apache - htaccess exclude one url from Basic Auth

Question

I need to exclude one Url (or even better one prefix) from normal htaccess Basic Auth protection. Something like /callbacks/myBank or /callbacks/.* Do you have any hints how to do it?

What I'm not looking for is how to exclude a file. This has to be url (as this is solution based on PHP framework, and all urls are redirected with mod_rewrite to index.php). So there is no file under this URL. Nothing.

Some of those urls are just callbacks from other services (No IP is not known so I cannot exclude based on IP) and they cannot prompt for User / Password.

Current definition is as simple as:

AuthName "Please login."
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /xxx/.htpasswd
require valid-user 

Answer 1

Using SetEnvIf, you can create a variable when the request starts with some path, then use the Satisfy Any directive to avoid having to login.

# set an environtment variable "noauth" if the request starts with "/callbacks/"
SetEnvIf Request_URI ^/callbacks/ noauth=1

# the auth block
AuthName "Please login."
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /xxx/.htpasswd

# Here is where we allow/deny
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=noauth

The allow/deny chunk of directives says that deny access for EVERYONE, except when there is a valid-user (successful BASIC auth login) or if the noauth variable is set.