从 HTTP 基本身份验证中排除特定 URL - mod_rewrite 导致问题

我们在我们的某个子域上有“HTTP 基本身份验证”，但希望允许所有内容访问该子域上的特定 URL，而无需进行身份验证（对于第 3 方访问我们的 webhook URL）。

所以我尝试使用

SetEnvIf Request_URI ^/webhook/ allow

来允许

Allow from env=allow

（下面的完整文件），但似乎因为我们有一些 mod_rewrite 规则来将所有这些 URL 重写为 PHP 入口点，所以 Request_URI 实际上永远不会是 /webhook一旦到了这一点（猜测但不知道如何100％确认这一点。

无论 URL 如何，它仍然要求基本的身份验证用户/密码。

请注意，.htaccess 文件在我们所有的域/子域上都是相同的，而 VirtualHost 可以仅为该子域配置。

带有“HTTP Basic Auth”配置部分的完整虚拟主机配置：

<VirtualHost *:80>
  RewriteEngine on
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]

  DocumentRoot /var/www/sub.ourdomain.co.uk/blah/www

  ServerAdmin [email protected]
  ServerName sub.ourdomain.co.uk
  ServerAlias www.sub.ourdomain.co.uk

  ErrorDocument 400 /error.php
  ErrorDocument 401 /error.php
  ErrorDocument 403 /403.html
  ErrorDocument 404 /error.php
  ErrorDocument 405 /error.php
  ErrorDocument 408 /error.php
  ErrorDocument 410 /error.php
  ErrorDocument 411 /error.php
  ErrorDocument 412 /error.php
  ErrorDocument 413 /error.php
  ErrorDocument 414 /error.php
  ErrorDocument 415 /error.php
  ErrorDocument 500 /error.php
  ErrorDocument 501 /error.php
  ErrorDocument 502 /error.php
  ErrorDocument 503 /error.php
  ErrorDocument 506 /error.php

  ErrorLog /var/log/httpd/sub.ourdomain.co.uk.apache.log
  CustomLog /var/log/httpd/sub.ourdomain.co.uk.access.log combined

  <Directory "/var/www/sub.ourdomain.co.uk/blah/www">
    SetEnvIf Request_URI ^/webhook/ allow

    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk

    # Setup a deny/allow
    Order Deny,Allow
    # Deny from everyone
    Deny from all
    # except if either of these are satisfied
    Satisfy any
    # 1. a valid authenticated user
    Require valid-user
    # or 2. the "allow" var is set
    Allow from env=allow
  </Directory>
</VirtualHost>

.htaccess mod_rewrite规则：

RewriteCond %{REQUEST_METHOD} !(^GET|^POST|^HEAD)
RewriteRule .* - [R=405,L]

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts)

RewriteRule ^(.*)$ /boot.php

RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ /boot.php

编辑1 - 基于我也尝试过的评论：

SetEnv allow true

和

SetEnv allow 1

以消除对是否是URL的怀疑，并且它仍然要求基本身份验证密码，因此它可能与URL毕竟无关.

编辑 2 - 添加整个 .htaccess 以确保我没有遗漏其他内容：

php_value max_input_vars 4000

RewriteEngine on

# Disallow other HTTP verbs such as PUT and DELETE
RewriteCond %{REQUEST_METHOD} !(^GET|^POST|^HEAD)
RewriteRule .* - [R=405,L]

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)

RewriteRule ^(.*)$ /boot.php

RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ /boot.php

AddType font/ttf .ttf
AddType font/eot .eot
AddType font/otf .otf
AddType font/woff .woff

<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/css text/javascript application/x-javascript application/javascript text/x-component text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json font/woff font/otf font/eot font/ttf
</IfModule>

<ifModule mod_expires.c>
  ExpiresActive On
  ExpiresDefault "access plus 1 seconds"
  ExpiresByType text/html "access plus 1 seconds"
  ExpiresByType image/gif "access plus 2592000 seconds"
  ExpiresByType image/jpeg "access plus 2592000 seconds"
  ExpiresByType image/png "access plus 2592000 seconds"
  ExpiresByType text/css "access plus 604800 seconds"
  ExpiresByType font/ttf "access plus 604800 seconds"
  ExpiresByType font/eot "access plus 604800 seconds"
  ExpiresByType font/otf "access plus 604800 seconds"
  ExpiresByType font/woff "access plus 604800 seconds"
  ExpiresByType text/javascript "access plus 604800 seconds"
  ExpiresByType application/x-javascript "access plus 604800 seconds"
</ifModule>

<ifModule mod_headers.c>
  <filesMatch "\\.(ico|pdf|flv|jpg|jpeg|png|gif|swf)$">
    Header set Cache-Control "max-age=2592000, public, proxy-revalidate"
  </filesMatch>
  <filesMatch "\\.(js|css|ttf|eot|otf|woff)$">
    Header set Cache-Control "max-age=604800, public, proxy-revalidate"
  </filesMatch>
  <filesMatch "\\.(xml|txt)$">
    Header set Cache-Control "max-age=216000, public, must-revalidate"
  </filesMatch>
</ifModule>

编辑 3 - 抱歉，应该提到我们现在停留在 Apache 2.2 上。

<If>

allow from all

THE_REQUEST

THE_REQUEST

AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk
Require valid-user
Satisfy any
Order   deny,allow
Deny from  all

<If "%{THE_REQUEST} =~ /webhook/">
Satisfy any
Allow from all
</If>

# your current mod_rewrite rules can appear below this line:
DirectoryIndex boot.php
RewriteEngine on

# Disallow other HTTP verbs such as PUT and DELETE
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule ^ - [R=405,L]

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)
RewriteRule ^ boot.php [L]

<FilesMatch>

DirectoryIndex boot.php
RewriteEngine on

# Disallow other HTTP verbs such as PUT and DELETE
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule ^ - [R=405,L]

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)
RewriteRule ^ boot.php [L]

SetEnvIfNoCase Request_URI ^/webhook/ allow

<FilesMatch "^(?!boot\.php$).*$">
   AuthType Basic
   AuthName "Restricted Content"
   AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk
   Require valid-user
   Order   Deny,Allow
   Deny from  all
   Allow from env=allow
   Satisfy any
</FilesMatch>

<If "%{THE_REQUEST} =~ /webhook/">

?uselessParameter=/webhook/

THE_REQUEST

^

<If "%{THE_REQUEST} =~ ^GET /webhook/">