HowTo: Configure basic .htaccess authentication


This document describes how to configure basic .htaccess authentication for the Storefront and the Back Office.

Important

You can’t protect Glue endpoints with basic AUTH, and we do not recommend using the basic AUTH for production environments. Instead of the basic AUTH, consider other options, like IP allowlisting.

To set up the .htaccess authentication, see the steps in the following sections.

Define login details and endpoints

  1. Add login details to deploy.*.yml of the desired environment as follows:

version: "0.1"

x-frontend-auth: &frontend-auth
    auth:
        engine: basic
        users:
            - username: {secure_username} # Replace the placeholder and the brackets with the actual username
              password: {secure_password} # Replace the placeholder and the brackets with the actual password

  2. In the same deploy.*.yml, define the endpoints that must be protected by adding <<: *frontend-auth to each desired endpoint as follows:

...
groups:
    EU:
        region: EU
        applications:
            yves_eu:
                application: yves
                endpoints:
                    date-time-configurator-example.spryker.local:
                        entry-point: Configurator
                    yves.de.spryker.local:
                        store: DE
                        <<: *frontend-auth
                        services:
...

  3. Bootstrap the Docker setup with the adjusted deploy file:

docker/sdk boot deploy.*.yml

  4. Build and start the instance:

docker/sdk up

Verification

Open a protected endpoint and make sure that you are prompted to enter the defined username and password.

You’ve configured basic authentication.

Exclude IP addresses from .htaccess authentication

To allow clients with desired IP addresses to bypass the .htaccess authentication, adjust the deploy.*.yml of the desired environment as follows:

version: "0.1"

x-frontend-auth: &frontend-auth
    auth:
        engine: basic
        users:
            - username: {secure_username} # Replace the placeholder and the brackets with the actual username.
              password: {secure_password} # Replace the placeholder and the brackets with the actual password.
        exclude:
            - {ip_address} # Replace the placeholder and the brackets with the actual IP address. Add one list item per address.

Verification

Open a protected endpoint from the excluded IP address and make sure that you are not prompted to enter the login details.

You’ve excluded IP addresses from authentication.
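
The two verification steps above can also be run from a terminal. The following script is an added example, not part of the Spryker Docker SDK: it classifies an endpoint's response headers and then repeats the request with credentials. The file name check_auth.sh, the BASIC_USER and BASIC_PASS variables, the sample realm, and the http:// scheme are assumptions; the password must not contain double quotes or backslashes.

```shell
#!/bin/sh
# Added example (not Spryker code): check that an endpoint enforces basic auth.
# Usage (hypothetical file name):
#   BASIC_USER=... BASIC_PASS=... sh check_auth.sh http://yves.de.spryker.local

# Constructed sample response headers, used for offline checks of the parser.
SAMPLE_PROTECTED='HTTP/1.1 401 Unauthorized
Server: nginx
WWW-Authenticate: Basic realm="Restricted"'
SAMPLE_OPEN='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

# Classify raw response headers ($1) as:
#   protected | challenge-not-basic | no-challenge
classify_response() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        NR == 1 { status = $2 }
        tolower($1) == "www-authenticate:" && tolower($2) == "basic" { basic = 1 }
        END {
            if (status == "401" && basic) print "protected"
            else if (status == "401") print "challenge-not-basic"
            else print "no-challenge"
        }'
}

# Probe URL ($1) without credentials, then with the configured ones.
verify_endpoint() {
    anon=$(curl -sS -I --max-time 10 "$1") || return 2
    verdict=$(classify_response "$anon")
    echo "without credentials: $verdict"
    [ "$verdict" = "protected" ] || return 1
    # Credentials reach curl on stdin (-K -), so they stay off its command line.
    code=$(printf 'user = "%s:%s"\n' "$BASIC_USER" "$BASIC_PASS" |
        curl -sS -o /dev/null -w '%{http_code}' --max-time 10 -K - "$1") || return 2
    echo "with credentials: HTTP $code"
    [ "$code" != "401" ]
}

# Only touch the network when a URL is given.
if [ "$#" -gt 0 ]; then
    verify_endpoint "$1"
fi
```

From a regular client the expected first line is "without credentials: protected". From an excluded IP address the expected result is "no-challenge", and the script stops there with exit status 1.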