How to make Basic Auth exclude a rewritten URL

3

14

I have a Basic Authentication setup on a development server. It is set up inside my httpd.conf file for the VirtualHost of the website. I've had to set it up to exclude certain directories, which has caused no problems and all works fine.

The issue has been with excluding a URL that has been through my mod_rewrite rules in the .htaccess file. My setup is that I have all URLs going through my index.php file and from there the relevant code is found and run. I tried adding the URL that I wanted to exclude (/businesses/upload_logo) like I did the others but it still requires authentication. This is what I currently have:

...
<Location />
    SetEnvIf Request_URI "/businesses/upload_logo" noauth=1
    SetEnvIf Request_URI "/api/.*" noauth=1

    AuthType Basic
    AuthName "Private"
    AuthUserFile ****
    Require valid-user

    Order deny,allow
    Satisfy any
    Deny from all
    Allow from env=noauth
</Location>
....

I have found questions that are similar to mine here & here but the answers only give me what I'm already trying.

I have thought of possible other solutions as well, but these will be last resort things. I want to see if it's possible the way I'm currently doing it:

  • Set up the basic auth inside my php code instead
    • Too much hassle at the moment
  • Put the authentication in my .htaccess file instead
    • Didn't want to do this just yet as I only want the authentication to happen on one of 3 servers. I'm aware that I could use some more SetEnvIf HOST ... but I'm looking to see if it can be fixed this way or not first.

The mod_rewrite rule:

...

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php [L,QSA]
Handfasting answered 19/12, 2012 at 10:25 Comment(7)
Interesting. At first I thought it'd be doable by setting noauth in the RewriteRule: RewriteRule ^upload_logo$ index.php [E=noauth:1], but that's a dead end, because of the visibility of env vars. The whole thing seems to arise because of the evaluation order of auth and mod_rewrite directives. It'd be nice if someone shed some light on this. – Branny
@SáT Yeah, I came to the same conclusion as you about the fact that it's the order of the auth and mod_rewrite rules being evaluated. – Handfasting
Would you mind if I put a bounty on this? – Branny
No I don't mind. Would appreciate it. – Handfasting
Could you also post the htaccess? – Corrientes
Just to be sure; the exclusion of some urls worked, until you added the htaccess? – Corrientes
@Corrientes The exclusion of files/directories that exist works fine. It appears to be only on URLs that are rewritten through mod_rewrite. I will update my question to include the RewriteRule that's causing the issues a bit later when I'm near my computer. – Handfasting
21

Try adding

Allow from env=REDIRECT_noauth
Corrientes answered 23/12, 2012 at 11:6 Comment(6)
Oh boy, how could I have forgotten that! Yes, the names of environmental variables set by RewriteRules are prefixed with REDIRECT_ (which is a nuisance). @Josh, you could set the env var in the .htaccess: RewriteRule ^upload_logo$ index.php [E=noauth:1,L,QSA], then allow from REDIRECT_noauth. Alternatively, and this may be a better approach, you could do something like RewriteRule ^(.*)$ index.php [E=orig:%{REQUEST_URI}], then in the httpd.conf: SetEnvIf REDIRECT_orig "/?businesses/upload_logo" noauth=1. – Branny
I tried using both of your suggestions but I am unable to get it to work. I tried simplifying your idea @SáT by having [E:orig:foo] in my .htaccess rule and then using SetEnvIf REDIRECT_orig "foo" noauth=1 (this should mean that all requests don't require a password) and I couldn't get it to work. – Handfasting
So what would be the full config? – Claraclarabella
@Claraclarabella just take the code from the question, but replace the second last line. – Corrientes
I love you, Gerben. Saved my day. – Cuthbertson
> but replace the second last line - don't replace, but add – Trachyte
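
The question's block combined with the fix from this answer and the "add, don't replace" comment, as an added example that is not taken from any of the posts. It keeps the Order/Satisfy syntax used in the question; the anchored patterns (which assume the endpoint is requested at exactly that path) and the AuthUserFile path are assumptions.

```apache
<Location />
    # Anchored patterns (assumption): only these paths are exempt. The
    # unanchored "/businesses/upload_logo" also matches any longer URI that
    # merely contains that string, which widens the unauthenticated surface.
    SetEnvIf Request_URI "^/businesses/upload_logo$" noauth=1
    SetEnvIf Request_URI "^/api/" noauth=1

    AuthType Basic
    AuthName "Private"
    # Placeholder path; keep the password file outside the document root.
    AuthUserFile /path/outside/docroot/.htpasswd
    Require valid-user

    Order deny,allow
    Satisfy any
    Deny from all
    # Matches the request as it first arrives, before any rewrite.
    Allow from env=noauth
    # Matches after the .htaccess RewriteRule hands the request to index.php:
    # variables set on the original request reappear with a REDIRECT_ prefix.
    Allow from env=REDIRECT_noauth
</Location>
```

Because `Satisfy any` lets either the environment match or a valid login through, every pattern that sets `noauth` is an unauthenticated entry point and should be kept as narrow as the application allows.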
2

For me something like this works like a charm:

<location />
        SetEnvIf Request_URI "/businesses/upload_logo" REDIRECT_noauth=1
        AuthType Basic
        AuthName "Restricted Files"
        AuthUserFile /etc/httpd/passwords/passwords
        Order Deny,Allow
        Satisfy any
        Deny from all
        Allow from env=REDIRECT_noauth
        Require user yournickname
</location>
Claraclarabella answered 21/6, 2013 at 15:10 Comment(0)
-1

Based on what you have given it should work, unless there is a conflicting directive somewhere else in your configuration.

I have made a similar working setup, just I have used a filesystem path instead of a URI.

I am adding it here, hoping you may find it useful.

<VirtualHost *:8989 >
<IfModule mod_auth_basic.c>
 <Directory /var/www/html/vella-8989>
  # the auth block
  AuthType Basic
  AuthName "Please login."
  AuthUserFile /var/www/html/vella-8989/.htpasswd
  require valid-user

  Order Deny,Allow
  Satisfy any
  Deny from all
  Require valid-user
  Allow from env=noauth
</Directory>
</IfModule>
  # set an environment variable "noauth" if the request has "/callbacks/"
  SetEnvIf Request_URI "/callbacks/" noauth=1
  ServerName vella.com
  ServerSignature off
</VirtualHost>
Anthropolatry answered 21/12, 2012 at 19:0 Comment(2)
This is so bad - you have htpasswd file inside your /var/www/html directory. – Claraclarabella
@Claraclarabella why is it so bad? – Turbellarian
