Hiding a HTTP Auth-Realm by sending 404 to non-known IPs?

Posted by zhenech on Server Fault See other posts from Server Fault or by zhenech
Published on 2013-11-06T11:15:41Z Indexed on 2013/11/06 15:57 UTC
Read the original article Hit count: 278

I have an Apache (2.2) serving a web-app on example.com. That web-app has a debug-page reachable via example.com/debug. /debug is currently protected with a HTTP basic auth. As there is only a very small user-base who has access to the debug-page, I would like to hide it based on IP address and return 404 to clients not accessing from our VPN.

Serving a 404 based on IP-address only is easy and is described in http://serverfault.com/a/13071. But as soon I add authentication, the users see a 401 instead of a 404.

Basically, what I need is:

if ($REMOTE_ADDR ~ 10.11.12.*):
  do_basic_auth (aka return 401)
else:
  return 404

© Server Fault or respective owner

Related posts about apache2

Related posts about http-basic-authentication