Drupal + .htpasswd: How to lock down a dev site but allow access to single path
https://stackoverflow.com/questions/4877069
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianВопрос
So I have a development site setup running Drupal. I've locked the site down with basic HTTPAuth + htpasswd to keep out baddies.
The problem is that a single node, a webform, needs to be accessible on this dev site from the live site.
My question is: because of Drupal's convoluted bootstrapping process how would I go about allowing access to only this single file/URL?
My vhost config for htpasswd:
<Directory />
AuthUserFile /var/www/.htpasswd
AuthName "my radbad dev site"
AuthType Basic
Require valid-user
</Directory>
I've tried something like the following without success:
<Location "/node/1334">
Allow from all
Satisfy any
</Location>
Решение
You can't do it like that, because the webform isn't a file, it's dynamically generated from info you gave Drupal (which it put in the DB). All Drupal URIs (apart from your uploaded files) are index.php sending you to the right place. There's no way to tell httpauth that sometimes index.php may be accessed freely and sometimes it requires auth.
There are several options for controlling access via a Drupal module, or (if your live site is Drupal) you could just give it the same webform, but no amount of tweaking around with httpauth will solve your problem.
Другие советы
<Location>-directives are applied after .htaccess is processed. This means, mod_rewrite already did its thing an the URL is now /index.php?q=node/1334. This is bad, because <Location> cannot be used for configurations based on the query string. See <Location> directive and How the sections are merged for details.
You will have to come up with a totally different solution, like making the Drupal database available under some other URL, that is not accessible from outside.
If you want to go the HTTP authentication route, consider the Secure Site module instead of editing .htaccess and creating a .htpasswd file. That's an error-prone process, while Secure Site gives you a form which you can use to type in a path you want excluded from securing. Even better, it uses the Drupal authentication system, so you can deny/allow people to the site based on Drupal roles and permissions.
