How to exclude a given file or directory from httpd password protection in apache

| | 1 min read

Apache allows you to protect contents of specific directories in your website or the whole website from unauthorized access using a mechanism called httpd password protection. During development of new sites the partially built sites are protected from unauthorized access using httpd authentication. This could sometimes interfere with testing of integration with third party services that might expect some of your URLs to be accessible without authentication. Here is how you can exclude a given file or directory from httpd authentication

The standard set of lines in htaccess to enabled httpd authentication is as follows

AuthType Basic
AuthName "Auth Required"
AuthUserFile /path/to/.htpasswd
Require valid-user

Now adding the following below this will allow you to exclude directories and files

# Allow access to excluded diretories
SetEnvIf Request_URI "path/to/excluded/directory/" allow
SetEnvIf Request_URI "path/to/excluded/file"  allow
Order allow,deny
Allow from env=allow
Satisfy any

If you wrap the above in a <Limit GET> section you can limit the authentication to GET requests only. You can also allow access from specific IP addresses by adding the following for each IP you wish to allow

Allow from