Reputation: 1804
How to make Basic Auth exclude a rewritten URL
I have a Basic Authentication setup on a development server. It is setup inside my httpd.conf file for the VirtualHost of the website. I've had to set up it to exclude certain directories, which has caused no problems and all works fine.
The issue has been with excluding a URL that has been through my mod_rewrite rules in the .htaccess file. My set up is that I have all URLs going through my index.php file and from there the relevant code is found and ran. I tried adding the URL that I wanted to exclude (/businesses/upload_logo) like I did the others but it still requires authentication. This is what I currently have:
...
<Location />
SetEnvIf Request_URI "/businesses/upload_logo" noauth=1
SetEnvIf Request_URI "/api/.*" noauth=1
AuthType Basic
AuthName "Private"
AuthUserFile ****
Require valid-user
Order deny,allow
Satisfy any
Deny from all
Allow from env=noauth
</Location>
....
I have found questions that are similar to mine here & here but the answers only give me what I'm already trying.
I have thought of possible other solutions as well, but these will be last resort things. I want to see if it's possible the way I'm currently doing it:
- Set up the basic auth inside my php code instead
- Too much hassle at the moment
- Put the authentication in my
.htaccessfile instead- Didn't want to do this just yet as I only want the authentication to happen on one of 3 servers. I'm aware that I could use some more
SetEnvIf HOST ...but I'm looking to see if it can be fixed this way or not first.
- Didn't want to do this just yet as I only want the authentication to happen on one of 3 servers. I'm aware that I could use some more
The mod_rewrite rule:
...
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php [L,QSA]
Upvotes: 14
Views: 12873
Answers (3)
Reputation: 4128
For me something like this works like a charm:
<location />
SetEnvIf Request_URI "/businesses/upload_logo" REDIRECT_noauth=1
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/httpd/passwords/passwords
Order Deny,Allow
Satisfy any
Deny from all
Allow from env=REDIRECT_noauth
Require user yournickname
</location>
Upvotes: 2
Reputation: 121
based on what you have given it should work, unless there is a conflicting directive somewhere else in your configuration.
i have made a similar working setup , just i have used filesystem path instead of URI
i am adding it here, hoping you may find it useful
<VirtualHost *:8989 >
<IfModule mod_auth_basic.c>
<Directory /var/www/html/vella-8989>
# the auth block
AuthType Basic
AuthName "Please login."
AuthUserFile /var/www/html/vella-8989/.htpasswd
require valid-user
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=noauth
</Directory>
</IfModule>
# set an environtment variable "noauth" if the request has "/callbacks/"
SetEnvIf Request_URI "/callbacks/" noauth=1
ServerName vella.com
ServerSignature off
</VirtualHost>
Upvotes: -1
Related Questions
- Excluding a specific URL from HTTP Basic Auth - mod_rewrite causing problems
- htaccess exclude multiple url from Basic Auth
- htaccess exclude one url from Basic Auth
- Cannot exclude route from http basic auth
- HTTP Basic Auth Exclude Single File
- .htaccess - Disable basic auth for specific path
- mod_rewrite breaks http basic auth
- Apache Basic Auth only for Requests with URL Path
- apache basic auth breaks rewrite in .htaccess
- Using Basic Authentication (htaccess) to restrict access to a specific URL