apache .htaccess show directory index only to authenticated user - apache

i have this directory structure on my web server:
web
privatedir1
privatedir2
publicdir
file1
file2
file3
i want to set the following functionality using .htaccess files:
user 'admin' (authenticated) has unlimited access to all dirs (incl. dir indexes)
anyone else can download file1, file2, file3 but can not see listing (index) of publicdir
can you please describe how to achieve this with .htaccess files?
i know how to allow/disallow directory indexes but i can't figure out how to do it conditionaly (depending on whether the user is authenticated or not)
thank you very much.

Here is a very basic example, but that's how you can do it.
<Directory /srv/dev/>
AllowOverride All
Options +Indexes
AuthType Basic
AuthUserFile /srv/.htpasswd
Require valid-user
</Directory>
<Directory /srv/dev/apps/>
<If "%{REQUEST_URI} != '/'">
Require all granted
</If>
</Directory>

I think your answer might lie at this URL
htaccess allow access to specific user
"You'll need to create a user database/specific user you want to allow with the htpasswd utility. From there, in your htaccess file in the directory you want to limit, use:"
AuthUserFile /path/to/.htpasswd
AuthName "Authorization Form Title"
AuthType Basic
#Allow any valid user
require valid-user
#Allow only one user with specified username
require user username
"More information can be found at plenty of online references, this is one of the first that came up: http://www.apacheweek.com/features/userauth"

Related

htaccess adding password while enabling directories view in browser

Okay this might be a very obvious one however...
I have the following in my .htaccess file
AuthType Basic
AuthName "Message"
AuthUserFile /www/sites/5ce/448/domainname/folder.htpasswd
require valid-user
Which works fine for password protecting the folder it's placed in.
I also have in another .htaccess file (when I remove the first one)
Options +indexes
Which works fine for showing the directory folder and included files on browser.
When I put these together i get Error 500. How do you essentially enable directory view but password protected?
There shouldn't be a space between the + and the indexes.
Try this:
AuthType Basic
AuthName "Message"
AuthUserFile /www/sites/5ce/448/domainname/folder.htpasswd
require valid-user
Options +Indexes

Getting FilesMatch and Satisfy Any to work with sub directories

I'm trying to lock down a tree of directories (but allow through image files) using the following .htaccess rule
AuthType Basic
AuthName "Test Sites. *Please Contact xxxxxxx for access.*"
AuthUserFile /home/www/testsites/.htpasswd
Require valid-user
<FilesMatch "\.(gif|jpe?g|png)$">
Satisfy Any
Allow from all
</FilesMatch>
However, when I try it, I'm still being asked to authenticate against images if the image is not directly within the httpdocs directory.
In other words
http://www.testsites.com/test.jpg would be allowed through, but
http://www.testsites.com/sitename/images/test.jpg is asking for authentication.
Any idea why this might be happening?
Try this alternative approach based on mod_setenvif:
SetEnvIfNoCase Request_URI "\.(gif|jpe?g|png)$" ALLOWED
AuthType Basic
AuthName "Test Sites. *Please Contact xxxxxxx for access.*"
AuthUserFile /home/www/testsites/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=ALLOWED
Not exactly sure why this is happening, as the <Files> and <FilesMatch> is supposed to get applied to all the subdirectories. You could try using SetEnvIf instead to match against the entire URI instead of relying on the apache core to first map the URL to a file:
SetEnvIf Request_URI \.(gif|jpe?g|png)$ no_auth=true
AuthType Basic
AuthName "Test Sites. *Please Contact xxxxxxx for access.*"
AuthUserFile /home/www/testsites/.htpasswd
Require valid-user
Satisfy Any
Deny from All
Allow from env=no_auth

Apache: Allow directory listing but require valid-user to download files

Is it possible with Apache to enable Indexes for a directory and be able to view every file, but at the same time, password protect only certain file types. When I use <FilesMatch "\.(type1|type2)"> they become hidden from the directory listing, but do become password protected. I just need them to be available in the directory listing because... reasons.
Here's what I got that does half the job.
<FilesMatch "\.(dat|mca|mcr)$">
AuthName "Protected Files"
AuthType Basic
AuthUserFile /home/web/maps/.htpasswd
require valid-user
</Files>
<Directory /home/web>
Options +Indexes
</Directory>
IndexOptions +showForbidden will allow autoindex listings for things that may eventually require authentication (or are forbidden for any other reason!)
Consider installing your own indexer; typically this is just a PHP script in the directory itself (index.php) that dynamically retrieves the directory listing. Just like Apache's mod_autoindex would, but potentially with nicer looks.
DIY:
listing files in folder showing index.php
Off-the-shelve:
http://autoindex.sourceforge.net/
http://pdirl.newroots.de/
http://www.evoluted.net/thinktank/web-development/php-directory-listing-script

directory with apache authentication but one file that open to everyone

I would like to have directory protected with apache authentication but one file so I did:
<Directory /path/to/dir>
AuthType Basic
AuthName "Private Pages"
AuthBasicProvider file
AuthUserFile /path/to/.htpasswd
require user userid
<FilesMatch "^exception.html$">
Order Allow,Deny
allow from All
</FilesMatch>
</Directory>
But it not work all the files ask for password.
I tried also with \ before the dot in the file name and with :
<File exception.html>
Nothing help it ask for a password for all the files including exception.html
What I'm doing wrong?
Thanks
You should check out this similar question on serverfault:
How to use basic auth for single file in otherwise forbidden Apache directory?

Exclude folder from htpasswd

I need to password protect a website with a username/password but need to keep the "/assets" folder accessible as files like images/css are being embedded on other sites.
I have this for the protection:
Order Allow,Deny
AuthType Basic
AuthName "Password"
AuthUserFile /var/www/.htpasswd
Require valid-user
Satisfy Any
How can I specify to protect everything bar the /assets folder?
You'd use, in a .htaccess file in the assets/ directory:
Satisfy Any
Order Allow,Deny
Allow from all
See the examples here: http://httpd.apache.org/docs/2.2/mod/core.html#require