.htaccess protect symlinked TYPO3 backend

Question

I'm trying to protect an older TYPO3 8.7 backend (/typo3) via an AuthType basic part in the normal TYPO3 .htaccess file. I always end up with internal server errors. Has anyone done this before? Is it possible that this could not wor with the symlinks?

I am puting this part of code on top of my .htaccess (before all the rwrite stuff starts):

    SetEnvIf Request_URI ^.*/typo3.* require_auth=true
    AuthType basic
    AuthName "Admin Schutz"
    AuthUserFile /usr/etc/.htpasswd
    #Order Deny,Allow
    #Deny from all
    #Satisfy any
    Require valid-user
    Allow from env=!require_auth

Thanks for any hints!

Answer 1

Should work with:

AuthType        basic
AuthName        "Secret area!"
AuthUserFile    /usr/etc/.htpasswd
require         valid-user
Order           deny,allow
Deny            from all
Satisfy         ANY

An internal server error is thrown, eg if your path to the AuthUserFile isn't correct.

Here i've written down my snippet for my personal public documentation: https://www.entwicklertools.de/snippet-sammlung/htaccess-snippets/passwortschutz-einrichten/

Answer 2

Assuming that your /usr/etc/.htpasswd file is accessible and valid (created properly with htpasswd command and chmoded to 644 ) your sample should work for Apache 2.2 , but not in Apache 2.4 according to comments in this post . Literally in 2.4 it will work, but will require password also for your root domain.

There are two solutions. First is placing additional .htaccess files in your typo3 directory with simple rule, ie as shown by @Naderio :

AuthType        basic
AuthName        "Secret area!"
AuthUserFile    /usr/etc/.htpasswd
require         valid-user
Order           deny,allow
Deny            from all
Satisfy         ANY

However, if you created a typo3 symlink to sources as suggested in TYPO3's documentation and/or you don't want to require BasicAuth for all projects which uses the same sources, you can override these settings directly in VHOST configuration like (assuming that you have all your TYPO3 projects ie in /www/typo3/ folder:

<VirtualHost *:80>

    ServerAdmin your@email.tld
    DocumentRoot "/www/typo3/project-x.loc"
    ServerName project-x.loc

    # below your valid paths for log files...
    # ErrorLog "logs/project-x.loc-error_log"
    # CustomLog "logs/project-x.loc-access_log" common
    
    <Directory "/www/typo3/project-x.loc">
        Options Indexes FollowSymLinks ExecCGI Includes
        AllowOverride All
        Require all granted
    </Directory>
    
    <Directory "/www/typo3/project-x.loc/typo3">
        AuthType        basic
        AuthName        "Restricted in VHOST config!"
        AuthUserFile    /usr/etc/.htpasswd
        require         valid-user
        Order           deny,allow
        Deny            from all
        Satisfy         ANY
    </Directory>
    
</VirtualHost>

Note: I'd check anyway if the path you are trying to use /usr/etc/ is accessible for Apache at all, maybe it will be better moving your .htpasswd file somewhere closer to your www structure like to folder /www/etc/ and fix the above rules accordingly?

Answer 3

Thanks to all replies.

finally we also did this in the vhost by the following code using the "location"-tag.

 <Location /typo3/>
            AuthType Basic
            AuthName "Enter Password"
            AuthUserFile /www_data/.htpasswd4xyz
            Require valid-user
    </Location>

Answer 4

In case you can't edit the vhost config, this line shoud work istead of your SetEnvIf in your .htaccess, intoo:

SetEnvIfNoCase Request_URI ^/typo3/$ require_auth=true