2
votes

Below is my VHost (which is slightly modified to obscure some URLS):

  1 NameVirtualHost 192.168.1.49:80
  2
  3 <VirtualHost 192.168.1.49:80>
  4   ServerName internal-name.local
  5   ServerAlias *.internal-name.local external-domain.co.uk *.external-domain.co.uk
  6
  7   <Directory "/var/www/html">
  8     AllowOverride All
  9
 10     Order deny,allow
 11     Deny from all
 12
 13     AuthName "Restricted Development Server"
 14     AuthUserFile /var/www/html/.htpasswd
 15     AuthType Basic
 16     Require valid-user
 17
 18     Allow From 192.168.1.
 19
 20     Satisfy Any
 21   </Directory>
 22
 23   <Location /open-path >
 24     Order Allow,Deny
 25     Allow From All
 26     Deny From None
 27   </Location>
 28
 29   LogLevel debug
 30   VirtualDocumentRoot /var/www/html/%1/
 31 </VirtualHost>

Everything is working fine - every sub-domain gets its own folder within /var/www/html. Any requests from 192.168.1.x (via an internal domain map) can view the site without password prompts. Any requests from external IP's (via external-domain.co.uk) will be prompted for a password.

The problem I am having is getting that last "location" rule to work.

Nothing I do (be it .htaccess or vhost level) using or will disable the password protection for the "/open-path" URL.

In actual fact - each site on this server is running Drupal which uses a URL Rewrite in the .htaccess which maps all non-files onto "?q="... So: http://domain/foo/bar maps to: http://domain/index.php?q=foo/bar

I dont think that should effect this though, should it?

The reason I point it out is that "/open-path/callback" is required to be open for a 3rd party API to "ping" the site. I need to test this callback is working before pushing to live, however I don't want to unveil the entire site from password protection.

I've tried setting the Location to "/index.php?q=open-path", that's not worked either.

Any suggestion would be GREATLY appreciated!

1

1 Answers

3
votes

This is from the Apache docs: http://httpd.apache.org/docs/2.2/mod/core.html#require

<Directory /path/to/protected/unprotected>
# All access controls and authentication are disabled
# in this directory
Satisfy Any
Allow from all
</Directory>

This works with Location as well.