htaccess 从基本身份验证中排除一个 url [英] htaccess exclude one url from Basic Auth

问题描述

我需要从正常的 htaccess 基本身份验证保护中排除一个 Url(甚至更好的一个前缀).类似于 /callbacks/myBank 或 /callbacks/.*你有什么提示吗?

I need to exclude one Url (or even better one prefix) from normal htaccess Basic Auth protection. Something like /callbacks/myBank or /callbacks/.* Do you have any hints how to do it?

我不是在寻找如何排除文件.这必须是 url(因为这是基于 PHP 框架的解决方案，所有 url 都使用 mod_rewrite 重定向到 index.php).所以这个网址下没有文件.没什么.

What I'm not looking for is how to exclude a file. This has to be url (as this is solution based on PHP framework, and all urls are redirected with mod_rewrite to index.php). So there is no file under this URL. Nothing.

其中一些 url 只是来自其他服务的回调(没有 IP 未知，因此我无法根据 IP 排除)并且它们无法提示用户/密码.

Some of those urls are just callbacks from other services (No IP is not known so I cannot exclude based on IP) and they cannot prompt for User / Password.

当前定义很简单:

AuthName "Please login."
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /xxx/.htpasswd
require valid-user 

推荐答案

如果您使用的是 Apache 2.4，则不再需要 SetEnvIf 和 mod_rewrite 解决方案，因为 Require 指令能够直接解释表达式:

If you are using Apache 2.4, SetEnvIf and mod_rewrite workarounds are no longer necessary since the Require directive is able to interpret expressions directly:

AuthType Basic
AuthName "Please login."
AuthUserFile "/xxx/.htpasswd"

Require expr %{REQUEST_URI} =~ m#^/callbacks/.*#
Require valid-user

Apache 2.4 将 分组的 Require 指令视为;，其行为类似于或"语句.下面是一个更复杂的示例，它演示了如何将请求 URI 和查询字符串匹配在一起，并退回到要求有效用户:

Apache 2.4 treats Require directives that are not grouped by <RequireAll> as if they were in a <RequireAny>, which behaves as an "or" statement. Here's a more complicated example that demonstrates matching both the request URI and the query string together, and falling back on requiring a valid user:

AuthType Basic
AuthName "Please login."
AuthUserFile "/xxx/.htpasswd"

<RequireAny>
    <RequireAll>
        # I'm using the alternate matching form here so I don't have
        # to escape the /'s in the URL.
        Require expr %{REQUEST_URI} =~ m#^/callbacks/.*#

        # You can also match on the query string, which is more
        # convenient than SetEnvIf.
        #Require expr %{QUERY_STRING} = 'secret_var=42'
    </RequireAll>

    Require valid-user
</RequireAny>

此示例将允许访问 /callbacks/foo?secret_var=42，但需要 /callbacks/foo 的用户名和密码.

This example would allow access to /callbacks/foo?secret_var=42 but require a username and password for /callbacks/foo.

请记住，除非您使用 ，否则 Apache 将尝试匹配每个 Require 按顺序，因此请考虑您想要的条件先允许.

Remember that unless you use <RequireAll>, Apache will attempt to match each Require in order so think about which conditions you want to allow first.

Require 指令的参考在这里:https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require

和 expr 会话参考在这里:https://httpd.apache.org/docs/2.4/expr.html

And the expression reference is here: https://httpd.apache.org/docs/2.4/expr.html

这篇关于htaccess 从基本身份验证中排除一个 url的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！