Bypass basic authentication for referrer

Question

I have made a terrible, terrible piece of htaccess code as a stop-gap to keep us going, but terrible code makes everyone unhappy. So here it is:

DomainA.com hosts some code we need to pull into DomainB.com and all subdomains of DomainB.com.

Here is the terrible code we came up with and slapped on DomainA.com's htaccess file that works:

<If "%{HTTP_REFERER} == 'https://DomainB.com/testpage1.php'">
</If>

<ElseIf "%{HTTP_REFERER} == 'https://DomainB.com/testpage2.php'">
</ElseIf>

<ElseIf "%{HTTP_REFERER} == 'https://DomainB.com/testpage3.php'">
</ElseIf>

<Else>
AuthType Basic
AuthName "Our Walled Garden - Login Credentials Required"
AuthUserFile /path/to/.htpasswd
Require valid-user
</Else>

Can you help us trim this down so that we don't have to define the protocol or specific subdomain for the request? I've messed around with some regex, I can't get even simple regex matches to work in the IF block.

Answer 1

If you want to use regular expressions, you could use SetEnvIf instead together with an addition Require clause.

Maybe something like:

SetEnvIfNoCase Referer ^https://DomainB\.com/(testpage1|testpage2|testpage3)\.php$ noauth=1

AuthType Basic
AuthName "Our Walled Garden - Login Credentials Required"
AuthUserFile /path/to/.htpasswd
Require valid-user
Require env noauth

When there are multiple Require directives, they are automatically grouped as "Require Any" (See Require apache 2.4 docs ).

The Setenv directive matches against the referer, and if that matches the "noauth" env variable gets set. Then the require directives say either a valid-user or noauth env variable will satisfy the access.

Note that the referer can be easily forged, so this isn't exactly very secure.