.htaccess password and IP protection doesn't work with Aegir

Hi, the idea is to protect access to website with password if visitor is not coming from local IP (192.168.1.xxx). So I tried on Quickstart (doesn't have Aegir, Drush only) to set following in .htaccess:

  AuthName "Username and password required"
  AuthUserFile /home/quickstart/websites/mytestsite/.htpasswd
  AuthType Basic
  Require valid-user
  Order Deny,Allow
  Deny from all
  Allow from 192.168.1.
  Satisfy Any

And this works. Now I tried to add this in .htaccess in platform root on server where Aegir is installed but it didn't work. By "didn't work" I mean that no matter if I am external or local visitor, I get password popup.

I also tried to create file "protect_platforms" in post.d in server_master/apache folder with:

<Directory /home/testserver/websites/mytestsite>
  AuthName "Username and password required"
  AuthUserFile /home/testserver/websites/mytestsite/.htpasswd
  AuthType Basic
  Require valid-user
  Order Deny,Allow
  Deny from all
  Allow from 192.168.1.
  Satisfy Any
</Directory>

But that also didn't work. Am I missing some Aegir feature that overrides my settings? Where to look, what to try? I am out of ideas and any help is welcome. Apache version is 2.2.16-6+squeeze11, Debian 6 (later will try on Debian 7), Aegir is 1.11 (later will try on Aegir 2.1).
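
The access policy from the first post, as an added example that is not part of the original post and is not Aegir or Apache code: a small Python model of how Apache 2.2 combines Order Deny,Allow, a partial-address Allow from, and Satisfy, giving the HTTP status each kind of client should receive when the setup is tested. The function names and the sample client addresses are constructed for illustration.

```python
import ipaddress

def partial_to_network(spec):
    """Turn an Apache 2.2 partial address such as '192.168.1.' into a network.

    Partial addresses match on whole octets, so '192.168.1.' is 192.168.1.0/24
    and does not cover 192.168.10.x.
    """
    octets = [o for o in spec.split(".") if o]
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"not an IPv4 prefix: {spec!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def host_allowed(client_ip, allow, deny, order="Deny,Allow"):
    """Host-based access result for one client under the given Order."""
    ip = ipaddress.ip_address(client_ip)

    def hit(specs):
        return any(s == "all" or ip in partial_to_network(s) for s in specs)

    if order == "Deny,Allow":   # default is allow; an Allow match overrides Deny
        return hit(allow) or not hit(deny)
    if order == "Allow,Deny":   # default is deny; a Deny match overrides Allow
        return hit(allow) and not hit(deny)
    raise ValueError(f"unknown Order: {order!r}")

def response_status(client_ip, valid_credentials, satisfy="Any",
                    allow=("192.168.1.",), deny=("all",)):
    """Status for a request under the post's directives (the defaults here)."""
    host_ok = host_allowed(client_ip, allow, deny)
    mode = satisfy.lower()
    if mode == "any":           # host check OR valid user is enough
        return 200 if (host_ok or valid_credentials) else 401
    if mode == "all":           # host check AND valid user are both required
        if not host_ok:
            return 403
        return 200 if valid_credentials else 401
    raise ValueError(f"unknown Satisfy value: {satisfy!r}")

if __name__ == "__main__":
    # Constructed sample clients: LAN host, look-alike subnet, external host.
    for ip in ("192.168.1.23", "192.168.10.5", "203.0.113.9"):
        for creds in (False, True):
            print(ip, "credentials" if creds else "no credentials",
                  "Any:", response_status(ip, creds),
                  "All:", response_status(ip, creds, satisfy="All"))
```

In this model a LAN client without credentials gets 200 only under Satisfy Any; under Satisfy All (Apache's default) the same client gets 401.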

#1

See http://community.aegirproject.org/node/72 for how .htaccess files are handled in Aegir.

#2

Hi ergonlogic, thanks a lot for the link. But unfortunately it didn't help.

Here is what I was doing:
- in platform I created .htpasswd file and in .htaccess I added on top of file what I wrote in previous post.
- I went through platform's conf file visually to see what is currently there
- I ran Verify platform
- I even restarted LAMP (MySQL, Apache, Tomcat...)
- I checked visually again conf file in platform.d and it wasn't changed nor new entry was added there or copied from platform's .htaccess
- I went to website to try and see if in local it will allow me access without password, but it did ask me for password. Note that exactly the same .htaccess was tested in non Aegir machine and worked perfectly.

Am I missing some step? Maybe some permission? .htaccess has chown aegir:www-data as well as .htpasswd and chmod 644. Aegir is 1.11, I can even try on 2.1 instance if needed.
Thanks in advance!

#3

You could have a look at the HTTP Basic Authentication (hosting_http_basic_auth) module bundled with https://www.drupal.org/project/hosting_tasks_extra.

That's for Aegir 2.x, but the 1.x predecessor is on https://github.com/computerminds/aegir_http_basic

#4

Thanks, found that module in contributed modules page but it claims that it sets password protection per site. If I set in platform's htaccess file that means two things:
1) all sites on platform are automatically protected
2) means that platform .htaccess actually works under Aegir (which I have yet to confirm; .htaccess is also used for some cache optimizations, header tuning etc)

Once again thanks, I will give that module a try nonetheless. :-)

#5

Okay I tried module hosting_tasks_extra on some Virtual box in local. Basically, module consists of
- backend: https://www.drupal.org/project/provision_tasks_extra
- frontend: https://www.drupal.org/project/hosting_tasks_extra

I edited one site and added username, password and custom message. It verified website. Then I went to that site in browser and no user/pass was asked. Not sure if this module is supposed to work only on external IPs and ignoring local addresses (just like I'd want) or just doesn't work.

So I am still stuck with this issue. To refresh again what's this all about: I would like to add .htaccess in platform so that it allows access WITHOUT asking for user/pass those who are accessing from LOCAL but would like to ask for user/pass those who are accessing from OUTSIDE, external IP. The problem I have is that based on ergonlogic's documentation link, I don't see that Aegir copied anything into vhost file from htaccess nor htaccess entry works as expected. I enabled watchdog and confirmed that my IP address when logging in or out of Aegir is 192.168.1.xxx.

Anyone have any other idea? I would like to protect development servers (where Aegir manages platforms) from external access. Tested htaccess on non Aegir instance is posted in first post and confirmed it works.

#6

The log of a verify task for that site should show something like "Passwords path /var/aegir/config/server_master/apache/passwords.d exists.". Then you at least know the provision code is active.

Otherwise you could try to flush the drush cache (drush cache-clear drush)

#7

Thanks, it seems it is not set up correctly since in verification popup it doesn't mention any password path or anything similar. I also tried flushing cache and reverifying site but no luck. Probably backend of that module has a problem (I do remember it was trying to install itself in a loop when I was installing via Drush). If there are any instructions related to this module, link would be helpful, otherwise I'd need to play with it a bit.

#8

Filling in the password can be done via the site edit form.

#9

Helmo, I believe you didn't read my latest message right. I know where to type in password, I said that verify doesn't mention any password path setting up like you told me to in your previous post.

#10

helmo and milovan, we can confirm that https://www.drupal.org/project/hosting_tasks_extra with "HTTP Basic Authentication (hosting_http_basic_auth)" is not working. We created a bug report at https://www.drupal.org/node/2380495

#11

Thanks Francewhoa! I see it has been committed to branch 3 so I assume there won't be a backport to 2?

#12

milovan, good question :) Done. I just created a ticket about Back-port HTTP Basic Authentication fix from Aegir 3.x to 2.x at https://www.drupal.org/node/2449837 Any volunteers? To keep all in the communication loop I suggest to reply in that ticket.

We're happy to contribute testing and documentation

#13

So I did Aegir upgrade from 2.1 to 2.4 and added hosting_tasks_extra again, and enabled http basic auth. Technically it works, you go to site, it asks for user / pass, then you try /user which is on SSL and again it asks for user / pass. Okay, not a big issue. But then I simply closed browser (Firefox) without clearing browser cache, and opened it again, went to site and it asked me for a user / pass again. Now, devs periodically clear browser caches per day and I can see them already complaining how PITA this HTTP basic auth is because they have to enter user / pass many times per day.

Additionally, this module is still not allowing those with internal IPs to approach site without user / pass and only to ask those with external IPs (look first post).

Is someone still working on this module? Does this kind of feature request make sense? I might be able to contribute such a feature extension if no one plans to complete http authentication feature. I really need password protected setup on development servers from external approaches (unless we set some IP Whitelist for those with home static IPs for example or some other office), but unfortunately Aegir keeps ignoring .htaccess in platform's root so I have to see how to solve this (for problems and testing results please read first post and few below).