htaccess to password protect a specific server
# ----------------------------------------------------------------------
# Password protect staging server
# Use one .htaccess file across multiple environments
# (e.g. local, dev, staging, production)
# but only password protect a specific environment.
# ----------------------------------------------------------------------
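# Set the passreq variable when the Host header matches the staging hostname
SetEnvIf Host staging\.domain\.com passreq
AuthType Basic
AuthName "Password Required"
AuthUserFile /full/path/to/.htpasswd
Require valid-user
# Apache 2.2 access syntax (on 2.4 these directives need mod_access_compat).
# Allow is evaluated first, then Deny: every host passes the host check
# except requests that carry passreq.
Order allow,deny
Allow from all
Deny from env=passreq
# Access is granted if EITHER the host check passes OR a valid user logs in,
# so only requests that set passreq are asked for the password.
Satisfy any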

loekwetzels commented Nov 27, 2014

This is a nice little trick for basic needs, but it's not very safe as it could easily be spoofed in a few basic steps:

  1. find the IP address of staging.domain.com by using ping (example result IP: 66.96.162.136)
  2. add a custom hostname to the hosts file pointing to this IP address: 66.96.162.136 omgihazaccess
  3. open http://omgihazaccess in the browser
    Tada, no password required!

The other way around would be a little safer (require password in all cases, except when using production domain) but could still be spoofed if the attacker pointed the production hostname to the staging server IP address.
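
The inverted, fail-closed variant described in the comment above, written out as an added example (not part of the gist or of any comment). The production hostname `www.domain.com` and the variable name `is_production` are assumptions; the remaining values are taken from the gist.

```apache
# Added example, not the gist author's code.
# Password is required for every Host value EXCEPT the production hostname.
# www.domain.com is an assumed production hostname; an optional :port is accepted.
SetEnvIfNoCase Host ^www\.domain\.com(:[0-9]+)?$ is_production

AuthType Basic
AuthName "Password Required"
AuthUserFile /full/path/to/.htpasswd

# Apache 2.4 (mod_authz_core): either the production Host or a valid login.
<IfModule mod_authz_core.c>
    <RequireAny>
        Require env is_production
        Require valid-user
    </RequireAny>
</IfModule>

# Apache 2.2: the same rule in the older Order/Allow/Deny syntax.
<IfModule !mod_authz_core.c>
    Require valid-user
    # Deny is evaluated first, then Allow overrides it for production only.
    Order deny,allow
    Deny from all
    Allow from env=is_production
    Satisfy any
</IfModule>

# The Host header is chosen by the client, so, as the comment above notes,
# a request carrying the production hostname still skips the prompt on the
# staging server. Treat this as a convenience, not as an access boundary.
```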


elliotlewis commented Dec 10, 2014

@loekwetzels I think you're missing the vital line in there! This password protects the server, spoofing the domain name won't get around that, you'll still need to know the password.


Risyandi commented May 19, 2018

Hopefully this will help with my staging / development sites.
