AutoIndex password protection but not static files with .htaccess
I have public files on my web server. I would like to enable AutoIndexing (Options + Indexes), but I would like to get a password to view these lists. I have no problem configuring Auth, but there are problems with public files and DirectoryIndex files, if someone also asks for a directory and there is a DirectoryIndex file, they don't need to enter a password to do this. For security purposes, only AutoIndexing requires a password.
This is what I came up with:
Options +Indexes
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_FILENAME}index.php -f
RewriteRule ^.*$ %{REQUEST_URI}index.php [R,NE,L]
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_FILENAME}index.html -f
RewriteRule ^.*$ %{REQUEST_URI}index.html [R,NE,L]
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_FILENAME}index.htm -f
RewriteRule ^.*$ %{REQUEST_URI}index.htm [R,NE,L]
<FilesMatch "^$">
AuthName "My Auth Name"
AuthType Basic
AuthUserFile /path/to/my/.htpasswd
Require valid-user
</FilesMatch>
the FilesMatch bit works fine. Any requests for a directory are asked to login, but regular files go through. This is the easy bit, the tricky part is getting the Indexes to render without logging in. The rewrite at the top was my failed attempt to redirect the request before it asked for auth, but not dice, it asks for auth first no matter what.
I've done about 6 hours of research on this and at this point I'm going to give up. Any help would be appreciated.
Edit: Here's an example of a directory structure.
/images/blah.jpg <- does not require a password
/images/ <- requires a password to view listing
/index.html <- does not require a password
/ <- does not require a password because a DirectoryIndex file exists (index.html)
source to share
Just remove the block <FilesMatch>
to apply it to all requests, not just the requesting directories.
Options +Indexes +FollowSymLinks
RewriteEngine On
…
AuthName "My Auth Name"
AuthType Basic
AuthUserFile /path/to/my/.htpasswd
Require valid-user
Edit . Why don't you just turn on indexing for the directories you want to enable?
source to share
I know this is a grave, but I hope this can help anyone Googling out there (e.g. I'm - I'm brand new to all this htaccess stuff).
I wanted to do something like this, albeit easier than I think - I wanted to continue using Apache autoindex when accessing a directory, but have it password protected (instead of disabling it entirely, for my own benefit) - still at the same time, there are any files freely available as long as they are linked directly, so people can access them without the need for a username and password.
The fundamental "Password a directory" trick widely known on the Internet is:
AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/.htpasswd
require valid-user
A simple addition to limit the scope of the require attribute reaching after:
AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/.htpasswd
<Files "">
require valid-user
</Files>
If I try to access a directory without an index file (thus autoindex), I have to enter a username and password.
If I try to access the directory with the index file it loads as usual - no u / p required.
If I try to access the file directly, it loads as normal as above, no u / p required.
As expected, it also affects all subfolders.
It seems that this is how we behave and work fine based on my testing.
source to share