8

I have a site in production that I want to modify (translate from French to English). The modified part will be placed in the domain.com/en URL location and I want to protect only this part with a basic HTTP auth during the modifications.

I would like to have the same behavior as if I had a en directory on my web root folder, and a .htaccess file on this directory to implement basic auth. Unfortunately, I can't do this because The site runs on Wordpress and uses Rewrite Rules, so I cannot create a en directory without bypassing Wordpress.

What directives should I put in the .htaccess in the root directory to enable basic auth only for the /en location ? I tried using the <Location /en></Location> block, but it produces a 500 error so I suppose this block is only supported in apache configuration files.

Fabien Quatravaux
  • 273
  • 1
  • 2
  • 7
  • Can't you just include a Directory section for this directory and then set the Auth or use Require directive? –  Aug 19 '13 at 14:52
  • I tried to put a `` section in my .htaccess, but I get a 500 error. I seams that `` sections are only allowed in main apache configuration files, not in .htaccess. – Fabien Quatravaux Aug 19 '13 at 15:18

3 Answers3

9

@Gregg_Leventhal gave me the solution by using environment variables. But the logic I use is the exact inverse of the one used in his answer. For completeness, here is the code to ask authentication only for URL /en : 

#set an environtment variable "auth" if the request starts with "/en"
SetEnvIf Request_URI ^/en auth=1

AuthName "Please login to access english part"
AuthType Basic
AuthUserFile "/path/to/my/.htpasswd"

# first, allow everybody
Order Allow,Deny
Satisfy any
Allow from all
Require valid-user
# then, deny only if required
Deny from env=auth
Fabien Quatravaux
  • 273
  • 1
  • 2
  • 7
4

I see... The code below will disable auth on only the callbacks directory, perhaps you can modify this logic so that it only enables authentication on the desired directory, or disable auth on all dirs whose name doesn't match the one you wish to protect.

# set an environment variable "noauth" if the request starts with "/callbacks/"
SetEnvIf Request_URI ^/callbacks/ noauth=1

# the auth block
AuthName "Please login."
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /xxx/.htpasswd

#Here is where we allow/deny
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=noauth
Pierre-Luc Paour
  • 103
  • 4
  • OK, this is to enable Auth for the root. But how to enable auth only for `/en` URL ? – Fabien Quatravaux Aug 19 '13 at 15:18
  • I tried to modify my answer to be more useful but I don't have much luck with the formatting on this site. –  Aug 19 '13 at 17:24
  • I made some formatting edits, but they need to be peer reviewed before they appear. – KM. Aug 19 '13 at 17:27
  • To use an environment variable is the right solution ! The logic is the exact inverse of what you wrote, but I managed to inverse it. Thanks. – Fabien Quatravaux Aug 20 '13 at 15:07
  • This is copied from : https://stackoverflow.com/questions/8978080/htaccess-exclude-one-url-from-basic-auth – Tristan Aug 02 '19 at 13:28
3

The answers above are suitable for Apache versions prior to 2.4. Here's an update for Apache 2.4 and above, when some of the directives were changed. In this configuration file excerpt, HTTP basic authentication applies to the URI '/members' only. 'joe' refers to a user specified in the file '/home/website/.htpasswd'.

<Directory "/home/website/www">
    AuthType Basic
    AuthName "Members' restricted area"
    AuthBasicProvider file
    AuthUserFile "/home/website/.htpasswd"

    <RequireAny>
        Require expr %{REQUEST_URI} !~ m#^\/members#
        Require user joe
    </RequireAny>
</Directory>
tcdaly
  • 95
  • 2
  • 9