htaccess: Conditional Authentication

Question

How can i configure this in my apache/htaccess configuration:

I want HTTP-Authentication for all files with one exception. The files click.php and js/clickheat.js may be accessed from 1.2.3.4 without any authentication.

I tried FilesMatch, but i can't invert it. So i can't put require valid-user in there. I thought using SetEnv, but how do i check for it later?

<FilesMatch "(click\.php|clickheat\.js)">
    # what here?
</FilesMatch>

My other idea was to use mod_rewrite. Well, i can allow access to the two files from the given host and deny it from anywhere else. But how do i chain it with HTTP-Authentication?

# allows access to two files from the given IP
RewriteCond %{REMOTE_ADDR} 1\.2\.3\.4
RewriteCond %{REQUEST_URI} ^/click.php [OR]
RewriteCond %{REQUEST_URI} ^/js/clickheat\.js
RewriteRule (.*) - [L]

# denies everything else
RewriteRule (.*) - [F,L]

So my favourite solution would be enabling HTTP-Auth via RewriteCond/RewriteRule.

Background (or why i want to do this): I'm trying to secure a clickheat (http://www.labsmedia.com/clickheat/index.html) installation. And 1.2.3.4 is the remote running mod_proxy and redirecting access to these to files to our clickheat host.

Answer 1

Ok, i found a solution:

Order Deny,Allow
Deny from All

Satisfy Any

AuthType Basic
AuthName "clickheat"
AuthUserFile /var/www/clickheat/.htpasswd
Require valid-user

<FilesMatch "(click\.php|clickheat\.js)">
        Deny from All
        Allow from 1.2.3.4
</FilesMatch>

The key is the Satisfy Any which allows either IP- or Auth-based access.