htaccess to password protect a specific server
# ----------------------------------------------------------------------
# Password protect staging server
# Use one .htaccess file across multiple environments
# (e.g. local, dev, staging, production)
# but only password protect a specific environment.
# ----------------------------------------------------------------------
SetEnvIf Host staging.domain.com passreq
AuthType Basic
AuthName "Password Required"
AuthUserFile /full/path/to/.htpasswd
Require valid-user
Order allow,deny
Allow from all
Deny from env=passreq
Satisfy any
loekwetzels Nov 27, 2014

This is a nice little trick for basic needs, but it's not very safe as it could easily be spoofed in a few basic steps:

  1. find the IP address of staging.domain.com by using ping (example result IP: 66.96.162.136)
  2. add a custom hostname to the hosts file pointing to this IP address: 66.96.162.136 omgihazaccess
  3. open http://omgihazaccess in the browser
    Tada, no password required!

The other way around would be a little safer (require password in all cases, except when using production domain) but could still be spoofed if the attacker pointed the production hostname to the staging server IP address.
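
The inverted approach described in the comment above, as an added example in Apache 2.4 syntax (not part of the gist or of the comment): every hostname gets the password prompt except the production one. The production hostname `www.domain.com` and the variable name `is_production` are assumptions, and the decision still rests on the client-supplied Host header, as the comment points out.

```apache
# ----------------------------------------------------------------------
# Inverted form: password required by default, production host exempt
# (added example, Apache 2.4 syntax; needs mod_setenvif, mod_auth_basic,
#  mod_authn_file, mod_authz_core, mod_authz_user)
# ----------------------------------------------------------------------

# Mark the request only when the Host header is exactly the production
# name (optionally followed by a port). The hostname is an assumed
# placeholder; the dots are escaped and the pattern is anchored so that
# look-alike names do not match.
SetEnvIfNoCase Host "^www\.domain\.com(:[0-9]+)?$" is_production

AuthType Basic
AuthName "Password Required"
AuthUserFile /full/path/to/.htpasswd

# Access is granted when either condition holds:
#   - the request was marked as production above, or
#   - the client supplied valid credentials from the AuthUserFile.
# Any hostname that is not the production one (staging, dev, a bare IP,
# an unknown name) therefore gets the password prompt.
<RequireAny>
    Require env is_production
    Require valid-user
</RequireAny>
```

For this to work from a `.htaccess` file, the server's `AllowOverride` setting must include `AuthConfig` and `FileInfo`.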

elliotlewis Dec 10, 2014

@loekwetzels I think you're missing the vital line in there! This password protects the server, spoofing the domain name won't get around that, you'll still need to know the password.

Risyandi May 19, 2018

Hopefully this is helpful for my staging / development sites.
