Protect your website with htaccess

Today we needed to set up an htauth-secured WordPress blog for internal development purposes. We duly protected our web application with the vanilla .htaccess directives:

{% highlight conf %}
AuthName "Secured"
AuthUserFile /path/to/secret/location/.htpasswd
AuthType Basic
Require valid-user
{% endhighlight %}

We were using WordPress to generate RSS data feeds, and were pulling down those feeds into PHPList (we combined the two products using my WP-PHPList WordPress plugin). The problem was, PHPList pulls in RSS feeds via the command line, which (at least out-of-the-box) doesn’t support htauth.

What I needed was a way to force all users to authenticate as normal, EXCEPT certain IPs (like localhost) to whom I’d give unrestricted access.

Some Googling turned up this useful article at AskApache.com, which points out that all I needed was to add:

{% highlight conf %}
Allow from 127.0.0.1
Satisfy Any
{% endhighlight %}

to my directives, giving me the following:

{% highlight conf %}
AuthName "Secured"
AuthUserFile /path/to/secret/location/.htpasswd
AuthType Basic
Require valid-user
Allow from 127.0.0.1
Satisfy Any
{% endhighlight %}

The solution works perfectly - normal users are forced to authenticate, but PHPList can suck up RSS feeds without a problem.
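The same localhost exemption written with an explicit default-deny for hosts, followed by its Apache 2.4 equivalent. This is an added example, not taken from the original post or the AskApache article; it reuses the realm name and `.htpasswd` path shown above and assumes the file is an `.htaccess` with `AllowOverride AuthConfig Limit` (or `All`) in effect.

```apache
# Use ONE of the two options below, not both.

# ---- Option A: Apache 2.2 syntax (mod_access_compat on 2.4) ----
AuthName "Secured"
AuthUserFile /path/to/secret/location/.htpasswd
AuthType Basic
Require valid-user

# Start from "deny every host". With the default Order Deny,Allow, a client
# that matches no Allow or Deny rule passes the host check, and Satisfy Any
# accepts a request as soon as either check passes.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1

# Either the host check or a valid login is sufficient.
Satisfy Any

# ---- Option B: Apache 2.4 syntax (mod_authz_core / mod_authz_host) ----
# Order, Allow, Deny and Satisfy are deprecated in 2.4; RequireAny states
# the "allowlisted IP OR authenticated user" rule directly.
AuthName "Secured"
AuthUserFile /path/to/secret/location/.htpasswd
AuthType Basic
<RequireAny>
    Require ip 127.0.0.1
    Require valid-user
</RequireAny>

# Caveat for both options: if Apache sits behind a reverse proxy on the same
# machine, every request arrives from 127.0.0.1 and is exempted from the login.
```

To confirm the result, request the site without credentials from a machine that is not on the allowlist and check that the response is `401 Unauthorized`.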