htaccess exclude one url from Basic Auth

Question

I need to exclude one Url (or even better one prefix) from normal htaccess Basic Auth protection. Something like /callbacks/myBank or /callbacks/.*

Answer 1

This solution works pretty well, you just need to define whitelist you want to pass through.

SetEnvIfNoCase Request_URI "^/status\.php" noauth

AuthType Basic
AuthName "Identify yourself"
AuthUserFile /path/to/.htpasswd
Require valid-user

Order Deny,Allow
Deny from all
Allow from env=noauth

Satisfy any

Answer 2

<location />
        SetEnvIf Request_URI "/callback/.*" REDIRECT_noauth=1

        AuthType Basic
        AuthName "Restricted Files"
        AuthUserFile /etc/httpd/passwords/passwords
        Order Deny,Allow
        Satisfy any
        Deny from all
        Allow from env=REDIRECT_noauth
        Require user yournickname
</location>

Answer 3

If you are using Apache 2.4, SetEnvIf and mod_rewrite workarounds are no longer necessary since the Require directive is able to interpret expressions directly:

AuthType Basic
AuthName "Please login."
AuthUserFile "/xxx/.htpasswd"

Require expr %{REQUEST_URI} =~ m#^/callbacks/.*#
Require valid-user

Apache 2.4 treats Require directives that are not grouped by <RequireAll> as if they were in a <RequireAny>, which behaves as an "or" statement. Here's a more complicated example that demonstrates matching both the request URI and the query string together, and falling back on requiring a valid user:

AuthType Basic
AuthName "Please login."
AuthUserFile "/xxx/.htpasswd"

<RequireAny>
    <RequireAll>
        # I'm using the alternate matching form here so I don't have
        # to escape the /'s in the URL.
        Require expr %{REQUEST_URI} =~ m#^/callbacks/.*#

        # You can also match on the query string, which is more
        # convenient than SetEnvIf.
        #Require expr %{QUERY_STRING} = 'secret_var=42'
    </RequireAll>

    Require valid-user
</RequireAny>

This example would allow access to /callbacks/foo?secret_var=42 but require a username and password for /callbacks/foo.

Remember that unless you use <RequireAll>, Apache will attempt to match each Require in order so think about which conditions you want to allow first.

The reference for the Require directive is here: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require

And the expression reference is here: https://httpd.apache.org/docs/2.4/expr.html

Answer 4

Add below code to your root htaccess file and don't forget to change your admin url, .htpasswd file page.

<Files "admin.php">
        AuthName "Cron auth"
        AuthUserFile E:\wamp\www\mg\.htpasswd
        AuthType basic
        Require valid-user
    </Files>

Create .htpasswd file in your root folder and add below username and password (set default username:admin and password: admin123)

admin:$apr1$8.nTvE4f$UirPOK.PQqqfghwANLY47.

Please let me know if you still facing any issue.

Answer 5

why don't you just use basic auth the way it was intended?

user:password@domain.com/callbacks/etc

Answer 6

I tried the other solutions but this is what worked for me. Hopefully it will be of help to others.

# Auth stuff
AuthName "Authorized personnel only."
AuthType Basic
AuthUserFile /path/to/your/htpasswd/file

SetEnvIf Request_URI "^/index.php/api/*" allow
Order allow,deny
Require valid-user
Allow from env=allow
Deny from env=!allow
Satisfy any

This will allow the api url and any url string after /index.php/api/ to open without having to login and anything else will be prompted to login.

Example:

mywebsite.com/index.php/api will open without being prompted to login mywebsite.com/index.php/api/soap/?wsdl=1 will open without being prompted to login mywebsite.com will be prompted to login first