Enhance add_http_auth.sh script to support IP-based access control and Apache version compatibility. Update README files to reflect new features and usage instructions.

Author: herewithme

README.md

@@ -10,7 +10,7 @@ This repository contains a collection of bash scripts organized by category:
 
 Scripts for managing HTTP authentication in web servers.
 
-- [add_http_auth.sh](http-auth/add_http_auth.sh) - Add HTTP Basic authentication to an .htaccess file
+- [add_http_auth.sh](http-auth/add_http_auth.sh) - Add HTTP Basic authentication to an .htaccess file with support for IP-based access control and compatibility with both Apache 2.2 and 2.4
 
 ## Installation
 

http-auth/README.md

@@ -16,6 +16,8 @@ A bash script to easily add HTTP Basic authentication to an .htaccess file.
 - Allows customization of username
 - Provides interactive or command-line password entry
 - Supports multiple encryption methods (bcrypt, md5, sha1)
+- Allows specific IP addresses to bypass authentication
+- Compatible with both Apache 2.2 and 2.4 syntax
 
 ## Requirements
 
@@ -61,6 +63,7 @@ This will:
 - Set up authentication with default values (username: admin)
 - Prompt you to enter a password
 - Use bcrypt encryption (most secure)
+- Use Apache 2.4 syntax (default)
 
 ### Command-line Options
 
@@ -72,6 +75,8 @@ Options:
   -u, --user      Username (default: 'admin')
   -s, --password  Password (if not specified, it will be asked interactively)
   -e, --encrypt   Encryption method: md5, bcrypt, sha1 (default: 'bcrypt')
+  -i, --ip        Comma-separated list of IP addresses allowed without authentication
+  -a, --apache    Apache version: 2.2 or 2.4 (default: '2.4')
   -h, --help      Display this help
 ```
 
@@ -101,10 +106,22 @@ Options:
 ./add_http_auth.sh -e md5
 ```
 
+#### Allow specific IP addresses to bypass authentication:
+
+```bash
+./add_http_auth.sh -i "192.168.1.100,10.0.0.5"
+```
+
+#### Specify Apache version (for older servers):
+
+```bash
+./add_http_auth.sh -a 2.2
+```
+
 #### Full example with all options:
 
 ```bash
-./add_http_auth.sh -f /var/www/html/.htaccess -p /etc/apache2/.htpasswd -u webmaster -s "my_secure_password" -e bcrypt
+./add_http_auth.sh -f /var/www/html/.htaccess -p /etc/apache2/.htpasswd -u webmaster -s "my_secure_password" -e bcrypt -i "192.168.1.100,10.0.0.5" -a 2.4
 ```
 
 ## How It Works
@@ -113,7 +130,8 @@ Options:
 2. It then checks if the .htaccess file already exists and if authentication is already configured
 3. If a password is not provided as an argument, it prompts the user to enter one
 4. It creates or updates the .htpasswd file with the username and hashed password
-5. Finally, it adds the necessary authentication directives to the .htaccess file
+5. If IP addresses are specified, it adds rules to allow those IPs to bypass authentication
+6. Finally, it adds the necessary authentication directives to the .htaccess file
 
 ## Encryption Methods
 
@@ -123,13 +141,49 @@ The script supports three encryption methods:
 2. **md5**: Compatible with most servers, requires the `openssl` command
 3. **sha1**: Stronger than md5 but less secure than bcrypt, requires the `openssl` command
 
+## IP-Based Access
+
+When you specify IP addresses with the `-i` option, the script adds rules to the .htaccess file that allow those IPs to access the protected content without authentication. This is useful for:
+
+- Office networks where you want to allow access without prompting for credentials
+- Development or staging environments where you want to restrict access but allow certain IPs
+- Monitoring services that need to access the site without authentication
+
+The IP addresses should be provided as a comma-separated list without spaces, for example: `192.168.1.100,10.0.0.5`
+
+## Apache Version Compatibility
+
+The script supports both Apache 2.2 and Apache 2.4 syntax for access control:
+
+### Apache 2.2 Syntax
+
+```apache
+SetEnvIf Remote_Addr "^(192\.168\.1\.100|10\.0\.0\.5)$" ALLOW_ACCESS
+Order deny,allow
+Deny from all
+Allow from env=ALLOW_ACCESS
+Satisfy any
+```
+
+### Apache 2.4 Syntax
+
+```apache
+<RequireAny>
+    Require ip 192.168.1.100 10.0.0.5
+    Require valid-user
+</RequireAny>
+```
+
+By default, the script uses Apache 2.4 syntax. If you're using an older Apache server (version 2.2), specify `-a 2.2` when running the script.
+
 ## Security Considerations
 
 - When using the `-s` option to specify a password on the command line, be aware that the password may be visible in the process list or command history
 - For production environments, it's recommended to use the interactive password prompt
 - Make sure the .htpasswd file is stored in a location not accessible from the web
 - Ensure proper file permissions are set on both .htaccess and .htpasswd files
 - Use bcrypt encryption when possible for better security
+- Be careful when allowing IP addresses to bypass authentication, as IP addresses can be spoofed
 
 ## Troubleshooting
 
@@ -149,6 +203,14 @@ The script supports three encryption methods:
    - Ensure your web server is configured to allow .htaccess overrides
    - Check that the path to the .htpasswd file in the .htaccess is correct and accessible by the web server
 
+5. **IP-based access not working**
+   - Make sure your Apache server has the required modules enabled:
+     - For Apache 2.2: `mod_setenvif`, `mod_authz_host`
+     - For Apache 2.4: `mod_authz_core`, `mod_authz_host`
+   - Check that you're using the correct IP address format
+   - Verify that your server is properly detecting the client's IP address
+   - Ensure you're using the correct Apache version syntax (`-a 2.2` or `-a 2.4`)
+
 ## License
 
 This script is released under the MIT License. See the LICENSE file for details.

http-auth/add_http_auth.sh

@@ -12,6 +12,8 @@ show_help() {
     echo "  -u, --user      Username (default: 'admin')"
     echo "  -s, --password  Password (if not specified, it will be asked interactively)"
     echo "  -e, --encrypt   Encryption method: md5, bcrypt, sha1 (default: 'bcrypt')"
+    echo "  -i, --ip        Comma-separated list of IP addresses allowed without authentication"
+    echo "  -a, --apache    Apache version: 2.2 or 2.4 (default: '2.4')"
     echo "  -h, --help      Display this help"
     exit 0
 }
@@ -74,12 +76,53 @@ generate_htpasswd_entry() {
     esac
 }
 
+# Function to generate IP-based access rules
+generate_ip_rules() {
+    local ip_list="$1"
+    local apache_version="$2"
+    local rules=""
+    
+    # If IP list is empty, return empty rules
+    if [ -z "$ip_list" ]; then
+        echo ""
+        return
+    fi
+    
+    # Format the IP list for use in the rules
+    # Replace commas with spaces for Apache 2.4 Require ip directive
+    local formatted_ip_list=${ip_list//,/ }
+    
+    # Start the rules block
+    rules="# Allow access from specific IP addresses without authentication\n"
+    
+    if [ "$apache_version" = "2.2" ]; then
+        # Apache 2.2 syntax
+        # Replace spaces with | for regex OR
+        local regex_ip_list=${ip_list//,/|}
+        rules="${rules}SetEnvIf Remote_Addr \"^(${regex_ip_list})$\" ALLOW_ACCESS\n"
+        rules="${rules}Order deny,allow\n"
+        rules="${rules}Deny from all\n"
+        rules="${rules}Allow from env=ALLOW_ACCESS\n"
+        rules="${rules}Satisfy any\n\n"
+    else
+        # Apache 2.4 syntax using RequireAny
+        rules="${rules}<RequireAny>\n"
+        rules="${rules}    Require ip ${formatted_ip_list}\n"
+        rules="${rules}    Require valid-user\n"
+        rules="${rules}</RequireAny>\n\n"
+    fi
+    
+    echo -e "$rules"
+}
+
 # Default values
 HTACCESS_FILE="./.htaccess"
 HTPASSWD_FILE="./.htpasswd"
 USERNAME="admin"
 PASSWORD=""
 ENCRYPT_METHOD="bcrypt"
+ALLOWED_IPS=""
+APACHE_VERSION="2.4"
 
 # Process arguments
 while [[ $# -gt 0 ]]; do
@@ -104,6 +147,14 @@ while [[ $# -gt 0 ]]; do
             ENCRYPT_METHOD="$2"
             shift 2
             ;;
+        -i|--ip)
+            ALLOWED_IPS="$2"
+            shift 2
+            ;;
+        -a|--apache)
+            APACHE_VERSION="$2"
+            shift 2
+            ;;
         -h|--help)
             show_help
             ;;
@@ -120,6 +171,12 @@ if [[ ! "$ENCRYPT_METHOD" =~ ^(md5|bcrypt|sha1)$ ]]; then
     exit 1
 fi
 
+# Validate Apache version
+if [[ ! "$APACHE_VERSION" =~ ^(2.2|2.4)$ ]]; then
+    echo "Error: Invalid Apache version. Valid options are: 2.2, 2.4"
+    exit 1
+fi
+
 # Convert to absolute paths without using realpath
 HTACCESS_PATH=$(get_absolute_path "$HTACCESS_FILE")
 HTPASSWD_PATH=$(get_absolute_path "$HTPASSWD_FILE")
@@ -176,20 +233,43 @@ fi
 echo "Generating entry for user '$USERNAME' in the .htpasswd file using $ENCRYPT_METHOD encryption."
 generate_htpasswd_entry "$USERNAME" "$PASSWORD" "$ENCRYPT_METHOD" > "$HTPASSWD_PATH"
 
+# Generate IP-based access rules if IPs are provided
+IP_RULES=""
+if [ -n "$ALLOWED_IPS" ]; then
+    echo "Configuring access without authentication for IPs: $ALLOWED_IPS (Apache $APACHE_VERSION syntax)"
+    IP_RULES=$(generate_ip_rules "$ALLOWED_IPS" "$APACHE_VERSION")
+fi
+
 # Add authentication configuration to the .htaccess file
 cat << EOF >> "$HTACCESS_PATH"
 
 # HTTP Basic Authentication Configuration
 AuthType Basic
 AuthName "Restricted Area"
 AuthUserFile "$HTPASSWD_PATH"
-Require valid-user
-
 EOF
 
+# For Apache 2.4 without IP rules or Apache 2.2, we need to add Require valid-user
+if [ -z "$ALLOWED_IPS" ]; then
+    if [ "$APACHE_VERSION" = "2.4" ]; then
+        echo "Require valid-user" >> "$HTACCESS_PATH"
+    elif [ "$APACHE_VERSION" = "2.2" ]; then
+        echo "Require valid-user" >> "$HTACCESS_PATH"
+    fi
+fi
+
+# Add IP rules if any
+if [ -n "$IP_RULES" ]; then
+    echo -e "$IP_RULES" >> "$HTACCESS_PATH"
+fi
+
 echo "HTTP Basic authentication successfully added to the .htaccess file."
 echo "Username: $USERNAME"
 echo "Encryption method: $ENCRYPT_METHOD"
 echo "Password file: $HTPASSWD_PATH"
+echo "Apache version: $APACHE_VERSION"
+if [ -n "$ALLOWED_IPS" ]; then
+    echo "IPs allowed without authentication: $ALLOWED_IPS"
+fi
 
 exit 0