Configure basic .htaccess authentication
This document describes how to configure basic .htaccess authentication for the Storefront and the Back Office.
You can’t protect Glue endpoints with basic AUTH, and we do not recommend using basic AUTH for production environments. Instead, consider other options, like IP allowlisting.
To set up the .htaccess authentication, see the steps in the following sections.
Define login details and endpoints
- Add login details to deploy.*.yml of the desired environment as follows:

    version: "0.1"

    x-frontend-auth: &frontend-auth
      auth:
        engine: basic
        users:
          - username: {secure_username} # Replace the placeholder and the brackets with the actual username
            password: {secure_password} # Replace the placeholder and the brackets with the actual password

- In the same deploy.*.yml, define the endpoints that must be protected by adding <<: *frontend-auth to each desired endpoint as follows:

    ...
    groups:
      EU:
        region: EU
        applications:
          yves_eu:
            application: yves
            endpoints:
              date-time-configurator-example.spryker.local:
                entry-point: Configurator
              yves.de.spryker.local:
                store: DE
                <<: *frontend-auth
                services:
                  ...

- Bootstrap the Docker setup with the adjusted deploy file:

    docker/sdk boot deploy.*.yml

- Build and start the instance:

    docker/sdk up

Open a protected endpoint and make sure that you are prompted to enter the defined username and password.
You’ve configured basic authentication.
Exclude IP addresses from .htaccess authentication
To allow clients with desired IP addresses to bypass the .htaccess authentication, adjust the deploy.*.yml of the desired environment as follows:

    version: "0.1"

    x-frontend-auth: &frontend-auth
      auth:
        engine: basic
        users:
          - username: {secure_username} # Replace the placeholder and the brackets with the actual username.
            password: {secure_password} # Replace the placeholder and the brackets with the actual password.
        exclude:
          {ip_address} # Replace the placeholder and the brackets with the actual IP address.

Open a protected endpoint from the excluded IP address and make sure that you are not prompted to enter the login details.
You’ve excluded IP addresses from authentication.
Using allow-listing to protect endpoints and application parts
As an alternative to basic authentication, you can use the deny and allowlist engines to determine which IPs can communicate with different application parts. The following example allows the AWS application environment IPs and the specified IPs to access the backoffice application.

    boffice:
      application: backoffice
      endpoints:
        backoffice.example.com.:
          store: TR
          <<: *real-ip
          auth:
            engine: whitelist
            include:
              - '${ALLOWED_IP}' # AWS gateway
              - 195.xx.xx.xx
              - 128.xx.xx.xx
              - 128.xx.xx.xx

You can use the same configuration for other application parts, such as backgw or boffice. Make sure to thoroughly test such changes in non-production environments to prevent connectivity issues in your application. For configuration reference on allow- and deny-listing, see groups: applications:.
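
The following Python check is an added example, not part of the Spryker documentation or tooling. It walks a parsed deploy.*.yml and reports endpoints that have no auth block, as well as exclude or include entries that cover very wide IP ranges. It assumes the file was loaded with a YAML parser that resolves merge keys such as <<: *frontend-auth; the sample data, the names audit and too_broad, and the /16 threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the shape of a deploy.*.yml after YAML loading,
# with merge keys such as `<<: *frontend-auth` already resolved by the parser.
SAMPLE = {"groups": {"EU": {"region": "EU", "applications": {
    "yves_eu": {"application": "yves", "endpoints": {
        "date-time-configurator-example.spryker.local": {"entry-point": "Configurator"},
        "yves.de.spryker.local": {"store": "DE", "auth": {
            "engine": "basic", "users": [{"username": "demo", "password": "demo"}],
            "exclude": ["203.0.113.7", "0.0.0.0/0"]}},
    }},
    "boffice": {"application": "backoffice", "endpoints": {
        "backoffice.example.com": {"store": "TR", "auth": {
            "engine": "whitelist", "include": ["${ALLOWED_IP}", "198.51.100.0/24"]}},
    }},
}}}}

MAX_HOSTS = 65536  # assumption: anything wider than a /16 is treated as too broad


def too_broad(entry):
    """True if an IP/CIDR entry covers more than MAX_HOSTS addresses."""
    try:
        return ipaddress.ip_network(str(entry), strict=False).num_addresses > MAX_HOSTS
    except ValueError:
        return False  # e.g. '${ALLOWED_IP}', substituted at deploy time; not checkable here


def audit(deploy):
    """Return sorted (endpoint, finding) pairs for a parsed deploy file."""
    findings = []
    for group in deploy.get("groups", {}).values():
        for app in group.get("applications", {}).values():
            for host, cfg in (app.get("endpoints") or {}).items():
                auth = (cfg or {}).get("auth")
                if not auth:
                    findings.append((host, "no auth block"))
                    continue
                # basic: excluded IPs skip the prompt; whitelist: included IPs get access
                key = "exclude" if auth.get("engine") == "basic" else "include"
                entries = auth.get(key) or []
                entries = [entries] if isinstance(entries, str) else entries
                for entry in entries:
                    if too_broad(entry):
                        findings.append((host, f"{key} entry {entry} is too broad"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Endpoints reported with no auth block are not necessarily misconfigured, since Glue endpoints cannot use basic AUTH; treat that finding as a list to review.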