
How to disable Basic Auth for a specific API endpoint

If you are using Upsun's native HTTP Access Control (Basic Authentication) to protect a development or staging environment, you cannot disable it for a specific URL path (such as /api/ or /admin/api) via your .platform.app.yaml or .upsun/config.yaml configuration.

Upsun's native access control applies globally to the entire environment, so it also blocks frontend applications or external services trying to reach your API.

To protect your site while leaving specific API routes public, you must disable the environment-level HTTP Access Control and use one of the following alternative methods.

Alternative Solutions

1. App-Level Authentication (Recommended)

The most robust solution is to handle the Basic Authentication within your application's code (e.g., Shopware, Laravel, Express).

By turning off Upsun's access control and passing all traffic to your application, you can use your framework's routing or middleware to enforce password protection on standard web pages while explicitly bypassing the auth check for your API routes.
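One way to write such a middleware for Express, as an added example that is not Upsun's or any framework's own code. It uses only Node's standard library; the names PUBLIC_PREFIXES, isPublicPath and stagingBasicAuth are hypothetical, and it assumes the middleware is mounted at the application root.

```javascript
const crypto = require('node:crypto');

// Hypothetical name: path prefixes that skip the staging password prompt.
const PUBLIC_PREFIXES = ['/api/'];

// Hash both values so timingSafeEqual always receives equal-length buffers.
function safeEqual(a, b) {
  const digest = (s) => crypto.createHash('sha256').update(s).digest();
  return crypto.timingSafeEqual(digest(a), digest(b));
}

// Match on the normalized path: the query string is dropped and "." / ".."
// segments are resolved, so "/api/../admin" is checked as "/admin".
function isPublicPath(rawUrl) {
  if (typeof rawUrl !== 'string' || !rawUrl.startsWith('/')) return false;
  let path;
  try {
    // Prepending a fixed origin keeps "//host/api/" from parsing as a hostname.
    path = new URL('http://placeholder.invalid' + rawUrl).pathname;
  } catch {
    return false; // unparseable URL: require authentication
  }
  return PUBLIC_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// Returns middleware with the Express (req, res, next) signature.
function stagingBasicAuth(user, pass) {
  return function (req, res, next) {
    if (isPublicPath(req.url)) return next();
    const [scheme, encoded] = (req.headers.authorization || '').split(' ');
    if (scheme === 'Basic' && encoded) {
      const decoded = Buffer.from(encoded, 'base64').toString('utf8');
      const sep = decoded.indexOf(':');
      // Evaluate both comparisons before combining them (no short-circuit).
      const userOk = safeEqual(decoded.slice(0, sep), user);
      const passOk = safeEqual(decoded.slice(sep + 1), pass);
      if (sep !== -1 && userOk && passOk) return next();
    }
    res.statusCode = 401;
    res.setHeader('WWW-Authenticate', 'Basic realm="Staging"');
    res.end('Authentication required');
  };
}
```

Register it ahead of your routes with `app.use(stagingBasicAuth(process.env.STAGING_USER, process.env.STAGING_PASS))`, where both variable names are placeholders for credentials you define on the environment.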

2. CDN-Level Authentication (Fastly)

If you are using a Content Delivery Network like Fastly, you can implement Basic Authentication at the edge.

Using Fastly's custom Varnish Configuration Language (VCL), you can write logic that prompts for a password on most requests, but explicitly allows requests starting with /api/ to pass through unauthenticated.

3. Varnish Service

If you do not want to use a CDN or handle it in your app code, you can add a Varnish service directly to your project.

Similar to the Fastly approach, you can write custom VCL to inspect the URL path and enforce Basic Authentication only on non-API routes before the traffic reaches your application container.
