When developing web applications that use APIs, it is usually necessary to have the development site accessible for API callback URLs. A good example would be when working with payment gateway systems, which typically post back success or failure of transactions. In this event it is convenient to use HTTP authorisation to prevent outside access (users, crawlers, etc.). The issue with this is that API systems don’t always work with the http://[user]@[password]:[url] method of manually passing through this authentication method.
If this case, and you are using Apache, you can always bypass HTTP authentication altogether;
Order deny,allow Deny from all AuthUserFile "/path/to/htusers" AuthType Basic AuthName "Dev" require valid-user allow from 192.168.1.0/24 # Allow traffic from example internal network addresses allow from 127 # Allow all traffic on loopback address allow from X.X.X.0/24 # Allow all traffic from External IP address range Satisfy Any
The key here is the “Satisfy Any” directive. This instructs Apache to allow a connection to authenticate if any of the conditions are true. Traffic from the specified IP addresses will now bypass authentication, meaning that any API callbacks can poll the application endpoints you have set up. This method does rely on the callbacks coming from a specific IP address or IP range. It may not be a workable solution if the callbacks can originate from multiple unknown addresses, such as cloud services.
The other thing to note; if placed directly into a VirtualHost directive, this gives full access to the site / virtual domain to these IP addresses. This could potentially be an issue, which can be resolved by placing them within Location or Directory directives. This allows you to restrict access to specific directories or URLs within the application. Which you require depends purely upon how your API callbacks are implemented.