Apache2: Exclude all the rest api Request_URIs from Basic Auth by matching with some expressions

I have setup Basic Auth for an Opencart project for browser authentication to allow access to relevant users only. Now, I need to use REST API for a mobile app. When I call an endpoint from the API to get some details from Opnecart Project it requires an access_token to be generated from API and by using that access_token with every request, I can get details from the API. The problem is Basic Auth that I have setup for project and because of that I cannot access API as I can only use 1 method to access the API that is GET method to get the details from opencart, I cannot use 2 methods i.e. Auth Header and GET methods. So, what I am trying to do is to disable Basic Auth if the Request_URI includes api calls.

What I have tried so far with the vhost of the project is following, but all this did not work.

Got the idea from the following question's accepted answer but it didn't workout for me.

<Directory /var/www/html/projectexample> AllowOverride All # Auth stuff AuthName "Authentication Required" AuthType Basic AuthUserFile /etc/apache2/.htpasswd Order allow,deny Deny from all Satisfy any <RequireAny> <RequireAll> Require expr %{REQUEST_URI} =~ m#^/api/rest/.*# </RequireAll> Require valid-user </RequireAny>
</Directory>

I have also tried to use SetEnvIf environment variable like following but it didn't workout either.

<Directory /var/www/html/projectexample> AllowOverride All # Auth stuff AuthName "Authentication Required" AuthType Basic AuthUserFile /etc/apache2/.htpasswd SetEnvIf Request_URI "^/api/*" allow=1 #SetEnvIf Request_URI "^/(api/*)" allow=1 Order allow,deny Require valid-user Allow from env=allow Deny from env!=allow Satisfy any
</Directory>

Any Solutions Please?

2 Answers

The Solution which worked out for me because I have SEO URLs enabled in my project:

<Directory /var/www/html/projectexample> AllowOverride All
</Directory>
<Location "/"> # Default to Basic Auth protection for any stie AuthType Basic AuthName "Authentication required" AuthUserFile /etc/apache2/.htpasswd Require valid-user # If the request goes to a rest page: bypass basic auth SetEnvIf Request_URI ^/api/ noauth=1 # gets REDIRECT_ prepended if the request is a redirect Allow from env=REDIRECT_noauth Allow from env=noauth Order allow,deny Satisfy any Deny from env!=noauth
</Location>

Allow from env=REDIRECT_noauth is doing the trick here for SEO URLs.

2

Assuming /var/www/html/projectexample is your document root and /var/www/html/projectexample/api is the API directory you want to allow unrestricted access, then you can just create two <Directory> containers. For example:

<Directory /var/www/html/projectexample> AuthName "Authentication Required" AuthType Basic AuthUserFile /etc/apache2/.htpasswd Require valid-user
</Directory>
<Directory /var/www/html/projectexample/api> Require all granted
</Directory>

The more specific /api <Directory> container overrides the former.

Assuming you are on Apache 2.4+, you should never mix old Apache 2.2 auth directives (Order allow,deny etc.) and the new <RequireAny> etc. directives. The old directives are only available for backwards compatibility only. Mixing the two types of directives can result in unexpected conflicts.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like