Brieuc

Reputation: 4114

htaccess exclude multiple url from Basic Auth

Hi, I need to protect my app during the testing phase.

I read this post about excluding one URL from Basic Auth.

But I'd like to exclude 2 URLs:

/api/*

/oauth/v2/token

So the entire app will be protected except for those two URLs, which will be public. Otherwise I can't access my API routes.

My .htaccess for now is:

# Protect the app with password
AuthUserFile /home/master/public_html/web/.htpasswd
AuthName "Protected"
AuthType Basic
Require valid-user

So I'm guessing I need some sort of regex in:

SetEnvIf Request_URI ^/api/ noauth=1

How can I have something like an OR condition?

Upvotes: 3

Views: 6342

Answers (3)

Amit Verma

Reputation: 41249

Try:

SetEnvIf Request_URI ^/(api/|oauth/v2/token) noauth=1

You can exclude multiple URIs. Just separate them using the pipe symbol |.

Upvotes: 3

Didier Corbière

Reputation: 160

Apache 2.4 Auth/Access control has changed since 2.2. Here is the new syntax:

AuthType Basic
AuthUserFile /home/master/public_html/web/.htpasswd
AuthName "Protected"
SetEnvIf Request_URI ^/(api/|oauth/v2/token) noauth=1
<RequireAny>
  Require env noauth
  Require env REDIRECT_noauth
  Require valid-user
</RequireAny>

Upvotes: 6
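
An added example (not from any of the answers): a small Python check of which request paths the SetEnvIf pattern above exempts from Basic Auth, written with the question's lowercase /oauth/v2/token. It assumes Python's re behaves like Apache's regex engine for this simple pattern and models only the match, not URL decoding or normalization; TIGHT_PATTERN, the function names and the sample paths are constructed for illustration.

```python
import re

# Pattern used with "SetEnvIf Request_URI" above (lowercase v2, as in the question).
PAGE_PATTERN = r"^/(api/|oauth/v2/token)"
# Assumed tightening, not from the page: the token endpoint must end the path.
TIGHT_PATTERN = r"^/(api/|oauth/v2/token$)"

# Constructed sample paths, each with whether it is meant to be public.
SAMPLES = [
    ("/api/users", True),
    ("/api/", True),
    ("/oauth/v2/token", True),
    ("/", False),
    ("/admin", False),
    ("/apiary/", False),               # shares the "/api" prefix but not "/api/"
    ("/web/api/users", False),         # "api/" not at the start of the path
    ("/oauth/V2/token", False),        # SetEnvIf matching is case-sensitive
    ("/oauth/v2/token-admin", False),  # extends the token path
    ("/oauth/v2/tokens/list", False),  # extends the token path
]


def sets_noauth(pattern, path):
    """True if the pattern would set noauth=1 for this path.

    SetEnvIf matches anywhere in the value unless the regex is anchored,
    which corresponds to re.search rather than re.fullmatch.
    """
    return re.search(pattern, path) is not None


def audit(pattern, samples=SAMPLES):
    """Return (path, problem) pairs where the outcome differs from intent."""
    findings = []
    for path, meant_public in samples:
        exempt = sets_noauth(pattern, path)
        if exempt and not meant_public:
            findings.append((path, "skips auth unintentionally"))
        elif meant_public and not exempt:
            findings.append((path, "prompts for auth unintentionally"))
    return findings


if __name__ == "__main__":
    for name, pattern in (("page", PAGE_PATTERN), ("tight", TIGHT_PATTERN)):
        print(name, pattern, audit(pattern) or "matches intent")
```

The alternation has no end anchor, so anything that merely starts with /oauth/v2/token is exempted as well; whether that matters depends on which routes the application actually serves.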

Olaf Dietsche

Reputation: 74118

You can wrap Require inside another directive, like Directory or Location:

<Location /api/>
Require all granted
</Location>

<Location /oauth/v2/token>
Require all granted
</Location>

Not asked, but "Getting it working" says about .htpasswd:

This file should be placed somewhere not accessible from the web. This is so that folks cannot download the password file.

So you shouldn't put .htpasswd inside public_html.

Upvotes: 1
