Drupal + .htpasswd: How to lock down a dev site but allow access to single path

So I have a development site set up running Drupal. I've locked the site down with basic HTTPAuth + htpasswd to keep out baddies.

The problem is that a single node, a webform, needs to be accessible on this dev site from the live site.

My question is: because of Drupal's convoluted bootstrapping process, how would I go about allowing access to only this single file/URL?

My vhost config for htpasswd:

<Directory />
   AuthUserFile /var/www/.htpasswd
   AuthName "my radbad dev site"
   AuthType Basic
   Require valid-user
</Directory>

I've tried something like the following without success:

<Location "/node/1334">
   Allow from all
   Satisfy any
</Location>


You can't do it like that, because the webform isn't a file, it's dynamically generated from info you gave Drupal (which it put in the DB). All Drupal URIs (apart from your uploaded files) are index.php sending you to the right place. There's no way to tell httpauth that sometimes index.php may be accessed freely and sometimes it requires auth.

There are several options for controlling access via a Drupal module, or (if your live site is Drupal) you could just give it the same webform, but no amount of tweaking around with httpauth will solve your problem.


<Location>-directives are applied after .htaccess is processed. This means mod_rewrite already did its thing and the URL is now /index.php?q=node/1334. This is bad, because <Location> cannot be used for configurations based on the query string. See <Location> directive and How the sections are merged for details.

You will have to come up with a totally different solution, like making the Drupal database available under some other URL that is not accessible from outside.


If you want to go the HTTP authentication route, consider the Secure Site module instead of editing .htaccess and creating a .htpasswd file. That's an error-prone process, while Secure Site gives you a form which you can use to type in a path you want excluded from securing. Even better, it uses the Drupal authentication system, so you can deny/allow people to the site based on Drupal roles and permissions.
