Apache 2.4 .htpasswd protection and whitelisting multiple IP addresses


A customer asked us to secure their development environment using .htaccess and .htpasswd functionality. They wanted the ability to browse the site from their own IP addresses without entering a password. This is of course achievable with Apache's standard functionality; however, when particularly complex .htaccess files are used, one may run into issues with overlapping rules unless specific measures are taken.

Ordinarily we would use this standard .htaccess ruleset to achieve password protection with allow IP overrides:

AuthType Basic
AuthName "Development Environment"
AuthUserFile "/path/to/.htpasswd"
require valid-user
Order allow,deny
Allow from 192.168.30.40
satisfy any

The above is written for Apache 2.2. It will still work on Apache 2.4, but certain functionality is different and may cause problems, particularly when the rules are not wrapped inside an <If> block. So, here is our proposed solution:

<If "%{REMOTE_ADDR} != '127.0.0.1'">
AuthType Basic
AuthName "Development Environment"
AuthUserFile /path/to/.htpasswd
require valid-user
require ip 192.168.30.40
require ip 10.0.0.101
require ip 172.17.1.120
</If>

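With this solution, all of our directives are contained within an <If> block, which will not affect any of the .htaccess content above or below it. We are allowing the local host 127.0.0.1 full access, as it probably should have, and then using 'require ip' rules to give additional addresses access. Any one of the require lines is sufficient: a visitor either supplies a valid login or connects from one of the listed addresses.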
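Every 'require ip' entry is a password bypass, so it is worth listing exactly which address ranges a ruleset exempts and whether any Apache 2.2 directives are still mixed in. The following audit script is an added example, not part of the original article: the names audit and to_network, the 256-address threshold and the sample input are assumptions made for illustration, and it goes beyond the article's single-address entries by also handling the partial-IP and CIDR forms that 'require ip' accepts.

```python
import ipaddress

# Apache 2.2 access directives; on 2.4 they are provided by mod_access_compat.
LEGACY = {"order", "allow", "deny", "satisfy"}

# Constructed sample: the article's 2.4 block plus a partial address and a leftover 2.2 line.
SAMPLE = """\
<If "%{REMOTE_ADDR} != '127.0.0.1'">
AuthType Basic
AuthUserFile /path/to/.htpasswd
require valid-user
require ip 192.168.30.40 10.0.0.101
require ip 172.17
Order allow,deny
</If>
"""

def to_network(token):
    """Convert a 'require ip' argument (full IP, partial IP, CIDR, net/mask) to a network."""
    if ":" not in token and "/" not in token:
        octets = token.rstrip(".").split(".")
        if len(octets) < 4:  # a partial IPv4 such as '172.17' matches the whole prefix
            token = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    return ipaddress.ip_network(token, strict=False)

def audit(text, max_hosts=256):
    """Return (bypass_networks, warnings) for an .htaccess fragment."""
    networks, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.strip().split()
        if not words or words[0].startswith(("#", "<")):
            continue  # skip blanks, comments and section tags
        name = words[0].lower()
        if name in LEGACY:
            warnings.append("line %d: legacy 2.2 directive '%s' (mod_access_compat)"
                            % (lineno, words[0]))
        elif name == "require" and len(words) > 2 and words[1].lower() == "ip":
            for token in words[2:]:  # several addresses may share one line
                net = to_network(token)
                networks.append(net)
                if net.num_addresses > max_hosts:
                    warnings.append("line %d: %s exempts %d addresses from the password"
                                    % (lineno, net, net.num_addresses))
    return networks, warnings

if __name__ == "__main__":
    nets, warns = audit(SAMPLE)
    print("password bypass for:", ", ".join(map(str, nets)))
    print("\n".join(warns))
```
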

