Apache2 Location directive and mod_rewrite

Question

I have a website that is protected with basic authentication, except for one file, one folder, and one rewritten URL location.

It looks like this:


<Directory /var/www/mydomain.com>
  AuthType Basic
  AuthName "Authentication Required"
  AuthUserFile "/etc/htpasswd.mydomain"
  Require valid-user
  Options Indexes  FollowSymLinks
  AllowOverride All
</Directory>

<Location /manifest.webmanifest>
  Satisfy Any
  Allow from all
</Location>

<Location /icons/>
  Satisfy Any
  Allow from all
</Location>

<Location /receive>
  Satisfy Any
  Allow from all
</Location>

manifest.webmanifest and files in the /icons/ folder bypass the auth, but /receive doesn't. The obvious difference is that receive isn't an actual file - it gets rewritten to /index.php for rendering.

How can I make it bypass the auth for /receive?

EDIT: The rewrite happens in a .htaccess file:

RewriteEngine On

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME}.php !-f
RewriteRule ^(.*)$ index.php?AppRouting=$1 [QSA]

That doesn't help me - if I allow index.php then every page is allowed, since all pages redirect there. I want to only allow the URL location /receive — Ben Holness, Aug 18 '20 at 23:03
(but I tried putting in /index.php and it still didn't let me through anyway!) — Ben Holness, Aug 18 '20 at 23:07
I would start declaring everything correctly, the locations are real path so use directory instead, for the specific file I would use Files or FilesMatch, and I would also remove all deprecated directives (Satisfy, Allow, Deny), by default 2.4 behaves in requireany or `Satisfy Any`, is redundant, and at last I would probably specify Require all granted or even "AuthType none". — Daniel Ferradal, Aug 20 '20 at 09:54
I'm not sure what is being declared incorrectly right now. Are you saying that it's not possible to match on a pre-rewrite URL path? — Ben Holness, Aug 21 '20 at 06:14

Apache2 Location directive and mod_rewrite

0 Answers0