Monday, August 02, 2010

Gotcha of the Day: Punching a Hole Through Apache Authentication

When I set up a dev site, I like to throw up .htaccess authentication on it. That way, search engine bots won't crawl and index it, and end users won't discover it and get confused.

But last night I ran into a classic problem with this configuration: there are times when anonymous access to the site is needed. Last night, that anonymous access was needed by the PayPal IPN architecture. But the same sort of issue comes up whenever any sort of asynchronous notification is involved (like with webthumb's notify requests).

It's tempting to simply drop the authentication requirement from the dev site, but that's problematic because the reasons it exists are essential ones.

After mulling this over, I decided I'd try a different strategy. I'd go ahead and leave the site as password protected, but put the scripts that need anonymous access in their own unprotected directory.

That is, assuming the webroot is public_html, I'd put my IPN notification script in the following directory:

 /public_html/async/ipn-handler.php

I knew I needed to put some sort of special configuration in async/ipn-handler.php, but what? I read through the Apache docs and arrived at the following:

Allow from all
Satisfy Any 

The first line says that any host can access this directory. That is, there are now no host or IP address limits on this directory. But that line alone doesn't really help matters, because the .htaccess authentication at the root level still requires a valid user.

The second line, the Satisfy directive, says that either user authentication or host-based access control is acceptable. Because all hosts are welcome, anyone can get in.

The result is a private site with a single publicly accessible directory. The scripts within this directory are written with this in mind, and can gracefully be invoked by a search engine bot or curious user without harm (though how they'd guess the name of the script or directory is beyond me).
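For reference, here are the two .htaccess files that make up this setup, written out as an added example rather than copied from the post. The root file, the .htpasswd location, and the Apache 2.4 variant are my assumptions; the async directory's two lines are the ones above. The server config must grant AllowOverride AuthConfig Limit for any of this to take effect.

```apache
# public_html/.htaccess  (assumed: protects the whole dev site)
AuthType Basic
AuthName "Dev site"
AuthUserFile /path/outside/webroot/.htpasswd   # placeholder path; keep it out of the webroot
Require valid-user

# public_html/async/.htaccess  (the single unprotected directory)
# Apache 2.2, as in the post. "Order allow,deny" is the default and is only spelled
# out for clarity; with "Allow from all" every client passes the host check, and
# "Satisfy Any" lets that host check stand in for the root's valid-user requirement.
Order allow,deny
Allow from all
Satisfy Any

# Apache 2.4 equivalent (mod_authz_core). Allow/Order/Satisfy only work there if
# mod_access_compat is loaded; the native form is a single line, and because
# AuthMerging defaults to Off, this Require replaces the parent's "Require valid-user":
# Require all granted
```

Since anything under async/ is reachable without a login, each script there has to authenticate its own input (for IPN, by validating the notification with PayPal before acting on it) rather than relying on the directory name staying unguessed.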
