Exclude one folder in htaccess protected directory

Question

I have a directory protected by htaccess. Here is the code I use now:

AuthName "Test Area"
Require valid-user
AuthUserFile "/***/.htpasswd"
AuthType basic

This is working fine. However, I now have a directory inside of this folder that I would like to allow anyone to access, but am not sure how to do it.

I know that it is possible to just move the files outside of the protected directory, but to make a long story short the folder needs to stay inside the protected folder, but be accessible to all.

How can I restrict access to the folder, but allow access to the subfolder?

Answer 1

I hope this one worked for you because i am using it for folder public/images

<If "%{REQUEST_URI} !~ m#^/public/images/*#">
    AuthName "Provider-Main Protected"
    AuthType Basic
    AuthUserFile /your_document_root_folder/.htpasswd
    Require valid-user
</If>

URL http://example.com/public/images allow anyone to access. Other folders have protections.

Answer 2

For Apache 2.4, create a .htaccess file with the following content:

Require all granted

Place it in the subdirectory you want to allow access to.

Answer 3

I don't have enough reputation to add a comment, but two of these answers use the pattern:

SetEnvIf Request_URI "(path/to/directory/)$" allow

to set an environment variable and then check to see if it exists. The part in the quotes is a regular expression. This statement is saying that any path that ENDS with "path/to/directory/" matches and should set the variable, such as "administrationpath/to/directory/", but not "path/to/directory/index.html". The "$" matches the end of the string.

A better match would be:

SetEnvIf Request_URI "^/path/to/directory/" allow

This means the URI path must begin with "/path/to/directory/" (the caret matches the start of the string) but can have additional content after the trailing slash. Note that this requires the trailing slash. To make it optional you could add two rules:

SetEnvIf Request_URI "^/path/to/directory$" allow
SetEnvIf Request_URI "^/path/to/directory/" allow

or, with more pattern matching:

SetEnvIf Request_URI "^/path/to/directory(/.*)?$" allow

The parenthesis and question mark make an optional group and ".*" means zero or more characters.

Personally, I'd either use require all granted 1 in the subfolder's .htaccess or:

require expr "%{REQUEST_URI} =~ m|^/path/to/directory(/.*)?$|" 2 in the parent's.

Answer 4

The accepted answer does not seem to run well with new Apache Versions, since it stopped working as soon as Apache Updates were rolled out on some of my customers servers.

I recommend the following approach:

AuthType Basic
AuthName "NO PUBLIC ACCESS"
AuthUserFile /xxx/.htpasswd

SetEnvIf REQUEST_URI "(path/to/directory/)$" ALLOW

<RequireAny>
  Require env ALLOW
  Require valid-user
</RequireAny>

Answer 5

There is no need to create a .htaccess in the subdirectory.

Just create as many variables as you need with SetEnvIf directive, and be sure the file or path name you want to allw/deny is part of the URI regex you pass to SetEnvIf, exactly like @Sumurai8 said, but set the regex to fit your needs, for the URI should start/end/contain a set of characters............

Answer 6

According to this article you can accomplish this by using SetEnvIf. You match each of the folders and files you want to grand access to and define an environment variable 'allow' for them. Then you add a condition that allows access if this environment variable is present.

You need to add the following directives to your .htaccess.

SetEnvIf Request_URI "(path/to/directory/)$" allow
SetEnvIf Request_URI "(path/to/file\.php)$"  allow
Order allow,deny
Allow from env=allow
Satisfy any

Answer 7

Just create an .htaccess file in the subdirectory with the content:

Satisfy any