Home / server / Questions / 151240
Accepted
mit
Asked: 2010-06-15 14:41:56 +0800 CST

How to use basic auth for single file in otherwise forbidden Apache directory?

  • 772

I want to allow access to a single file in a directory that is otherwise forbidden.

This did not work:

<VirtualHost 10.10.10.10:80>
  ServerName example.com

  DocumentRoot /var/www/html

  <Directory /var/www/html>
    Options FollowSymLinks
    AllowOverride None
    order allow,deny
    allow from all
  </Directory>

  # disallow the admin directory: 
  <Directory /var/www/html/admin>
    order allow,deny
    deny from all
  </Directory>

  # but allow this single file:: 
  <Files      /var/www/html/admin/allowed.php>
      AuthType basic
      AuthName "private area"
      AuthUserFile /home/webroot/.htusers
      Require user admin1
  </Files>

  ...
</VirtualHost>

When I visit http://example.com/admin/allowed.php I get the Forbidden message of the http://example.com/admin/ directory, but not the browser login popup from the basic auth, so the basic auth does not work on the file. How can I make an exception for allowed.php?

If not possible, maybe I could enumerate all forbidden files in another Files directive?

Let's say admin/ contains also user.php and admin.php which should be forbidden in this virtual host.

Edit: I also tried the following modification, trying to follow advice from Ignacio's answer, with the same result 'Forbidden':

  ...

  # disallow the admin directory: 
  <Directory /var/www/html/admin>
    order allow,deny
    deny from all
  </Directory>

  # but allow this single file:: 
  <Files      /var/www/html/admin/allowed.php>
      order allow,deny
      allow from all
      AuthType basic
      AuthName "private area"
      AuthUserFile /home/webroot/.htusers
      Require user admin1
      satisfy all
  </Files>
  ...
apache-2.2 security virtualhost http-authentication

2 Answers

  1. Best Answer

    Try this:

    <Directory /var/www/html/admin>
  <Files allowed.php>
    AuthType basic
    AuthName "private area"
    AuthUserFile /home/webroot/.htusers
    Require user admin1
  </Files>
  order allow,deny
  deny from all
  satisfy any
</Directory>

    Files nested inside a Directory will only apply therein so your code block is more logically organized, and I think using the 'Satisfy any' will allow them to be merged as planned. I'm not sure if it's actually required so try it with and without the satisfy line...

    • 14

  2. I'm not sure the solution with <Files xxx> actually works well, as the Require doc page states that it doesn't apply to Files 

    Context:    directory, .htaccess

    Instead what the apache doc suggests is to create a separate directory for the file:

    Removing controls in subdirectories

    The following example shows how to use the Satisfy directive to disable access controls in a subdirectory of a protected directory. This technique should be used with caution, because it will also disable any access controls imposed by mod_authz_host.

    <Directory /path/to/protected/>
    Require user david
</Directory>
<Directory /path/to/protected/unprotected>
    # All access controls and authentication are disabled
    # in this directory
    Satisfy Any
    Allow from all
</Directory>
    • 2