Turning Off Apache Basic Authentication For A Single Directory

When setting up staging sites or similar I often add a simple Apache authentication check in order to stop everyone from viewing the site. This is also useful in stopping search engine spiders from accessing a site with testing content on it, which generally causes trouble. It isn't amazingly secure, but it keeps almost everyone out.

Setting up a basic Apache password check isn't difficult and all that is needed is a few lines of Apache configuration. This can be placed in a .htaccess file in the web directory or within the server configuration. The following configuration sets up a very simple authentication barrier.

AuthName "Restricted Area"
AuthType Basic
AuthUserFile /var/www/passwords/.htpasswd
AuthGroupFile /dev/null
Require valid-user

The .htpasswd file in the above example is where your user information is stored, so it's generally a good idea to keep it outside your webroot. The .htpasswd file can be edited by hand, but the easiest way of adding passwords is to use the htpasswd command, this will prompt for a password.

htpasswd .htpasswd <username>

With all of that set up you might find the need to allow access to a certain directory. This might be in order to test incomming API connections to the server, which would otherwise be blocked. To allow access to a single directory you need to create an additional .htaccess file and add the Satify Any configuration option. This will tell Apache to allow any user to access the directory, therefore bypassing the password control.

Satisfy Any

You don't need to use a .htaccess file in order to control directory access in this way. The whole thing can be controlled from the main Apache web configuration, or via the virtual host configuration. Within the Apache configuration file the following config might be used to restrict access to a site within the directory /var/www/protected.

<Directory /var/www/protected/>
  AuthName "Restricted Area"
  AuthType Basic
  AuthUserFile /var/www/passwords/.htpasswd
  AuthGroupFile /dev/null
  Require valid-user
</Directory>

A single directory can be unprotected by adding an additional Directory declaration and including the Satisfy Any option like this.

<Directory /var/www/protected/unprotected>
  Satisfy Any
</Directory>

I should mention that this is basic authentication and is therefore not entirely safe, but it does a pretty good job in stopping most users and servers from accessing a website. There are no sophisticated brute force checking mechanisms or password encryption technologies in use. Also, if you aren't using SSL on the server the username and password can be intercepted and extracted.