Apache 2.2 htaccess Require Password and IP Address

3
votes

In htaccess using Apache 2.2.x, is there a way to require a password and a certain IP address, and block outright everyone else?

I've tried all the Allow/Deny/Require/Satisfy combinations I could find or try. Maybe someone here has the answer? I did an extensive search but everyone is looking to allow bypassing a password for certain IP addresses, not demanding an IP and password.

1
apache.htaccessapache2.2
Is there any specific reason why you want to block the ip directly from the server and not through an app? - mkmnstr
Yes, this is a pre-authorization setup to allow access to a WordPress wp-login.php file. Currently I have it set up to require a login/password in Apache before people get to the wordpress login, to block WP brute force attacks, but for some domains I want to restrict it even further to just my IP address. - G Piper
As a side note... I did find a way to accomplish this but not just using Apache. I use nginx (running as a proxy) to block all but certain IP addresses before passing the proxy through to Apache which then requires the password. Problem solved, kinda. - G Piper

1 Answers

3
votes

I would suggest setting up your configuration to require just a password first, and once you have that working as intended. Add the correct allow from directive to the htaccess file. For example

Allow from 192.168.0.0

You should not need to add anything else as Satisfy All is the default, but if you are still having problems add this as well.

If you are still having problems show us the htaccess file and check the rest of your config for overriding configuration.

New config based on discussion below:

<Location />
  Order allow,deny
  AuthType Basic
  AuthName "Restricted Files"
  AuthBasicProvider file
  AuthUserFile /path/to/htpasswd
  Require valid-user
  Satisfy all
  Allow from 127.0.0.1
</Location>

Additional info, doesn't need the <Location> block if in htaccess