Exclude overwrite protection from directory
We have a setting for Magento. For dev purposes, we closed it with .htaccess protection. But I want to expose the API, so I don't need to whitelist third party services.
The construct below works for files that exist (api.php), but not for URLs that are rewritten (api, api/?wsdl).
This .htaccess is one directory above public_html. Based on perishablepress:
AuthType Basic
AuthName "Toegang nodig? neem gerust contact op: 038-8200270 !"
AuthUserFile /home/kijken/domains/.htpasswd
AuthGroupFile /dev/null
Require valid-user
# allow public access to the following resources
SetEnvIf Request_URI "^/api.php" allow
# api is not a real folder
SetEnvIf Request_URI "^/api/" allow
SetEnvIf Request_URI "^/api/?wsdl" allow
Order allow,deny
Allow from env=allow
# Company HQ
Allow from 217.121.158.248
Satisfy any
Magento with its .htaccess is in public_html, mirror file
What do I need to change to make it work on non-existing files?
I don't mind a different setting if the following 3 criteria are met:
- IP whitelist (currently working)
- Login for another IP (currently working)
- Exclude specific URL (main problem)
Looking at your setup and following your explanations, the easiest way to do this is to put your constraint code at the top of Magento htaccess (/public_html/.htaccess).
I nested it on top of the rest of the Magento .htaccess inside public_html. Nothing changes on my question. The problems remain the same.
This is because Magento htaccess erases your restriction. You need to remove these two lines:
One more detail: SetEnvIf Request_URI "^/api/?wsdl" allow is useless because:
- part of the query string (wsdl here) is not included in Request_URI (not as expected)
- the previous rule (SetEnvIf Request_URI "^/api/" allow) is larger and includes your useless
Conclusion
This is how your final code should look:
SetEnvIf Request_URI "^/api\.php$" allow
SetEnvIf Request_URI "^/api/" allow
AuthType Basic
AuthName "Toegang nodig? neem gerust contact op: 038-8200270 !"
AuthUserFile /home/kijken/domains/.htpasswd
AuthGroupFile /dev/null
Require valid-user
Order allow,deny
Allow from env=allow
Allow from 217.121.158.248
Satisfy any
# Magento htaccess code here
Tested and working
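Added example (not part of the original question or answers): a small Python model of which requests skip Basic auth under the question's SetEnvIf patterns versus the answer's tightened ones. It assumes Request_URI is the request path without the query string and that Python's re module treats these simple patterns the way Apache's regex engine does; the request targets are constructed samples.

```python
import re

# SetEnvIf patterns as posted in the question and as tightened in the answer.
QUESTION_PATTERNS = [r"^/api.php", r"^/api/", r"^/api/?wsdl"]
ANSWER_PATTERNS = [r"^/api\.php$", r"^/api/"]

# Constructed request targets (path plus optional query string).
SAMPLES = [
    "/api.php",
    "/api/?wsdl",
    "/api?wsdl",
    "/api/v2_soap/index/",
    "/api.php.bak",
    "/apixphp-notes",
    "/admin/",
]


def request_uri(target):
    """Model of Request_URI: the request target without its query string.
    Simplification: Apache also decodes and normalizes the path; this does not."""
    return target.split("?", 1)[0]


def matching_patterns(target, patterns):
    """Patterns that would set the 'allow' variable for this request."""
    uri = request_uri(target)
    # SetEnvIf does an unanchored regex search unless the pattern anchors itself.
    return [p for p in patterns if re.search(p, uri)]


def skips_auth(target, patterns):
    """True when 'Allow from env=allow' plus 'Satisfy any' lets the request in."""
    return bool(matching_patterns(target, patterns))


def newly_protected(targets, old, new):
    """Targets exempt under the old patterns but not under the new ones."""
    return [t for t in targets if skips_auth(t, old) and not skips_auth(t, new)]


if __name__ == "__main__":
    for t in SAMPLES:
        print(f"{t:22} question={skips_auth(t, QUESTION_PATTERNS)!s:5} "
              f"answer={skips_auth(t, ANSWER_PATTERNS)}")
    print("closed by the tighter patterns:",
          newly_protected(SAMPLES, QUESTION_PATTERNS, ANSWER_PATTERNS))
```

In this model /api/?wsdl is exempt only because of the "^/api/" pattern, and /api?wsdl (no trailing slash) stays behind the login under both pattern sets. The unescaped, unanchored "^/api.php" also exempts paths such as /api.php.bak, which the answer's "^/api\.php$" no longer does.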
To set an environment variable based on a CGI parameter you need to refer to mod_rewrite for example.
RewriteEngine On
# Set environment variable "allow" to Allow requests for /api/?wsdl
RewriteCond %{QUERY_STRING} wsdl
RewriteRule ^/?api - [E=allow:1]
# Set environment variable "allow" to Allow requests for URL that are not Files (-f) and not Directories (-d)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ - [E=allow:1]
If you have access to httpd.conf, stick to the rules in the server configuration, as they only need to be parsed or compiled once, at server startup, not for each request.