logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Basic Auth directory hidden
Author
bogus



Joined: 18 Aug 2020
Posts: 2
Location: changing

PostPosted: Sat 08 Apr '23 21:50    Post subject: Basic Auth directory hidden Reply with quote

I have several directory and file links in an auto-indexed server root. I want one of the directories listed be viewable by the public but when someone clicks on the directory link to access the underlying data (aka other directories and/or files) I want these resources to be protected by an authentication mechanism. I hope this describes the situation precise enough to understand what I'm trying to do. To define authentication (auth_basic) for a directory is no issue but when I define a <Directory> directive and put the authentication directives inside, the directory I'd like to password protect but be public viewable disappears no matter how I define Require or similar directives.

See the following example:

Code:
<Directory "/some/directory/testing">
    AllowOverride AuthConfig
    AuthType Basic
    AuthName "Authentication required"
    AuthUserFile /some/other/.htpasswd
    #AuthBasicProvider dbm
    #AuthDBMUserFile
    Require valid-user
</Directory>


To avoid confusion or unnecessary questions/replies:

the AuthUserFile is not located in a place where a browser couldn't access it.
The authentication mechanism is working when I put the (under these circumstances) hidden directory name in the browser. I.e.:

/ServerName/testing

/some/directory is the server root.
All files and directories in the auto-indexed root are otherwise accessible.

I guess the correct answer to the quiz will be an easy one, or?
Thanks in advance!


Last edited by bogus on Sun 09 Apr '23 11:42; edited 3 times in total
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Sat 08 Apr '23 23:40    Post subject: Reply with quote

For files you can use FilesMatch

Code:

<Directory "/some/directory/testing">
    <FilesMatch "\.(jpg|zip)$">
        AuthType Basic
        AuthName "Authentication required"
        AuthUserFile /some/other/.htpasswd
        Require valid-user
    </FilesMatch>
</Directory>
Back to top
bogus



Joined: 18 Aug 2020
Posts: 2
Location: changing

PostPosted: Sun 09 Apr '23 4:46    Post subject: Reply with quote

It's a directory and an underlying, huge directory structure with hundreds,
probably more than thousand of files I want to password protect.
Everything works fine except, that the directory 'testing' isn't visible when
browsing the auto-indexed root directory...
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Mon 10 Apr '23 20:30    Post subject: Reply with quote

I believe your problem stems from the fact that, to be able to index them as a viewable public directory, the autoindex feature needs access to the very files you're trying to protect.

However, I think I've found a solution that builds on James' reply using FilesMatch, viz:

Code:
<Directory "/some/directory/testing">
    Require all granted

    <FilesMatch "(?i)^(.+)$">
        AuthType Basic
        AuthName "Authentication required"
        AuthUserFile /some/other/.htpasswd
        Require valid-user
    </FilesMatch>

    <FilesMatch "(?i)^(index.php|index.htm|index.html)$">
        Require all granted
    </FilesMatch>

    IndexOptions ShowForbidden
</Directory>

<DirectoryMatch "^/some/directory/testing/(.+)/">
    AllowOverride AuthConfig
    AuthType Basic
    AuthName "Authentication required"
    AuthUserFile /some/other/.htpasswd
    Require valid-user
</DirectoryMatch>

Firstly, in your public <Directory> section, define a <FilesMatch> regular expression that picks up all the files you want to password protect in your 'testing' directory. I've picked all non-null filenames. Next, define a further <FilesMatch> directive to grant access to all the file types listed in DirectoryIndex. This is just index.html by default, but you may have extended this, e.g. index.php. Finally, add the little known ShowForbidden option to the IndexOptions. These constructs should let you anonymously view your public directory listing, whilst protecting access to files within that directory.

Next, declare a DirectoryMatch section to password protect access all content in any subdirectory below your public 'testing' directory.

When I test these constructs, I get the functionality I believe your looking for.
Back to top


Reply to topic   Topic: Basic Auth directory hidden View previous topic :: View next topic
Post new topic   Forum Index -> Apache