Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: Basic Auth directory hidden |
|
Author |
|
bogus
Joined: 18 Aug 2020 Posts: 2 Location: changing
|
Posted: Sat 08 Apr '23 21:50 Post subject: Basic Auth directory hidden |
|
|
I have several directory and file links in an auto-indexed server root. I want one of the directories listed be viewable by the public but when someone clicks on the directory link to access the underlying data (aka other directories and/or files) I want these resources to be protected by an authentication mechanism. I hope this describes the situation precise enough to understand what I'm trying to do. To define authentication (auth_basic) for a directory is no issue but when I define a <Directory> directive and put the authentication directives inside, the directory I'd like to password protect but be public viewable disappears no matter how I define Require or similar directives.
See the following example:
Code: | <Directory "/some/directory/testing">
AllowOverride AuthConfig
AuthType Basic
AuthName "Authentication required"
AuthUserFile /some/other/.htpasswd
#AuthBasicProvider dbm
#AuthDBMUserFile
Require valid-user
</Directory> |
To avoid confusion or unnecessary questions/replies:
the AuthUserFile is not located in a place where a browser couldn't access it.
The authentication mechanism is working when I put the (under these circumstances) hidden directory name in the browser. I.e.:
/ServerName/testing
/some/directory is the server root.
All files and directories in the auto-indexed root are otherwise accessible.
I guess the correct answer to the quiz will be an easy one, or?
Thanks in advance!
Last edited by bogus on Sun 09 Apr '23 11:42; edited 3 times in total |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7375 Location: Germany, Next to Hamburg
|
Posted: Sat 08 Apr '23 23:40 Post subject: |
|
|
For files you can use FilesMatch
Code: |
<Directory "/some/directory/testing">
<FilesMatch "\.(jpg|zip)$">
AuthType Basic
AuthName "Authentication required"
AuthUserFile /some/other/.htpasswd
Require valid-user
</FilesMatch>
</Directory>
|
|
|
Back to top |
|
bogus
Joined: 18 Aug 2020 Posts: 2 Location: changing
|
Posted: Sun 09 Apr '23 4:46 Post subject: |
|
|
It's a directory and an underlying, huge directory structure with hundreds,
probably more than thousand of files I want to password protect.
Everything works fine except, that the directory 'testing' isn't visible when
browsing the auto-indexed root directory... |
|
Back to top |
|
tangent Moderator
Joined: 16 Aug 2020 Posts: 349 Location: UK
|
Posted: Mon 10 Apr '23 20:30 Post subject: |
|
|
I believe your problem stems from the fact that, to be able to index them as a viewable public directory, the autoindex feature needs access to the very files you're trying to protect.
However, I think I've found a solution that builds on James' reply using FilesMatch, viz:
Code: | <Directory "/some/directory/testing">
Require all granted
<FilesMatch "(?i)^(.+)$">
AuthType Basic
AuthName "Authentication required"
AuthUserFile /some/other/.htpasswd
Require valid-user
</FilesMatch>
<FilesMatch "(?i)^(index.php|index.htm|index.html)$">
Require all granted
</FilesMatch>
IndexOptions ShowForbidden
</Directory>
<DirectoryMatch "^/some/directory/testing/(.+)/">
AllowOverride AuthConfig
AuthType Basic
AuthName "Authentication required"
AuthUserFile /some/other/.htpasswd
Require valid-user
</DirectoryMatch> |
Firstly, in your public <Directory> section, define a <FilesMatch> regular expression that picks up all the files you want to password protect in your 'testing' directory. I've picked all non-null filenames. Next, define a further <FilesMatch> directive to grant access to all the file types listed in DirectoryIndex. This is just index.html by default, but you may have extended this, e.g. index.php. Finally, add the little known ShowForbidden option to the IndexOptions. These constructs should let you anonymously view your public directory listing, whilst protecting access to files within that directory.
Next, declare a DirectoryMatch section to password protect access all content in any subdirectory below your public 'testing' directory.
When I test these constructs, I get the functionality I believe your looking for. |
|
Back to top |
|
|
|
|
|
|