Below is my VHost (that is slightly modified to obscure some Web addresses):


  1 NameVirtualHost 192.168.1.49:80

  2

  3 <VirtualHost 192.168.1.49:80>

  4   ServerName internal-title.local

  5   ServerAlias *.internal-title.local exterior-domain.co.united kingdom *.exterior-domain.co.united kingdom

  6

  7   <Directory "/var/www/html">

  8     AllowOverride All

  9

 10     Order deny,allow

 11     Deny all

 12

 13     AuthName "Restricted Development Server"

 14     AuthUserFile /var/www/html/.htpasswd

 15     AuthType Fundamental

 16     Require valid-user

 17

 18     Allow From 192.168.1.

 19

 20     Satisfy Any

 21   </Directory>

 22

 23   <Location /open-path >

 24     Order Allow,Deny

 25     Allow All

 26     Deny From None

 27   </Location>

 28

 29   LogLevel debug

 30   VirtualDocumentRoot /var/www/html/%1/

 31 </VirtualHost>

Things are working fine - every sub-domain will get its very own folder within /var/www/html. Any demands from 192.168.1.x (with an internal domain map) can observe the website without password prompts. Any demands from exterior IP's (via exterior-domain.co.united kingdom) is going to be motivated for any password.

The issue I'm getting gets that last "location" rule to operate.

Nothing I actually do (whether it is .htaccess or vhost level) using or will disable the password protection for that "/open-path" URL.

In fact - each site about this server is running Drupal which utilizes a URL Rewrite within the .htaccess which maps all non-files onto "?q="... So: http://domain/foo/bar maps to: http://domain/index.php?q=foo/bar

I dont believe that should effect this though, should it?

The main reason I show him is the fact that "/open-path/callback" is needed to become open for a third party API to "ping" the website. I have to test this callback is working before pushing to reside, however I'd rather not unveil the whole site from password protection.

I have attempted setting the place to "/index.php?q=open-path", that isn't labored either.

Any suggestion could be GREATLY appreciated!

This really is in the Apache paperwork: http://httpd.apache.org/docs/2.2/mod/core.html#require

<Directory /path/to/protected/unprotected>
# All access controls and authentication are disabled
# in this directory
Satisfy Any
Allow from all
</Directory>

This works together with Location too.