15

This is probably a simple problem, but I cant find the solution in the documentation.

I want to password protect my website using BASIC authentication. But I want a subdirectory to be non protected :

http://mysite.com/ -> BASIC protected
http://mysite.com/somedir -> BASIC protected
http://mysite.com/someotherdir -> BASIC protected
http://mysite.com/public -> not protected

I have no problem protecting all the site, but I dont know how I can "unprotect" one directory. The site is hosted on a shared host, so I only have access to .htaccess files to do the configuration.

Is there a directive to negate the authentication ?

Thanks for the help ...

Guillaume
  • 1,063
  • 5
  • 12
  • 24
  • 1
    This seems to be the most correct solution: https://stackoverflow.com/questions/2641646/how-to-accomplish-authtype-none-in-apache-2-2 – BryanK Mar 31 '17 at 19:16

4 Answers4

10

Shouldn't be a problem with .htaccess, depending on what the host has allowed.

You could try putting a .htaccess in the sub-folder with the following, although overrides will have to be enabled for the directories it's in.

 Allow From All
 Satisfy Any
Cylindric
  • 1,127
  • 5
  • 24
  • 45
  • 1
    The secret sauce here, IIRC, is to put the .htaccess at the root of your site, but have an entry in that .htaccess file like the one Cylindric talks about. – Paul Lathrop Jul 27 '09 at 16:39
  • And don't forget to add (or make sure there exists) an AllowOverride so the .htaccess will be used. – TCampbell Jul 27 '09 at 17:13
  • 1
    @Paul - I've deleted my answer, but AFAICR Cylindric's answer is currently wrong? A .htaccess file in a subdirectory cannot override one higher up. However the .htaccess file in the parent directory can also include controls (or indeed remove them) for subdirectories. – Alnitak Jul 27 '09 at 17:27
  • I tried both putting a directive in the root folder and in the folder I want to be public, but in both cases I get an HTTP 500. Any other ideas ? – Guillaume Jul 27 '09 at 20:47
  • 1
    You can't use in .htaccess, although you can use and – Alnitak Jul 27 '09 at 21:50
  • This won't work. and directives can't be used in .htaccess (although can). – CK. Aug 06 '09 at 22:26
  • Ok, so WHY is this even an accepted answer if it won't work??? – markus May 28 '14 at 11:12
  • Probably a copy'n'paste error on my part, and then bad testing on the questioner's part. I've removed the erroneous tags. – Cylindric May 29 '14 at 12:10
  • Yes, this works, weirdly enough, I still get the password dialog even though the page shows. I need to click the password dialog away though which is suboptimal. Any idea why that might happen? – markus May 30 '14 at 12:07
7

OK, for a path server.com/private/public:

server.com/private/.htaccess

AuthType Basic
AuthName "Private, keep out."
Require...

server.com/private/public/.htaccess

Allow From All
Satisfy Any

The key here is 'Satisfy Any' which ORs the requirements from upstream together. 'Satisfy All' is the default.

CK.
  • 1,163
  • 6
  • 10
1

I believe this might do it:

# put the global auth stuff here
...

# put the override here
<Location /public>
Allow from All
Satisfy Any
</Location>
Alnitak
  • 21,191
  • 3
  • 52
  • 82
  • It's never a good idea to use s for access control. It only controls access via a name, rather than the resource itself. Thus, anything that provides access to it via a different name (Alias, for example) has no access control applied to it. – CK. Jul 29 '09 at 13:09
  • 1
    @CK Actually you must use Location if the location in question is not a physical directory but merely an "virtual" directory in disguise by something like mod_rewrite. – Natalie Adams Nov 06 '10 at 17:00
1

I managed to solve this doing this:

<Directory "/path/to/maindirectory">
[... auth stuff ... ]
</Directory>

<Directory "/path/to/mysubdirectory">
 Allow from All
 Satisfy Any
</Directory>

Do NOT use Locations, because they're made to be case sensitive and they do not act on actual folder access, but just over the URL.

So, for instance, if I write

http:/mywebsite/STUFF

or

http://mywebsite/stuff

or

http://mywebsite/StUfF

it's different for Location control, even if the physical directory called is the same!!!

In short, you check access for directory "stuff" and I can get in writing it with different case.

Also, using .htaccess file in single directory with location control on others did not work to me.

Hope it helps.

xela92
  • 11
  • 1