Exclusion of a protected sub-url does not work on Apache 2.4?
I try to exclude a sub-url "/shop/api" from my protected website. It worked fine on different server on Apache/2.2.15 but now not with Apache/2.4.7? It always asks for the basic authentication. Any Idea what I did wrong?
AuthType Basic
AuthName 'Authentication required'
AuthUserFile /var/www/vhosts/pwd/.htpasswd
# Allow access to excluded diretories
SetEnvIf Request_URI ^/shop/api/ noauth=1
Order deny,allow
Satisfy any
Deny from all
Require valid-user
Allow from env=noauth
Solution 1:
as "lain" pointed out the apache 2.4 Auth/Access control stuff has changed since 2.2. So I needed to modify it as follows:
AuthType Basic
AuthName 'Authentication required'
AuthUserFile /var/www/vhosts/pwd/.htpasswd
# Allow access to excluded directories
SetEnvIf Request_URI /shop/api noauth=1
<RequireAny>
Require env noauth
Require env REDIRECT_noauth
Require valid-user
</RequireAny>
In addition I had to add Require env REDIRECT_noauth
because PHP is using some redirect and this keeps the env variable noauth
set