プログラミングの役立つ記事をお届けします

[Apache2.4] How to use slash in IF directive of .htaccess

[Apache2.4] How to use slash in IF directive of .htaccess

「I want to apply BASIC authentication only in a specific environment with .htaccess」
「I want to use BASIC authentication only for complex request URIs with .htaccess」

Hello, I’m taka.

.htaccess is useful.

.htaccess is indispensable when customizing various web applications, but it’s hard to remember the writing rules!!

Because of its unique description rules, I feel uneasy when implementing it even if I remember it.

In the meantime, with Apache 2.4, it became possible to perform finer control, and there was a little touching code, so I will introduce it.

Apply BASIC authentication for each environment

Starting with Apache 2.4, the If directive can be used, allowing finer control.

For example, when you want to apply BASIC authentication only in the development environment, describe as follows.

<If "%{HTTP_HOST} == 'dev.example.com'">
    AuthUserFile /path/to/your/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Basic Auth"
    AuthType Basic
    Require valid-user
</If>

It’s intuitive and easy to understand. This is a common usage.

Apply BASIC authentication only for specific request URIs

This was the code that impressed me

As mentioned above, it was fairly easy if the process was controlled by the HOST name.
Sometimes you want to apply BASIC authentication by request URI.

For example, when you want to apply BASIC authentication only to an administrative URI like /admin/xxxxx.

In such a case, the URI is described with a regular expression to support all admin and below.

At this time, the regular expression pattern itself in .htaccess is surrounded by slashes, so it is a problem when writing the slashes themselves.

So, in general, escape is escaped with a backslash, so it is written as follows.

<If "%{REQUEST_URI} =~ /\/admin\/.*/">

This is NG.

I’m afraid of 500: Internal Server Error.

Then, what to do is described as follows.

<If "%{REQUEST_URI} =~ /\x2Fadmin\x2F.*/">

The slash is represented by \x2F.

I didn’t know this.

Bonus: Apply BASIC authentication by combining conditions

If directives can be used in any combination of conditions.

So,
BASIC certification is required for all development environments.
In a production environment, BASIC authentication is applied only to management URIs.

Conditions like this are also possible.

For example, the description is as follows.

<If "%{HTTP_HOST} == 'dev.example.com'">
    AuthUserFile /path/to/your/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Basic Auth"
    AuthType Basic
    Require valid-user
</If>

<If "%{HTTP_HOST} == 'www.example.com' && %{REQUEST_URI} =~ /\x2Fadmin\x2F.*/" >
    AuthUserFile /path/to/your/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Basic Auth"
    AuthType Basic
    Require valid-user
</If>

It’s convenient.

Summary

When Apache 2.2 was installed, if .htaccess was installed in a specific directory, BASIC authentication could be applied to the directory below it.
Recently, both WordPress and PHP frameworks collected requests with .htaccess and routed them, so the directory itself did not exist, so it was not possible to write Apache 2.2.

So such a problem occurred.

Thank you for reading.

Leave a Reply

Your email address will not be published. Required fields are marked *