I have a domain (also folder structure) *.dev.xxx. I need to make an htpasswd that will require credentials on every site on that domain.
My .htaccess:
AuthType Basic
AuthName "test"
AuthUserFile /var/www/dev/.htpasswd
Require valid-user
But when the subdomain has its own .htaccess, it overrides this one and it works without authorization.
Is there a way to force it to authorize?
Thank you for your answers.
Browsers will treat different sub-domains as completely different authentication scopes. This is done for security reasons, to prevent password phishing via IP/domain spoofing. Thus it is not possible to do this via .htaccess, except as M1K1O stated earlier:
Simply put your .htaccess in the parent folder of sub and web.
...then prevent and exclude any .htaccess auth declarations in the subfolders.
However, if you are very careful about it, there may be a server-side method of handling it in the Apache virtual hosts.
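<VirtualHost [your-ip]:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/dev/
    ServerName www.dev.domain.com
    ServerAlias *.dev.domain.com
    ...
    # Add to any of your virtual host entries.
    # <Directory> takes a filesystem path; <Location> would match URL paths.
    <Directory /var/www/dev>
        AuthName "test"
        AuthType Digest
        AuthDigestAlgorithm MD5
        AuthDigestDomain / http://www.dev.domain.com/ http://other.dev.domain.com/
        AuthDigestQop auth
        AuthDigestProvider file
        # For Digest auth this file must be created with htdigest, using the AuthName realm.
        AuthUserFile /var/www/dev/.htpasswd
        # Without a Require directive no credentials are requested.
        Require valid-user
    </Directory>
</VirtualHost>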
One major drawback to this method is that AuthDigestDomain does not support any wildcards, i.e., every expected subdomain must be explicitly declared, rather than using http://*.dev.domain.com/
This route is one I've considered in the past, but have yet to delve into due to the long list of security implications.
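The parent-folder approach from the answer above, enforced from the server configuration so that a per-site .htaccess cannot replace the auth requirement. This is an added example, not part of the original answer; it assumes Apache 2.4, reuses the realm and paths from the question, and the override classes it grants are an assumption about what the sites need.

```apache
# Added example. Place in the server or virtual host configuration,
# not in a .htaccess file. Paths and realm are taken from the question.

<Directory "/var/www/dev">
    AuthType Basic
    AuthName "test"
    AuthUserFile "/var/www/dev/.htpasswd"
    Require valid-user

    # Weak setting: "AllowOverride All" (or any list that includes AuthConfig)
    # lets a .htaccess further down the tree issue its own Require or AuthType.
    # Because AuthMerging defaults to Off, that replaces the Require above.
    #AllowOverride All

    # Corrected: grant only the override classes the sites need (assumed here
    # to be FileInfo and Indexes) and leave AuthConfig out. Auth directives in
    # a .htaccess below this directory are then rejected, and a request that
    # hits such a file fails with a 500 instead of being served without
    # credentials.
    AllowOverride FileInfo Indexes
</Directory>
```

Existing .htaccess files under /var/www/dev that still contain auth directives need those lines removed after this change, or the affected sites return a 500.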