Password protection with Apache but allow from a user agent

This post shows how to password protect a website with an Apache .htaccess file, but still allow access for a particular user-agent.

Why?

Allowing a process or browser access by its user-agent isn’t the ideal solution: it’s far better to allow access by IP address. Sometimes it’s necessary, though, when the IP address of the remote process or browser may change but the user-agent will remain the same.

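Ideally this method shouldn’t be used for anything requiring a high level of security, because the User-Agent header is supplied by the client and any request that sends the matching value skips the password prompt. It can still be useful if you need to, like I do, allow access to a payment provider’s callback to let your website know the payment has been successfully processed.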

How?

Add this to your .htaccess file; see below for what you need to substitute:

SetEnvIfNoCase User-Agent [UserAgentName] AllowedUserAgent
AuthUserFile /path/to/.htpasswd
AuthName "Restricted Access"
AuthType Basic
Order deny,allow
Deny from all
Require user [username]
Allow from env=AllowedUserAgent
Satisfy Any

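Change [UserAgentName] to the name of the user agent. The value is a regular expression, matched case-insensitively by SetEnvIfNoCase, so .*google.* would match a user agent with “google” anywhere in it (as would google on its own, because the pattern is not anchored).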

Change /path/to/.htpasswd to the actual location of your password file.

Change [username] to the username(s) you want to allow access.

Real world example

I needed to test PxPay by Direct Payment Solutions (DPS), which uses what they call “fail-proof result notification (FPRN)”. They specifically note that there should not be any conditional logic based on the originating IP address when the payment notification is made.

I can’t really make any assumptions about the user-agent, but it always came through as PXL1 when I tested it, so this is what my .htaccess file looked like:

SetEnvIfNoCase User-Agent PXL1 DPS
AuthUserFile /path/to/.htpasswd
AuthName "Restricted Access"
AuthType Basic
Order deny,allow
Deny from all
Require user [username]
Allow from env=DPS
Satisfy Any
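
The same rule in Apache 2.4's authorization syntax, as an added example that is not the author's configuration: Order, Deny, Allow and Satisfy are the 2.2-era directives, which 2.4 supports only through mod_access_compat. It also anchors the pattern and limits the user-agent exception to the callback script; the file name payment-callback.php is an assumption, and [username] is the same placeholder as above.

```apache
# Added example (Apache 2.4), not the original post's configuration.

# Anchored, case-sensitive match: only a User-Agent that is exactly "PXL1"
# sets the DPS variable. The unanchored form also matches any longer
# string that merely contains PXL1.
SetEnvIf User-Agent "^PXL1$" DPS

AuthUserFile /path/to/.htpasswd
AuthName "Restricted Access"
AuthType Basic

# Default for everything in this directory: password required.
Require user [username]

# Only the payment callback (hypothetical file name) also accepts the
# user agent in place of a password.
<Files "payment-callback.php">
    <RequireAny>
        Require user [username]
        Require env DPS
    </RequireAny>
</Files>
```

With the default AuthMerging Off, the authorization rules inside the Files block replace the directory-level Require for that one file, so every other URL still needs the password.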

I have a number of other recipes and tips for password, IP address, etc. protection with .htaccess in my Apache .htaccess recipes, tips and tricks post, so be sure to check them out.