Rudecles
Reputation: 199
Apache 2.4 .htaccess Basic auth bypass by Request_URI
I have a PHP app running with Silex which is protected with basic auth but I need a section of the app to not ask for a password. I can do this in Apache 2.2 but it doesn't seem to work with 2.4. Here's my .htaccess
SetEnvIf Request_URI ^/register noauth=1
AuthType Basic
AuthName "Auth"
AuthUserFile /path/to/.htpasswd
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=noauth
I know Apache 2.4 has a different way of doing this, anyone know how?
Upvotes: 2
Views: 3726
Answers (1)
Rudecles
Reputation: 199
If anyone is interested, I fixed it like this:
SetEnvIf Request_URI /register noauth=1
AuthType Basic
AuthName "Auth"
AuthUserFile /path/to/.htpasswd
<RequireAny>
Require env noauth
Require valid-user
</RequireAny>
Upvotes: 5
Related Questions
- basic auth does not work in apache 2.4
- Apache 2.4: AuthType Basic and REQUEST_URI - Comparisons (with or without regular expr.) do not work properly
- Apache Basic Auth only for Requests with URL Path
- apache basic auth breaks rewrite in .htaccess
- htaccess Authentication with PHP
- Bypass basic authentication for referrer
- Bypassing AuthType with url parameter in Request_URI using htaccess
- Use basic auth for different URIs in a .htaccess file
- How to make Basic Auth exclude a rewritten URL
- .htaccess authentication with nginx