A development server I was working on required HTTP authentication due to being public-facing. However a certain application inside can’t work with HTTP authentication so certain paths need to be excluded. Usually this can be done by placing HTTP authentication in the main Apache configuration file (httpd.conf) and put .htaccess file in the directory I want to exclude. .htaccess file has the following content:
Order Deny,Allow
Allow from all
Satisfy any
Please note that this method can be used for physical path only. To exclude virtual path, just add the following lines in Apache main configuration file (httpd.conf) instead:
# Require auth for all except API directory. Change API with your own.
<LocationMatch "(?i)^(?!/API/)[^\.]+$">
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
require valid-user
</LocationMatch>
References:
How to Remove Basic Auth from a Protected Subdirectory (Apache)
Excluding HTTP Authentication Based On URL