
Disable user authentication for subdirectory when using RewriteRule on Apache server

If you protect your private beta release from the public with AuthType and you are using RewriteRule from mod_rewrite, you will soon find that the combination of <Location> and Satisfy does not work for you: it does not allow access to the subdirectory as expected.

<VirtualHost *:80>
    ServerName beta.example.com
    DocumentRoot /var/www/example

    <Location />
        AuthType basic
        AuthName "Top Secret Beta!"
        AuthUserFile /etc/httpd/htpasswd.beta
        Require valid-user
    </Location>

    <Location /upload-callback>
        Allow from all
        Satisfy Any
    </Location>

    <Directory /var/www/example>
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule !\.(swf|pdf|php|js|ico|txt|gif|jpg|png|css|rar|zip|tar\.gz)$ /index.php [L]
    </Directory>
</VirtualHost>

With this setup, the subdirectory will still require a valid user, because mod_rewrite is applied before <Location> and changes the URL, which then no longer matches. You can change this by adding an alias:

Alias /upload-callback /var/www/example/index.php

Now all URLs will go through your nice URL generator index.php, but the specified URL will be checked against <Location> and access will be granted based on the Allow directive (in this case to everyone).
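
The complete virtual host with the alias in place, as an added example assembled from the directives above (not a configuration from the original post). The comments, the position of the Alias line and the Apache 2.4 note are additions.

```apache
# Added example: constructed from the directives shown on this page.
<VirtualHost *:80>
    ServerName beta.example.com
    DocumentRoot /var/www/example

    # /upload-callback now resolves to the existing file index.php, so the
    # rewrite rule in <Directory> does not fire for it and the request URL
    # still matches <Location /upload-callback>.
    Alias /upload-callback /var/www/example/index.php

    # Default: everything on the beta host needs a valid login.
    <Location />
        AuthType basic
        AuthName "Top Secret Beta!"
        AuthUserFile /etc/httpd/htpasswd.beta
        Require valid-user
    </Location>

    # Exception: listed after <Location /> so it is merged last.
    # Alias and <Location> both match on the URL prefix, so index.php also
    # runs without authentication for /upload-callback/<anything>. The
    # application should expose only the callback handler under this prefix.
    <Location /upload-callback>
        Allow from all
        Satisfy Any
        # Apache 2.4 without mod_access_compat: replace the two lines
        # above with "Require all granted".
    </Location>

    # Front-controller rewrite for every other URL (unchanged).
    <Directory /var/www/example>
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule !\.(swf|pdf|php|js|ico|txt|gif|jpg|png|css|rar|zip|tar\.gz)$ /index.php [L]
    </Directory>
</VirtualHost>
```

After reloading, an unauthenticated `curl -s -o /dev/null -w '%{http_code}\n' http://beta.example.com/` should print 401, while the same request for /upload-callback should not.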
