I created a password protected directory using .htaccess and .htpasswd, but the files don't show up when I go to the directory URL.

I have this in my .htaccess:

```apache
#Protect multiple files
<FilesMatch "^(.*).csv$">
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /xxxxx/test
#AuthUserFile ".htpasswd"
Require valid-user
</FilesMatch>
```

Directory listing - not showing the CSV files

UPDATE: I'm protecting the CSV files in that directory. They disappear from the directory listing when that auth directive is set. They show up when I remove it. I want to be able to at least see the files in the directory listing, but when accessing these files it would offer an auth prompt.

MrWhite
  • 1
    Does this answer your question? [how to configure apache to view hidden (\`.\`) files?](https://serverfault.com/questions/245922/how-to-configure-apache-to-view-hidden-files) – djdomi Jun 16 '21 at 14:14
  • "when I goto _the_ URL" - What URL? You have your mod_auth... directives in a `<FilesMatch>` container, but from your screenshot you would seem to be requesting a directory? Please explain exactly what you are trying to protect, what request(s) you are making and what the expected outcome is? – MrWhite Jun 16 '21 at 14:28
  • 1
    I'm protecting the CSV files in that directory. They disappear when that auth directive is set. It shows up when I remove it. I want to be able to at least see the files, but when accessing these files it would offer an auth prompt. – Patoshi パトシ Jun 16 '21 at 14:39

1 Answer

> I'm protecting the CSV files in that directory. They disappear when that auth directive is set. It shows up when I remove it. I want to be able to at least see the files, but when accessing these files it would offer an auth prompt.

When a directory listing is generated using `mod_autoindex`, an internal subrequest is issued for each file that appears in the directory listing. When using a `<FilesMatch "^(.*).csv$">` container then it is also being processed for these subrequests and consequently the entry of these files in the directory listing is also blocked.

An alternative to using the `<FilesMatch>` directive is to use an `<If>` expression and test against the `THE_REQUEST` server variable instead. This is then only successful when the `.csv` files are actually requested by the user and not when browsing the directory listing.

For example:

```apache
# Directory listings (mod_autoindex) need to be enabled
Options +Indexes

# Protect CSV files from being accessed, but still visible in directory listing
<If "%{THE_REQUEST} =~ m#\.csv(\s|\?)#">
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /xxxxx/test
Require valid-user
</If>
```

`THE_REQUEST` contains the first line of the HTTP request, e.g. `GET /foo/test.csv HTTP/1.1` (in the case of a GET request for `/foo/test.csv`), and does not change throughout the request. So when requesting the directory itself, e.g. `/foo/`, the enclosed block is not processed and the listing of these files is not blocked.

The added complication is that `THE_REQUEST` contains the entire URL as requested, which could include a query string. So, the check for `(\s|\?)` (i.e. whitespace or a literal `?`) is to avoid the password check being bypassed by simply including a query string, e.g. `/foo/test.csv?anything`.

MrWhite
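
The `(\s|\?)` check from the answer above can be exercised offline before deploying the rule. This is an added example, not part of the original answer: it uses Python's `re` as a stand-in for Apache's expression regex, and the request lines, the `WHITESPACE_ONLY` comparison pattern and the function names are constructed for illustration.

```python
import re

# The answer's pattern: ".csv" followed by whitespace (end of URL) or "?" (query string).
PAGE_PATTERN = re.compile(r"\.csv(\s|\?)")
# Hypothetical weaker variant without the "?" alternative, for comparison only.
WHITESPACE_ONLY = re.compile(r"\.csv\s")

# Constructed request lines (what THE_REQUEST would hold) paired with
# whether the auth block is intended to apply.
SAMPLES = [
    ("GET /foo/ HTTP/1.1", False),                   # the directory listing itself
    ("GET /foo/?C=N;O=D HTTP/1.1", False),           # mod_autoindex column-sort link
    ("GET /foo/test.csv HTTP/1.1", True),
    ("HEAD /foo/test.csv HTTP/1.1", True),
    ("GET /foo/test.csv?anything HTTP/1.1", True),   # query string appended
    ("GET /foo/notes.csv.txt HTTP/1.1", False),      # not a .csv file
]


def auth_required(request_line, pattern=PAGE_PATTERN):
    """True when the <If> block would apply to this request line."""
    return pattern.search(request_line) is not None


def gaps(pattern):
    """Sample request lines where the pattern's decision differs from the intended one."""
    return [line for line, expected in SAMPLES
            if auth_required(line, pattern) != expected]


if __name__ == "__main__":
    for name, pat in (("page pattern", PAGE_PATTERN),
                      ("whitespace only", WHITESPACE_ONLY)):
        print(f"{name}: mismatches -> {gaps(pat)}")
```
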