I know that this question has been asked here: htaccess exclude multiple url from Basic Auth, but in the answer I didn't find the solution to my problem, so I am re-asking here.

I want to block access to the root of a project with htpasswd, except for the api URL (it's not an existing folder but an endpoint controlled by index.php).

So far here is what I use for the htaccess:

```
<Location />
AuthType Basic
AuthName "Auth Required"
AuthUserFile /home/user/.htpasswd
Require valid-user
SetEnvIf Request_URI "(api|oauth)$" allow
Order allow,deny
Allow from env=allow
Satisfy any
</Location>
```

=> the htpasswd works but it blocks /api/xxx too.

Can somebody help me correct that?

injetkilo

1 Answer

You can use it like this:

```
SetEnvIf Request_URI "/(api|oauth)(/.*)?$" allow

AuthType Basic
AuthName "Auth Required"
AuthUserFile /home/user/.htpasswd
Require valid-user
Satisfy any
Order      deny,allow
Deny from  all
Allow from env=allow
```

Also note that the <Location> directive is not allowed in .htaccess.

anubhava
  • Hi @anubhava, it still asks me for authentication when I go, for example, to /api/v3/docs => the Location directive is in the apache2 conf and not in an htaccess – injetkilo Jan 15 '18 at 14:54
  • I have tested this exact code in my root .htaccess and `/api/v3/docs` gets loaded without authentication. I suspect you have more rewrite rules somewhere that are rewriting `/api/v3/docs` type URIs to a front controller e.g. `index.php` – anubhava Jan 15 '18 at 16:53
  • Indeed => do you know a way to handle that? Thanks for your time – injetkilo Jan 17 '18 at 13:16
  • 1
    Try: `SetEnvIf Request_URI "/(index\.php|api|oauth)(/.*)?$" allow` – anubhava Jan 17 '18 at 14:14
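
Added example (not part of the original answer or comments): a Python check of which request paths each `SetEnvIf Request_URI` pattern from this page would exempt from Basic Auth, useful for reviewing the exemption before deploying it. It models `SetEnvIf` as an unanchored regex search; the sample paths, the start-anchored `anchored` variant and the function names are assumptions constructed for illustration.

```python
import re

# Patterns copied from the page, plus one labelled assumption.
PATTERNS = {
    "question": r"(api|oauth)$",
    "answer": r"/(api|oauth)(/.*)?$",
    "comment": r"/(index\.php|api|oauth)(/.*)?$",
    # Assumption (not from the page): same pattern anchored at the start.
    "anchored": r"^/(api|oauth)(/.*)?$",
}

# Constructed sample request paths; /admin and /private are hypothetical.
SAMPLE_URIS = [
    "/api",
    "/api/v3/docs",
    "/oauth/token",
    "/",
    "/admin",
    "/admin/api",
    "/private/oauth/x",
    "/index.php",
    "/index.php/admin",
    "/apiary",
]


def exempted(pattern, uris=SAMPLE_URIS):
    """Return the paths for which the `allow` variable would be set.

    Uses re.search because SetEnvIf matches the regex anywhere in the
    value unless the pattern itself is anchored.
    """
    rx = re.compile(pattern)
    return [u for u in uris if rx.search(u)]


def audit():
    """Map each pattern name to the sample paths it exempts from auth."""
    return {name: exempted(p) for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, hits in audit().items():
        print(f"{name:9} {PATTERNS[name]}")
        for uri in SAMPLE_URIS:
            state = "no auth" if uri in hits else "auth required"
            print(f"    {uri:20} {state}")
```

Any path listed for a pattern is served without a password, so the output should contain only the endpoints that are meant to be public.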