8

I try to exclude a sub-url "/shop/api" from my protected website. It worked fine on different server on Apache/2.2.15 but now not with Apache/2.4.7? It always asks for the basic authentication. Any Idea what I did wrong?

AuthType Basic
AuthName 'Authentication required'
AuthUserFile /var/www/vhosts/pwd/.htpasswd

# Allow access to excluded diretories
SetEnvIf Request_URI ^/shop/api/  noauth=1
Order deny,allow
Satisfy any
Deny from all
Require valid-user
Allow from env=noauth
megloff
  • 373
  • 3
  • 10
  • I am not clear on what you want to happen. Is your goal to have all directories protected by basic auth, with the exception of `/shop/api` which should allow anybody in without authentication? – Jenny D Sep 26 '15 at 16:40
  • yes exactly on `/shop/api` is running a php app which uses their own custom authentication – megloff Sep 26 '15 at 16:43
  • 1
    The Auth/Access control stuff has been changed considerably in 2.4 you'll need to re-engineer your configuration. – user9517 Sep 26 '15 at 17:12

1 Answers1

11

as "lain" pointed out the apache 2.4 Auth/Access control stuff has changed since 2.2. So I needed to modify it as follows:

AuthType Basic
AuthName 'Authentication required'
AuthUserFile /var/www/vhosts/pwd/.htpasswd
# Allow access to excluded directories
SetEnvIf Request_URI /shop/api  noauth=1
<RequireAny>
  Require env noauth
  Require env REDIRECT_noauth
  Require valid-user
</RequireAny>

In addition I had to add Require env REDIRECT_noauth because PHP is using some redirect and this keeps the env variable noauth set

megloff
  • 373
  • 3
  • 10
  • 1
    Magic! After 3 days of trying to config this, `Require env REDIRECT_noauth` did the trick. Thanks! – Volvox May 24 '18 at 09:22
  • 3
    After trying a million solutions on the internet, this one worked. Thank you. – Tom Nov 19 '19 at 13:33