Password protecting AutoIndex but not static files with .htaccess

Question

I have publicly accessible files on my webserver. I'd like to enable AutoIndexing (Options +Indexes) but I'd like to require a password in order to view these listings. I have no problem setting up the Auth but there are complications with the public files and the DirectoryIndex files in that if someone also asks for a directory, and there is an DirectoryIndex file, they shouldn't have to enter a password for this. Only the AutoIndexing should require a password for security reasons.

Here is what I came up with:

Options +Indexes
Options +FollowSymLinks

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_FILENAME}index.php -f
RewriteRule ^.*$ %{REQUEST_URI}index.php [R,NE,L]
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_FILENAME}index.html -f
RewriteRule ^.*$ %{REQUEST_URI}index.html [R,NE,L]
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_FILENAME}index.htm -f
RewriteRule ^.*$ %{REQUEST_URI}index.htm [R,NE,L]

<FilesMatch "^$">
AuthName "My Auth Name"
AuthType Basic
AuthUserFile /path/to/my/.htpasswd
Require valid-user
</FilesMatch>

The FilesMatch bit works fine. Any request for a directory is asked to log in but normal files pass through. That's the easy bit, the hard part is getting the DirectoryIndexes to render without logging in. The rewrite at the top was my failed attempt to redirect the request before it asked for the auth, but no dice, it asks for the auth first no matter what.

I've done about 6 hours of research on this and at this point I'm about to give up. Any help would be appreciated.

Edit: here is an example directory structure.

/images/blah.jpg   <- does not require a password
/images/           <- requires a password to view listing
/index.html        <- does not require a password
/                  <- does not require a password because a DirectoryIndex file exists (index.html)

Answer 1

I know this is a gravedig but I hope it might help anyone Googling out there (such as myself -- I'm brand new to all this htaccess stuff).

I wanted to do something similar, albeit simpler I think - I wanted to continue use of the Apache autoindex when accessing a directory, but have it password protected (rather than disable it altogether, for my own benefit) - yet at the same time, have any files freely accessible if linked directly, so people can access them without the need for a username and password.

The fundamental "Password a directory" trick widely shown around the internet is this:

AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/.htpasswd
require valid-user

A simple addition limiting the scope of the require attribute achieved what I was after:

AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/.htpasswd
<Files "">
require valid-user
</Files>

If I attempt to access a directory with no index file (thus autoindexed), I have to input a username and password.

If I attempt to access a directory with a index file, it loads up as normal - no u/p required.

If I attempt to access a file directly, it loads up as normal, as above, no u/p required.

As probably expected, it impacts likewise on all subfolders.

Seems to behave this way and work just fine based on my testing thus far.

Answer 2

Just remove the <FilesMatch> block to apply it on all requests and not just those requesting directories.

Options +Indexes +FollowSymLinks

RewriteEngine On
…

AuthName "My Auth Name"
AuthType Basic
AuthUserFile /path/to/my/.htpasswd
Require valid-user

---

Edit    Why don’t you just enable indexing for those directories you want to allow it for?