How to make an exception for API requests when password-protecting a site?

H

hancack2021-08-10 20:19:25

Apache HTTP Server

hancack, 2021-08-10 20:19:25

Hello! I am faced with the following situation: I have a site that has been password-protected using htpasswd and htaccess in order to hide the project from prying eyes while it is under development. However, in addition to the main site, there are servers that interact with the API of the main site, and you need to make sure that everything except this very API , which is located on project.com/api, is password protected. At the moment, I have implemented the protection of the entire site, but I need to do something like an exception for requests to pages / api. At the moment I have the site closed using the following code in htaccess:

AuthName "Please enter your credentials. Website is available only to authorized users."
AuthType Basic
AuthUserFile /var/www/html/master/.htpasswd
Require valid-user

I tried to make an api directory in the root of the site and make my own htaccess file there, but in this case, when trying to use the api, just an empty directory opens, which is generally logical.

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

D

dodo512, 2021-08-10
@hancack

If Apache >= 2.4.

AuthName "Please enter your credentials. Website is available only to authorized users."
AuthType Basic
AuthUserFile /var/www/html/master/.htpasswd

<RequireAny>
    Require valid-user
    Require expr %{THE_REQUEST}=~m#^\S+\s/api#
</RequireAny>

If Apache < 2.4.

AuthName "Please enter your credentials. Website is available only to authorized users."
AuthType Basic
AuthUserFile /var/www/html/master/.htpasswd
Require valid-user

Satisfy Any
SetEnvIf Request_URI ^/api  api_allow=1
Order Allow,Deny
Allow from env=api_allow
Allow from env=redirect_api_allow