optional http auth

Today I encountered an interesting problem. (And please excuse any incoherent rambling right now, I’m writing this from a pretty loud office building where everyone’s getting ready to take off for lunch…)

A site I’m working on is currently restricted from public access (largely because we don’t want the client poking around while it’s in a particularly ugly stage of development :P). We’re restricting this access via the standard-issue Apache HTTP Basic auth system with an .htaccess file that looks something like this:

[code]
AuthType basic
AuthUserFile /not/in/var/www/mars_passwd
AuthGroupFile /dev/null
AuthName "MARS Password Required"
Require valid-user
[/code]

This is all well and good. I have a secure password that the three people working on the site can use to access the pages in question and everything is good.

Until they tell me that they want me to make searches work – searches involving both static and dynamic content. I.e., searches that can only be indexed via some sort of spider application. But the spider must run over HTTP… and it’s too dumb to both authenticate connections AND leave the passwords out of the URLs it saves in its index…

Now, if I were only developing this site internally, I might want to change my .htaccess file to read something more like this:

[code]
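# With "Order allow,deny", anything not matched by an Allow line is denied by
# default; an explicit "Deny from all" here would also reject the allowed hosts.
Order allow,deny
Allow from localhost
Allow from xx.yy.zz.com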
[/code]

This would let the server do its thing w/o worries about the

Enter the Satisfy directive.

See, Apache is smart enough to accept any possible combination of these two methods of access control. It is possible to require both a valid password and a valid IP address OR to require only one of the two.

Satisfy takes one of two arguments, ‘all’ or ‘any’. But saying ‘Satisfy all’ is kind of redundant, as that’s the default behavior.

The final auth file looks something like this:

[code]
AuthType basic
AuthUserFile /not/in/var/www/mars_passwd
AuthGroupFile /dev/null
AuthName "MARS Password Required"
Require valid-user

Order allow,deny
Allow from localhost
Allow from xx.yy.zz.com

Satisfy any
[/code]

So, now we get the desired behavior. If connecting from one of the authorized hosts, it lets you in w/o asking for a password. Otherwise, the password is required to continue.
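The decision that final .htaccess makes, modeled in Python as an added example (not part of the original post and not Apache's own code). It follows the Apache 2.2 Order/Allow/Deny and Satisfy rules in simplified form; the `Request` type, the sample clients and `laptop.example.net` are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Request:               # constructed type for this example
    host: str                # client hostname as the server resolved it
    valid_login: bool        # True if valid Basic credentials were sent

def matches(host, specs):
    """True if host matches an Allow/Deny spec: 'all', a name, or a domain suffix."""
    return any(s == "all" or host == s or host.endswith("." + s) for s in specs)

def host_ok(host, order, allow, deny=()):
    """Evaluate Order/Allow/Deny for one client host."""
    allowed, denied = matches(host, allow), matches(host, deny)
    if order == "allow,deny":    # default deny, and a Deny match always wins
        return allowed and not denied
    if order == "deny,allow":    # default allow, and an Allow match always wins
        return allowed or not denied
    raise ValueError(f"unknown Order: {order}")

def access(req, satisfy, order, allow, deny=()):
    """HTTP status for a directory that also carries 'Require valid-user'."""
    by_host = host_ok(req.host, order, allow, deny)
    if satisfy == "any":         # either check is enough
        return 200 if (by_host or req.valid_login) else 401
    if not by_host:              # Satisfy all: host check must pass first
        return 403
    return 200 if req.valid_login else 401

ALLOW = ("localhost", "xx.yy.zz.com")        # hosts from the post's .htaccess
SPIDER = Request("localhost", False)          # constructed sample clients
DEV_REMOTE = Request("laptop.example.net", True)
STRANGER = Request("laptop.example.net", False)

def decision_table():
    rows = []
    for satisfy in ("any", "all"):
        for name, req in (("spider", SPIDER), ("dev", DEV_REMOTE), ("stranger", STRANGER)):
            rows.append((satisfy, name, access(req, satisfy, "allow,deny", ALLOW)))
    return rows

if __name__ == "__main__":
    for row in decision_table():
        print(*row)
    # 'Deny from all' under 'Order allow,deny' rejects even the listed hosts,
    # so the spider falls back to the password prompt.
    print("spider with Deny from all:", access(SPIDER, "any", "allow,deny", ALLOW, ("all",)))
```

Under `Satisfy all` the remote developer with a valid password gets a 403, which is why the default is too strict for this setup.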

One thought on “optional http auth”

  1. Thank you,

    Trying to access the _private directory was giving me an error message on apache’s error_log:

    “””
    configuration error: couldn’t check access. No Groups file?
    “””
    the addition of the line “AuthGroupFile /dev/null” worked like a charm. Fugly hack, but works.
