Apache Authentication: how to add an exception to a subfolder/url


This is for cases in which we have an http_auth’ed area on our site like “http://foo.bar/site/”, and want a sub-path such as “http://foo.bar/site/public” that does NOT require http_auth and can deliver content freely.

Note: This also works for Django, using <Location> in httpd.conf. (Thanks Jorge for the pointer)

There are a couple of ways:

  • directly in httpd.conf
  • in an .htaccess file

To learn how to set up authentication, see “Authentication, Authorization and Access Control” on the Apache 2.0 documentation site.

Assuming we have our “/site” (http://foo.bar/site/) using http_auth with configuration similar to:

AuthType Basic
AuthName "SUPER SECRET ZONE"
AuthUserFile /path/to/httppasswdfile
Require valid-user

As you might (or might not) know, this can be used in a <Location>, <Directory> or any other configuration section.

And now, for the good stuff you came to read this post for: Satisfy.

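What does it do? By itself, nothing. It specifies whether ANY or ALL of the access conditions (host-based Allow/Deny rules and Require user authentication) must be met, and the default is ALL. So if we create a sub-folder “/site/public” (http://foo.bar/site/public) with only an “Allow from all”, Apache will still ask for authentication, because the Require inherited from “/site” also has to be satisfied (ALL conditions).

For example, this .htaccess file in the sub-folder “public” still prompts for authentication: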

Order Deny,Allow
Allow from all

Solution: Add Satisfy Any to it.

Fixed:

Satisfy Any
Order Deny,Allow
Allow from all

Of course, “Satisfy” clauses can be added wherever a condition can be added, so we can also specify this for a <Location> for a “child” url for example.
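The same exception written for httpd.conf with <Location>, as an added example that is not part of the original post. It reuses the post's placeholder paths; the mod_authz_core branch (Apache 2.4's "Require all granted") is an addition that goes beyond the post, which only covers the 2.2-style directives.

```apache
# Added example; /site, /site/public and the password file path are the
# post's own placeholders.

# Protected parent: everything under /site needs a valid login.
<Location "/site">
    AuthType Basic
    AuthName "SUPER SECRET ZONE"
    AuthUserFile /path/to/httppasswdfile
    Require valid-user
</Location>

# Public child. Keep this block AFTER the /site block: <Location> sections
# are merged in the order they appear, so the later one takes effect.
<Location "/site/public">
    # Apache 2.2 style, as in the post (on 2.4 these directives only
    # exist when mod_access_compat is loaded).
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Allow from all
        # Host rule OR login is enough; "Allow from all" always passes.
        Satisfy Any
    </IfModule>

    # Apache 2.4 style: authorization in the child section replaces the
    # inherited "Require valid-user" (AuthMerging defaults to Off).
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Location>

# When using .htaccess instead, the enclosing <Directory> must permit the
# directives: "AllowOverride AuthConfig Limit" covers Satisfy and
# Order/Allow.
```

After reloading, an unauthenticated request to /site/ should still return 401 while /site/public returns content. The exception covers everything below /site/public, so keep only content meant to be public under that path.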

Published:
2011-09-01 00:00:00
