htaccess 从基本身份验证中排除一个 url [英] htaccess exclude one url from Basic Auth
问题描述
我需要从正常的 htaccess 基本身份验证保护中排除一个 Url(甚至更好的一个前缀).类似于 /callbacks/myBank
或 /callbacks/.*
你有什么提示吗?
I need to exclude one Url (or even better one prefix) from normal htaccess Basic Auth protection. Something like /callbacks/myBank
or /callbacks/.*
Do you have any hints how to do it?
我不是在寻找如何排除文件.这必须是 url(因为这是基于 PHP 框架的解决方案,所有 url 都使用 mod_rewrite
重定向到 index.php
).所以这个网址下没有文件.没什么.
What I'm not looking for is how to exclude a file.
This has to be url (as this is solution based on PHP framework, and all urls are redirected with mod_rewrite
to index.php
). So there is no file under this URL. Nothing.
其中一些 url 只是来自其他服务的回调(没有 IP 未知,因此我无法根据 IP 排除)并且它们无法提示用户/密码.
Some of those urls are just callbacks from other services (No IP is not known so I cannot exclude based on IP) and they cannot prompt for User / Password.
当前定义很简单:
AuthName "Please login."
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /xxx/.htpasswd
require valid-user
推荐答案
如果您使用的是 Apache 2.4,则不再需要 SetEnvIf
和 mod_rewrite 解决方案,因为 Require
指令能够直接解释表达式:
If you are using Apache 2.4, SetEnvIf
and mod_rewrite workarounds are no longer necessary since the Require
directive is able to interpret expressions directly:
AuthType Basic
AuthName "Please login."
AuthUserFile "/xxx/.htpasswd"
Require expr %{REQUEST_URI} =~ m#^/callbacks/.*#
Require valid-user
Apache 2.4 将
分组的 Require
指令视为
,其行为类似于或"语句.下面是一个更复杂的示例,它演示了如何将请求 URI 和查询字符串匹配在一起,并退回到要求有效用户:
Apache 2.4 treats Require
directives that are not grouped by <RequireAll>
as if they were in a <RequireAny>
, which behaves as an "or" statement. Here's a more complicated example that demonstrates matching both the request URI and the query string together, and falling back on requiring a valid user:
AuthType Basic
AuthName "Please login."
AuthUserFile "/xxx/.htpasswd"
<RequireAny>
<RequireAll>
# I'm using the alternate matching form here so I don't have
# to escape the /'s in the URL.
Require expr %{REQUEST_URI} =~ m#^/callbacks/.*#
# You can also match on the query string, which is more
# convenient than SetEnvIf.
#Require expr %{QUERY_STRING} = 'secret_var=42'
</RequireAll>
Require valid-user
</RequireAny>
此示例将允许访问 /callbacks/foo?secret_var=42
,但需要 /callbacks/foo
的用户名和密码.
This example would allow access to /callbacks/foo?secret_var=42
but require a username and password for /callbacks/foo
.
请记住,除非您使用
,否则 Apache 将尝试匹配每个 Require
按顺序,因此请考虑您想要的条件先允许.
Remember that unless you use <RequireAll>
, Apache will attempt to match each Require
in order so think about which conditions you want to allow first.
Require
指令的参考在这里:https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require
和 expr
会话参考在这里:https://httpd.apache.org/docs/2.4/expr.html
And the expr
ession reference is here: https://httpd.apache.org/docs/2.4/expr.html
这篇关于htaccess 从基本身份验证中排除一个 url的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!