenvif.c module is enabled (I verified with an <IfModule> block), but it would appear that "testauth" is never getting defined, because my test to verify (redirecting to index2.php) is not executing (whereas it was getting executed in my <IfModule> block). Any ideas why?

Answer 1

How about something along the lines of this in the htaccess file in the document root:

# set the "require_auth" var if Host ends with "example2.com"
SetEnvIfNoCase Host example2\.com$ require_auth=true

# Auth stuff
AuthUserFile /var/www/htpasswd
AuthName "Password Protected"
AuthType Basic

# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth

This will make it so authentication is not required unless the host ends with example2.com (e.g. www.example2.com, dev.example2.com, etc). The expression can be tweaked if needed. Any other host will cause the require_auth var not to get set so authentication is not required. If this needs to be the other way around, the last line could be changed to: Allow from env=require_auth, removing the !.

Answer 2

Apache 2.4 offers a semantic alternative with the If directive:

<If "req('Host') == 'example2.com'">
    AuthUserFile /path/to/htpasswd
    AuthType Basic
    AuthName "Password Protected"
    Require valid-user
</If>
<Else>
    Require all granted
</Else>

Answer 3

Here is one recommendation:

Create a file called common.conf and save in an accessible location

In this file place the Apache configuration common to all sites (hosts).

The remove the current single VirtualHost entry an replace with VirtualHost entries as follows:

# These are the password protected hosts
<VirtualHost *:80>
ServerName example.com
ServerAlias example1.com

Include /path-to-common-configuration/common.conf

AuthType Basic
AuthName "Password Required"
AuthUserFile "/path/to/.htpasswd"
Require valid-user
</VirtualHost>

# These are hosts not requiring authentication
<VirtualHost *:80>
ServerName example2.com
ServerAlias example3.com

Include /path-to-common-configuration/common.conf

</VirtualHost>

Answer 4

I wonder if DanH would be helped by an approach that allows access per IP address?

Something like

SetEnvIf Remote_Addr 1\.2\.3\.4 AllowMeIn
SetEnvIfNoCase Host this\.host\.is\.ok\.com AllowMeIn
SetEnvIfNoCase Host this\.host\.is\.also\.ok\.com AllowMeIn

and then in your Drupal "container"

Order Allow,Deny
Allow from env=AllowMeIn

should do the trick.

Any host that is "live" should be configured to "AllowMeIn", or else you have to come from a known IP address (ie you and other developers).

Answer 5

You shouldn't be putting per-vhost configuration into .htaccess. Instead, put the config block in the VirtualHost block in the proper config file in /etc/apache/sites-enabled/*.