Below is my VHost (that is slightly modified to obscure some Web addresses):

    NameVirtualHost

    <VirtualHost>
      ServerName internal-title.local
      ServerAlias *.internal-title.local kingdom * kingdom

      <Directory "/var/www/html">
        AllowOverride All

        Order deny,allow
        Deny from all

        AuthName "Restricted Development Server"
        AuthUserFile /var/www/html/.htpasswd
        AuthType Basic
        Require valid-user

        Allow From 192.168.1.

        Satisfy Any
      </Directory>

      <Location /open-path>
        Order Allow,Deny
        Allow from all
        Deny From None
      </Location>

      LogLevel debug
      VirtualDocumentRoot /var/www/html/%1/
    </VirtualHost>

Things are working fine: every sub-domain gets its very own folder within /var/www/html. Any requests from 192.168.1.x (with an internal domain map) can view the website without password prompts. Any requests from external IPs (via kingdom) will be prompted for a password.

The issue I'm having is getting that last "Location" rule to work.

Nothing I do (whether at the .htaccess or vhost level) will disable the password protection for that "/open-path" URL.

In fact, each site on this server is running Drupal, which uses a URL rewrite within the .htaccess that maps all non-files onto "?q="... So: http://domain/foo/bar maps to: http://domain/index.php?q=foo/bar

I don't believe that should affect this though, should it?

The main reason I ask is that "/open-path/callback" needs to be open for a third-party API to "ping" the website. I have to test that this callback is working before pushing to live, but I'd rather not remove the password protection from the whole site.

I have attempted setting the Location to "/index.php?q=open-path"; that hasn't worked either.

Any suggestions would be GREATLY appreciated!

This is in the Apache documentation:

    <Directory /path/to/protected/unprotected>
      # All access controls and authentication are disabled
      # in this directory
      Satisfy Any
      Allow from all
    </Directory>

This works with Location too.
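Once exemptions like this exist, it is worth checking that only the intended path skips the password. The following audit script is an added example, not part of the original posts: it lists, for each section that sets `Satisfy Any`, which `Allow from` sources bypass authentication. The sample config is constructed from the question's `<Directory>` block and the answer's form applied to `/open-path`; the function names are hypothetical. Each section is read on its own, without modelling Apache's section merging or `Order`/`Deny`, so the list is an upper bound.

```python
import re

# Constructed sample: the question's <Directory> block plus the answer's
# "Satisfy Any / Allow from all" form applied to the /open-path Location.
SAMPLE = """
<Directory "/var/www/html">
    Order deny,allow
    Deny from all
    AuthType Basic
    Require valid-user
    Allow from 192.168.1.
    Satisfy Any
</Directory>
<Location /open-path>
    Satisfy Any
    Allow from all
</Location>
"""

# Matches <Directory ...> / <Location ...> sections (Apache 2.2 syntax).
SECTION = re.compile(r'<(Directory|Location)\s+"?([^">]+?)"?\s*>(.*?)</\1>',
                     re.S | re.I)

def directive(body, name):
    """Return the argument string of every `name ...` line in a section body."""
    return re.findall(rf'^\s*{name}\s+(.+?)\s*$', body, re.M | re.I)

def auth_bypass(conf):
    """Map each section that sets Satisfy Any to the hosts that skip the password.

    Assumption: sections are read in isolation; Order and Deny lines are not
    evaluated, so the reported Allow sources are an upper bound.
    """
    report = {}
    for _kind, path, body in SECTION.findall(conf):
        satisfy = directive(body, "Satisfy")
        if not satisfy or satisfy[-1].lower() != "any":
            continue  # Satisfy All (the default): host check AND login required
        hosts = []
        for arg in directive(body, "Allow"):
            hosts += arg.split()[1:]  # drop the leading "from"
        everyone = "all" in (h.lower() for h in hosts)
        report[path] = ["EVERYONE"] if everyone else hosts
    return report

if __name__ == "__main__":
    for path, hosts in auth_bypass(SAMPLE).items():
        print(f"{path}: no password for {', '.join(hosts)}")
```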