Apache - match file in all directories - apache

Looking for some guidance on how I can match a specific file in a wildcard of directories.
Example - the rule needs to apply to:
/path/to/folder1/directory/index.php
/path/to/folder2/directory/index.php
/path/to/folder3/directory/index.php
Here is an example of the configuration made. The idea is to ensure that they are prompted for a username/password if this file is accessed:
<FilesMatch "/path/to/*/directory/index.php">
AuthName "Login"
AuthType Basic
AuthUserFile /path/to/.htpasswd
require valid-user
However, that doesn't seem to be working.
EDIT
After the first answer response, I changed the code. The primary purpose of this is to ensure that if anyone accesses the administrator/index.php file, they are asked for username and password via mod_security. Any other index.php files recursive to the administrator directory should not be prompted:
<Directory "/location/to/.*/administrator">
<Files "index.php">
AuthName "Login"
AuthType Basic
AuthUserFile /path/to/.htpasswd
require valid-user
</Files>
</Directory>
Does that do the trick?

Like the <Files> directive, the <FilesMatch> directive operates only on the basename of the file, not on the complete path, so specifying a path name wont work.
Other then that, FilesMatch uses regular expressions by default (<FilesMatch "expression"> is basically the same as <Files ~ "expression">), so "path/*" would actually match path followed by an arbitrary number of slashes, what you ment would be "path/.*" - but like I said, paths don't work with FilesMatch and Files.
But the directives already apply to all subdirectories, so if you put a .htaccess file in the common base directory, it will apply to all subdirectories (unless it's overridden later):
<Files "index.php">
...
</Files>

Related

Permitting access to a dynamically generated folder/file with .htaccess

I have a site (running on a framework, so folders are virtual) with access blocked via .htaccess/.htpasswd, but I want to permit public access to one folder/file. I've tried all of the solutions suggested elsewhere but so far nothing has worked.
Here's the basic .htaccess contents:
AuthUserFile /var/www/vhosts/mysite.com/.htpasswd
AuthName "MySite Restricted Area"
AuthType Basic
Require valid-user
I want to allow access to the URL /api/user/create. I have tried the following variations, all to no effect:
<Files "create">
Allow from all
</Files>
<FilesMatch create$>
Allow from all
</FilesMatch>
SetEnvIf Request_URI "create" allow
Deny from all
Allow from env=allow
It seems like the filename create isn't recognised as a valid file, but I have no idea why the last one doesn't work. :(
The problem is you are using virtual folders. <Files *> only takes effect for files on the disk. You should use the <Location> directive instead.
https://httpd.apache.org/docs/2.4/en/mod/core.html#location

Apache: Allow directory listing but require valid-user to download files

Is it possible with Apache to enable Indexes for a directory and be able to view every file, but at the same time, password protect only certain file types. When I use <FilesMatch "\.(type1|type2)"> they become hidden from the directory listing, but do become password protected. I just need them to be available in the directory listing because... reasons.
Here's what I got that does half the job.
<FilesMatch "\.(dat|mca|mcr)$">
AuthName "Protected Files"
AuthType Basic
AuthUserFile /home/web/maps/.htpasswd
require valid-user
</Files>
<Directory /home/web>
Options +Indexes
</Directory>
IndexOptions +showForbidden will allow autoindex listings for things that may eventually require authentication (or are forbidden for any other reason!)
Consider installing your own indexer; typically this is just a PHP script in the directory itself (index.php) that dynamically retrieves the directory listing. Just like Apache's mod_autoindex would, but potentially with nicer looks.
DIY:
listing files in folder showing index.php
Off-the-shelve:
http://autoindex.sourceforge.net/
http://pdirl.newroots.de/
http://www.evoluted.net/thinktank/web-development/php-directory-listing-script

Exclude folder from htpasswd

I need to password protect a website with a username/password but need to keep the "/assets" folder accessible as files like images/css are being embedded on other sites.
I have this for the protection:
Order Allow,Deny
AuthType Basic
AuthName "Password"
AuthUserFile /var/www/.htpasswd
Require valid-user
Satisfy Any
How can I specify to protect everything bar the /assets folder?
You'd use, in a .htaccess file in the assets/ directory:
Satisfy Any
Order Allow,Deny
Allow from all
See the examples here: http://httpd.apache.org/docs/2.2/mod/core.html#require

Allow some sub-directories of directiories that have restricted access by .htaccess

with .htaccess i created auth limitation on some directories, and i want to allow access to only one of their subdirectory. can you help me how to achieve that?
tnx in adv!
UPDATED: my current .htaccess contains next:
AuthUserFile /var/www/mysite/httpdocs/passwds/.htpasswd
AuthGroupFile /dev/null
AuthName "In development..."
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
If you put .htaccess in one directory, that specific directory and all its children, receive same policy. That means, if you put in any children directory another .htaccess file, it can modify any previously defined policy, same as its parent .htaccess.
Add "Satisfy Any" to the child .htaccess
Order allow,deny
Allow from all
Satisfy any
See apache "Satisfy" docs, it SHOULD work, as this is only solution.

Have sub directory not be password protected using Apache's .htaccess

Currently on my server I have a .htaccess file in the root of my web directory -
AuthUserFile /path/to/root/www/.htpasswd
AuthType Basic
AuthName "Economic Complexity Observatory"
Require valid-user`
And this works great properly password protecting my whole site. The only problem is that I have this one sub directory that I DON'T WANT to to be password protected. Is there a way to specify that one specific directory will be free of password protection?
There is a way just using .htaccess. I saw this answer elsewhere
Just create an .htaccess file in the non-password protected subdirectory with the content:
Satisfy any
and that's it.
It worked for me.
If you have access to httpd.conf you can use the following (the "directory" directive cannot be used in .htaccess):
<Directory />
AuthUserFile /path/to/root/www/.htpasswd
AuthType Basic
AuthName "Economic Complexity Observatory"
Require valid-user
</Directory>
<Directory /path/to/unprotected/dir>
Satisfy All
</Directory>
I am not aware of a way to do it with htaccess without putting a separate .htaccess in each directory excluding the directory that should not be protected.