Exclude overwrite protection from directory

We have a setting for Magento. For dev purposes, we closed it with .htaccess protection. But I want to expose the API, so I don't need to whitelist third party services.

The construct below works for files that exist (api.php), but not for URLs that are rewritten (api, api/?wsdl).

This .htaccess is one directory above public_html. Based on perishablepress

AuthType Basic
AuthName "Toegang nodig? neem gerust contact op: 038-8200270 !"
AuthUserFile /home/kijken/domains/.htpasswd
AuthGroupFile /dev/null
Require valid-user
# allow public access to the following resources
SetEnvIf Request_URI "^/api.php" allow
# api is not a real folder
SetEnvIf Request_URI "^/api/" allow
SetEnvIf Request_URI "^/api/?wsdl" allow

Order allow,deny
Allow from env=allow

# Company HQ
Allow from 217.121.158.248

Satisfy any

Magento with its .htaccess is in public_html, mirror file

What do I need to change to make it work on non-existing files?
I don't mind a different setting if the following 3 criteria are met:

  • IP whitelist (currently working)
  • Login for another IP (currently working)
  • Exclude specific URL (main problem)
+3




2 answers


Looking at your setup and following your explanations, the easiest way to do this is to put your constraint code at the top of Magento htaccess (/public_html/.htaccess).

I nested it on top of the rest of the Magento .htaccess inside public_html. Nothing changes on my question. The problems remain the same.

This is because Magento htaccess erases your restriction. You need to remove these two lines:

[image not available]

One more detail: SetEnvIf Request_URI "^/api/?wsdl" allow is useless because:

  • part of the query string (wsdl here) is not included in Request_URI (not as expected)
  • the previous rule (SetEnvIf Request_URI "^/api/" allow) is larger and includes your useless one

Conclusion
This is how your final code should look

SetEnvIf Request_URI "^/api\.php$" allow
SetEnvIf Request_URI "^/api/" allow

AuthType Basic
AuthName "Toegang nodig? neem gerust contact op: 038-8200270 !"
AuthUserFile /home/kijken/domains/.htpasswd
AuthGroupFile /dev/null
Require valid-user
Order allow,deny
Allow from env=allow
Allow from 217.121.158.248
Satisfy any

# Magento htaccess code here

      

Tested and working

+1
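
An added example (not part of the answer above, and not the poster's code): a small Python model of how the `SetEnvIf Request_URI` exemptions match, run over the question's patterns and the answer's patterns with constructed sample URLs. It assumes, as the answer states, that Request_URI excludes the query string, and it uses Python's `re` as a stand-in for Apache's regex engine; the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

# Exemption patterns copied from the question and from the answer's final code.
QUESTION_PATTERNS = [r"^/api.php", r"^/api/", r"^/api/?wsdl"]
ANSWER_PATTERNS = [r"^/api\.php$", r"^/api/"]

# Constructed sample requests (not taken from any real log).
SAMPLE_URLS = [
    "/api.php", "/api/?wsdl", "/api?wsdl", "/apiwsdl",
    "/api.php.bak", "/apixphp", "/admin/",
]


def request_uri(url):
    """Path that SetEnvIf Request_URI is matched against (assumption stated
    in the answer: the query string is not part of it)."""
    return urlsplit(url).path or "/"


def exempted(url, patterns):
    """Patterns that would set the 'allow' variable, i.e. skip Basic auth."""
    path = request_uri(url)
    # SetEnvIf does an unanchored regex search unless the pattern anchors itself.
    return [p for p in patterns if re.search(p, path)]


def audit(urls, patterns):
    """Map each URL to the patterns exempting it (empty list = no exemption)."""
    return {u: exempted(u, patterns) for u in urls}


if __name__ == "__main__":
    for label, patterns in (("question", QUESTION_PATTERNS),
                            ("answer", ANSWER_PATTERNS)):
        print(f"--- {label} patterns ---")
        for url, hits in audit(SAMPLE_URLS, patterns).items():
            # "login required" ignores the separate IP whitelist rule.
            verdict = "no login" if hits else "login required"
            print(f"{url:15} {verdict:15} {hits}")
```

With the question's patterns, `/api.php.bak` and `/apixphp` are exempted by the unescaped, unanchored `^/api.php`, and `^/api/?wsdl` only ever matches paths such as `/apiwsdl`. Neither pattern set exempts the bare `/api` path.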




To set an environment variable based on a CGI parameter you need to refer to mod_rewrite for example.

RewriteEngine On
# Set environment variable "allow" to Allow requests for /api/?wsdl
RewriteCond   %{QUERY_STRING} wsdl
RewriteRule   ^/?api  - [E=allow:1]

# Set environment variable "allow" to Allow requests for URL that are not Files (-f) and not Directories (-d)
RewriteCond %{REQUEST_FILENAME} !-f   
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ - [E=allow:1]

      



If you have access to httpd.conf, stick to the rules in the server configuration, as they only need to be parsed or compiled once, at server startup, not for each request.

0

