0

Essentially what I am trying to do is to limit directory indexing to authenticated users from a htpasswd file on my Apache server. Here is what I have so far.

AuthUserFile C:\XXXXXXXXX\htpasswd
AuthGroupFile /dev/null
AuthName "Password Protected!"
AuthType Basic
<Limit DirectoryIndex>
require valid-user
</Limit>

I have confirmed that this kind of authentication works for normal directory access or for files if I replace "DirectoryIndex" with "GET POST". I tried taking a guess by putting DirectoryIndex in there but it doesn't seem to work. Having googled this issue and looked at a number of other questions here on serverfault, I'm at a loss. If anyone knows how to do this, that would be lovely.

Thanks.

Emanuel Elliott
  • 103
  • 2
  • "limit directory indexing" - Are you referring to the document(s) that the `DirectoryIndex` directive refers to? Or to Apache generated directory-listings (an index of the directory being requested)? – MrWhite Dec 10 '19 at 13:34

1 Answers1

0

DirectoryIndex (part of mod_dir) sets the file to serve when the client requests a directory. So, to restrict access to this file, you need to use a <Files> (or <FilesMatch>) directive. (You can't reference whatever file(s) the DirectoryIndex directive refers to.)

For example, if your DirectoryIndex is set to index.html, then:

<Files "index.html">
    AuthUserFile C:\XXXXXXXXX\htpasswd
    AuthGroupFile /dev/null
    AuthName "Password Protected!"
    AuthType Basic
    Require valid-user
</Files>

If you have multiple possible DirectoryIndex documents then you can use a <FilesMatch> container instead that takes a regex as its argument. For example, if DirectoryIndex index.php index.html is set then:

<FilesMatch "^index\.(html|php)$">
    # etc.
</FilesMatch>

Or, by "directory indexing", are you referring to generated directory-listings (mod_autoindex)? But this has little to do with DirectoryIndex itself, except that (if enabled) the directory listing is only generated when the DirectoryIndex document does not exist.

In this case, to protect the directory-listing only (i.e bare directory) then you can also use a Files container, but specify an empty file. For example:

# Protect directory-listing only
<Files "">
    # etc.
</Files>

<Limit DirectoryIndex>

The Limit directive restricts the enclosed directives to the stated HTTP request method(s) (ie. GET, POST, etc.). DirectoryIndex is an Apache directive, not an HTTP request method, so this is invalid.

MrWhite
  • 11,643
  • 4
  • 25
  • 40
  • Your second solution is what I was trying for. Is there a way to limit it only to actual directory listings and not foo.bar/test/ where there is an index.xxx file? – Emanuel Elliott Dec 11 '19 at 01:49
  • I'm not sure exactly what you mean, but "limiting it only to actual directory listings" is what the 3rd code snippet above does. – MrWhite Dec 12 '19 at 11:05