I am trying to exclude a path (URI) from being blocked by HTTP Basic auth. The /rest path (http://example.com/rest) is a CakePHP 3 application controller. It is not a real file, but a path rewritten by the rewrite conditions and processed by index.php in the webroot directory.
Here are the rewrite rules:
/var/www/.htaccess:

    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteRule ^$ webroot/ [L]
        RewriteRule (.*) webroot/$1 [L]
    </IfModule>

/var/www/webroot/.htaccess:

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^ index.php [L]
    </IfModule>

I run Apache 2.4 and have tried different settings:

    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/webroot
        <Directory /var/www>
            Options FollowSymLinks
            AllowOverride All
        </Directory>
        <Location "/">
            AuthType Basic
            AuthName "Keawe Development"
            AuthUserFile /host/.htpasswd
            Require valid-user
            Require expr %{REQUEST_URI} =~ m#/rest/.*#
            Require expr %{REQUEST_URI} =~ m#/index.php/rest/.*#
        </Location>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

... adapted from https://stackoverflow.com/a/2129608/

    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/webroot
        <Directory /var/www>
            Options FollowSymLinks
            AllowOverride All
        </Directory>
        <Location "/">
            AuthType Basic
            AuthName "Keawe Development"
            AuthUserFile /host/.htpasswd
            Require valid-user
        </Location>
        <Location "/rest">
            Allow from all
            Satisfy any
        </Location>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

... from https://serverfault.com/a/475845/229877

    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/webroot
        <Directory /var/www>
            Options FollowSymLinks
            AllowOverride All
        </Directory>
        <Location "/">
            AuthType Basic
            AuthName "Keawe Development"
            AuthUserFile /host/.htpasswd
            Require valid-user
        </Location>
        <Location "/rest">
            Require all granted
        </Location>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

... from https://www.apachelounge.com/viewtopic.php?p=30200

    ...
    <Location "/">
        SetEnvIf Request_URI ^/rest noauth=1
        SetEnvIf Request_URI /rest noauth=1
        SetEnvIf Request_URI ^/index.php/rest noauth=1
        SetEnvIf Request_URI /index.php/rest noauth=1
        AuthType Basic
        AuthName "Keawe Development"
        AuthUserFile /host/.htpasswd
        Order Deny,Allow
        Satisfy any
        Deny from all
        Require valid-user
        Allow from env=noauth
    </Location>

... from https://stackoverflow.com

    <Location "/">
        AuthType Basic
        AuthName "Keawe Development"
        AuthUserFile /host/.htpasswd
        Require valid-user
    </Location>
    <Location ~ "/(rest|index.php/rest)">
        Satisfy Any
        Allow from all
        AuthType None
        Require all granted
    </Location>

... from https://stackoverflow.com

    <Location "/">
        AuthType Basic
        AuthName "Keawe Development"
        AuthUserFile /host/.htpasswd
        Require valid-user
    </Location>
    <Files "index.php/rest">
        Satisfy Any
        Allow from all
    </Files>
    <Files "rest">
        Satisfy Any
        Allow from all
    </Files>

... from HTTP Basic Auth Exclude Single File
However, none of them seem to work. I always get a 401 error using wget, or an auth request from the browser.
The problem is that the path /rest passes the condition, but then it is rewritten to index.php, which is under the control of the main auth (and should be).
Any clues?