Protect your website with htaccess

Today we had the need to setup a htauth-secured WordPress blog for internal development purposes. We duly protected our web application with the vanilla .htaccess directives:

AuthName "Secured"
AuthUserFile /path/to/secret/location/.htpasswd
AuthType Basic
Require valid-user

We were using WordPress to generate RSS data feeds, and were pulling down those feeds into PHPList (we combined the two products using my WP-PHPList WordPress plugin). The problem was, PHPList pulls in RSS feeds via the command line, which (at least out-of-the-box) doesn’t support htauth.

What I needed was a way to force all users to authenticate as normal, EXCEPT certain IPs (like localhost) to whom I’d give unrestricted access.

Some Googling resulted this useful article at AskApache.com, which points out that all I needed was to add:

Allow from 127.0.0.1
Satisfy Any

to my directives, giving me the following:

AuthName "Secured"
AuthUserFile /path/to/secret/location/.htpasswd
AuthType Basic
Require valid-user
Allow from 127.0.0.1
Satisfy Any

The solution works perfectly - normal users are forced to authenticate, but PHPList can suck up RSS feeds without a problem.