6

I want to allow access to a single file in a directory that is otherwise forbidden.

This did not work:

<VirtualHost 10.10.10.10:80>
  ServerName example.com

  DocumentRoot /var/www/html

  <Directory /var/www/html>
    Options FollowSymLinks
    AllowOverride None
    order allow,deny
    allow from all
  </Directory>

  # disallow the admin directory: 
  <Directory /var/www/html/admin>
    order allow,deny
    deny from all
  </Directory>

  # but allow this single file:: 
  <Files      /var/www/html/admin/allowed.php>
      AuthType basic
      AuthName "private area"
      AuthUserFile /home/webroot/.htusers
      Require user admin1
  </Files>

  ...
</VirtualHost>

When I visit http://example.com/admin/allowed.php I get the Forbidden message of the http://example.com/admin/ directory, but not the browser login popup from the basic auth, so the basic auth does not work on the file. How can I make an exception for allowed.php?

If not possible, maybe I could enumerate all forbidden files in another Files directive?

Let's say admin/ also contains user.php and admin.php, which should be forbidden in this virtual host.

Edit: I also tried the following modification, trying to follow advice from Ignacio's answer, with the same result 'Forbidden':

  ...

  # disallow the admin directory: 
  <Directory /var/www/html/admin>
    order allow,deny
    deny from all
  </Directory>

  # but allow this single file:: 
  <Files      /var/www/html/admin/allowed.php>
      order allow,deny
      allow from all
      AuthType basic
      AuthName "private area"
      AuthUserFile /home/webroot/.htusers
      Require user admin1
      satisfy all
  </Files>
  ...
mit

2 Answers

14

Try this:

<Directory /var/www/html/admin>
  <Files allowed.php>
    AuthType basic
    AuthName "private area"
    AuthUserFile /home/webroot/.htusers
    Require user admin1
  </Files>
  order allow,deny
  deny from all
  satisfy any
</Directory>

Files nested inside a Directory will only apply therein so your code block is more logically organized, and I think using the 'Satisfy any' will allow them to be merged as planned. I'm not sure if it's actually required so try it with and without the satisfy line...
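A way to reason about the two configurations before reloading the server, as an added example that is not part of the original answer or of Apache itself: a simplified Python model of the documented `Satisfy` semantics applied to the question's config and to the config above. It assumes that `<Files>` is matched against the file name only and merged after all `<Directory>` sections; `decide`, `effective`, `QUESTION` and `ANSWER` are hypothetical names, and password checking is not modelled.

```python
import fnmatch
import posixpath

def files_matches(pattern, path):
    # Assumption of this model: <Files> is compared with the file name only,
    # so a pattern that contains a directory path never matches.
    return fnmatch.fnmatchcase(posixpath.basename(path), pattern)

def effective(config, path):
    merged = {"host_ok": True, "satisfy": "all", "require": None}
    file_sections = list(config.get("files", []))
    for d in sorted(config["directories"], key=lambda d: len(d["path"])):
        if path.startswith(d["path"].rstrip("/") + "/"):
            merged.update(d["set"])
            file_sections += d.get("files", [])
    for pattern, settings in file_sections:  # <Files> merge after <Directory>
        if files_matches(pattern, path):
            merged.update(settings)
    return merged

def decide(config, path, user=None):
    """Status for a request; `user` is a name whose password already checked out."""
    c = effective(config, path)
    auth_needed = c["require"] is not None
    auth_ok = auth_needed and user in c["require"]
    if c["satisfy"] == "all":            # host check AND login must both pass
        if not c["host_ok"]:
            return 403
        return 200 if (auth_ok or not auth_needed) else 401
    if c["host_ok"]:                     # Satisfy any: either one is enough
        return 200
    if not auth_needed:                  # nothing to log in to, host denial stands
        return 403
    return 200 if auth_ok else 401

ROOT = {"path": "/var/www/html", "set": {"host_ok": True}}
# Constructed from the question: top-level <Files> with a full path.
QUESTION = {
    "directories": [ROOT, {"path": "/var/www/html/admin", "set": {"host_ok": False}}],
    "files": [("/var/www/html/admin/allowed.php", {"require": {"admin1"}})],
}
# Constructed from the first answer: nested <Files allowed.php>, Satisfy any.
ANSWER = {"directories": [ROOT, {
    "path": "/var/www/html/admin", "set": {"host_ok": False, "satisfy": "any"},
    "files": [("allowed.php", {"require": {"admin1"}})]}]}

if __name__ == "__main__":
    for p in ("/var/www/html/admin/allowed.php", "/var/www/html/admin/user.php"):
        print(p, decide(QUESTION, p, "admin1"), decide(ANSWER, p), decide(ANSWER, p, "admin1"))
```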

2

I'm not sure the solution with <Files xxx> actually works well, as the Require doc page states that it doesn't apply to Files:

Context:    directory, .htaccess

Instead, what the Apache doc suggests is to create a separate directory for the file:

Removing controls in subdirectories

The following example shows how to use the Satisfy directive to disable access controls in a subdirectory of a protected directory. This technique should be used with caution, because it will also disable any access controls imposed by mod_authz_host.

<Directory /path/to/protected/>
    Require user david
</Directory>
<Directory /path/to/protected/unprotected>
    # All access controls and authentication are disabled
    # in this directory
    Satisfy Any
    Allow from all
</Directory>
Thomas B in BDX