tags:

views:

925

answers:

2
Q: 

Apache/.htaccess - password-protecting a domain but whitelisting certain URIs within it

So here's what I'd like to do:

access to http://example.com/* would require the user to enter a username/password, except when they go to a certain URIs (e.g. http://example.com/contact/ , http://example.com/blog/, etc.) they shouldn't have to authenticate. http://example.com (the root) should be open, too.

I know I've got to set up some special .htaccess directives, but I don't know exactly how to go about doing it. Does anyone know how I could accomplish this?

Any help would be much appreciated. Thanks!

A:  
RewriteRule ^(contact|blog|)(|/.*)$ - [NC,L]
RewriteRule ^example_entry_point_with_authentication.php$ - [L]
RewriteRule .* /example_entry_point_with_authentication.php [L,QSA]

For things starting with contact, blog or nothing (case insensitive), no rewrite

For authentication page, also don't rewrite (otherwise infinite loop -> server error)

For everything else, use the authentication page. Continue w/ business logic from there, depending on auth result.

Piskvor  2008-11-03 17:42:59
+3  A: 

For the subdirectory, simply turn off basic authentication. It seems there is no direct way to do so (e.g. through a "require none" directive), but you can say that you accept host-based access control, and that any host can access. The following works for me:

    <Location /foo>
            AuthType Basic
            AuthName Foo
            AuthUserFile /tmp/passwd
            require valid-user
    </Location>
    <Location /foo/bar>
            Allow from all
            Satisfy any
    </Location>
Martin v. Löwis  2008-11-03 18:27:13
Thanks for the response! This looks like it should work, but I'm still having problems.I'm getting a 500 Server error. I only changed the AuthUserFile path.I even created a simple second site to test this out, using static files, and it was still 500ing.Any idea what may be causing this?
gabriel  2008-11-03 23:56:13
If this is the first time you have enabled basic auth, you probably need to load additional Apache modules. In recent Apache versions, there is a separate module for file-based user and group authentication, which you need to load separately.
Martin v. Löwis  2008-11-04 12:18:19

related questions

How do I add a MIME type to .htaccess?
Difference between the Apache HTTP Server and Apache Tomcat?
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Cleanest & Fastest server setup for Django
Installing Apache Web Server on 64 Bit Mac
Running Apache alongside another web server?
Algorithm behind MD5Crypt
Can you compile Apache HTTP Server and redeploy its binaries to a different location ?
mod_rewrite rule to redirect all requests except for one specific path
How do I create a self signed SSL certificate to use while testing a web app.
Software for Webserver Log Analysis?
What is the difference between an endpoint, a service, and a port when working with webservices?
What are the proper permissions for an upload folder with PHP/Apache?
mod_rewrite to alias one file suffix type to another
How do you redirect HTTPS to HTTP?
Using mod_rewrite to Mimic SSL Virtual Hosts?
User authentication on Resin webserver
How do you set up Python scripts to work in Apache 2.0?
Block user access to internals of a site using HTTP_REFERER
.htaccess directives to *not* redirect certain URLs
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP