The issue

I have a site that's a few weeks away from launch, so I've put a htaccess Require directive on it, to keep nosy people out until launch.
But now I need to open up (i.e. not require a password) for 2 specific URLs, because a payment-processing service needs access to them. And for some reason I just can't get it to work!

The setup

The site makes use of mod_rewrite to send non-file requests to be parsed by the web framework I'm using - it's basically the same as Rails except done with PHP. So right now, I have the current rules:

# Require password for dynamically-served stuff (i.e. requests processed by dispatch.php)
<Files "dispatch.php">
  AuthUserFile ...
  AuthType Basic
  AuthName "Site under construction"
  Require valid-user
</Files>

# Serve real files normally, everything else goes to dispatch.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ dispatch.php [QSA,L]

That works quite well; only the dynamically-served pages are password protected, while real files like stylesheets and images are accessible (this is done to allow email clients to get images and such for HTML emails without running into the password protection).
Note: There is actually another htaccess file in the webserver's root directory, which rewrites EVERYTHING to a directory called "public" where the rules above are defined. This is because I have to have everything in the root dir, but in fact only things in "public" are supposed to be accessible (the other dirs belong to the framework - again: think Rails). So a request hits the root-level htaccess, gets rewritten to the public dir, and then the config above is evaluated. This could be the cause of some of the problems, but I honestly don't know.

What I'd like it to do

1) Retain the current functionality (i.e. static files are accessible, dynamic ones are not)
2) Add an exception for 2 very specific (dynamically-served) URLs OR skip password protection if the request comes from the payment processing server

So I basically need some way to either limit the scope of the password-protection to exclude 2 URLs

What I've tried

The first thing I tried was the Location and LocationMatch directives, but no matter how I try I always get an Apache misconfiguration error. Doesn't matter how I use the directives; if they're in the htaccess file, the server gives me a misconfiguration error. Even just something harmless like:

<Location />
</Location>

Made the server face-plant.

I also tried giving the payment-processing service URLs that contained the username and password (i.e. http://user:[email protected]/payment) but that didn't work either.

So I don't really know what to do. I have a feeling the answer is really really simple, but I can't figure it out.

Hope someone out there can help
Thanks in advance
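
Added example, not part of the original post: one way to express the exception described above, assuming Apache 2.4 (the post does not state the version). `<Location>` is not allowed in .htaccess context, so this keeps the `<Files>` block and matches the original request line instead. The two paths, the IP address and the password-file path are placeholders.

```apache
# Added example. Assumes Apache 2.4 (mod_authz_core) and AllowOverride AuthConfig.
# Placeholders: /path/to/.htpasswd, 203.0.113.10, /payment/notify, /payment/return.
<Files "dispatch.php">
  AuthType Basic
  AuthName "Site under construction"
  AuthUserFile /path/to/.htpasswd

  <RequireAny>
    # Default: everyone else still needs the password.
    Require valid-user

    # Exception: only the processor's address AND only the two callback URLs.
    <RequireAll>
      Require ip 203.0.113.10
      # THE_REQUEST is the request line as the client sent it, so it is
      # unaffected by the rewrites to public/ and to dispatch.php.
      # Anything that does not match exactly falls back to valid-user.
      Require expr "%{THE_REQUEST} =~ m#^(GET|POST) /payment/(notify|return)[? ]#"
    </RequireAll>
  </RequireAny>
</Files>

# Unchanged from the post: serve real files normally, everything else goes to dispatch.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ dispatch.php [QSA,L]
```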