I have an Apache 2.4 VirtualHost whose access is restricted by an AuthType Basic:
<VirtualHost ...>
    DocumentRoot /var/www/www.example.com/public
    <Directory /var/www/www.example.com/public>
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.example.com/dc=example,dc=com?uid?sub"
        AuthLDAPBindDN "user"
        AuthLDAPBindPassword "secret"
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
    </Directory>
</VirtualHost>
Using a .htaccess file in /var/www/www.example.com/public I can unprotect images and other assets with:
# Allow assets without HTTP Auth
<FilesMatch "\.(gif|jpe?g|png|css|js|ico)$">
    Satisfy Any
    Allow from all
</FilesMatch>
This setup works: access to the site is restricted, direct links to assets are not restricted.
Now I would like some very specific images to keep their access restriction: say any file named foobar-.*\.jpg.
I tried to add the following to my .htaccess file:
# But do not allow these JPG images
<FilesMatch "foobar-.*\.jpg$">
    Require valid-user
    Order allow,deny
    Satisfy Any
</FilesMatch>
Which seems to work:
The /var/www/www.example.com/public/imgs/foo/foobar-baz.jpg file exists and is correctly displayed at http://www.example.com/imgs/foo/foobar-baz.jpg in a browser where the user is HTTP-logged-in (otherwise they get a 401 Unauthorized).
Using a cURL command:
curl --user foobar:secret -D - -o /dev/null -s http://www.example.com/imgs/foo/foobar-baz.jpg
I get the following errors in my Apache's error.log file:
[Fri Jun 24 13:36:41.989506 2016] [access_compat:error] [pid 26834] [client 1.2.3.4:35251] AH01797: client denied by server configuration: /var/www/www.example.com/public/imgs/foo/foobar-baz.jpg
access.log contains:
1.2.3.4 - foobar [24/Jun/2016:13:36:41 +0200] "GET /imgs/foo/foobar-baz.jpg HTTP/1.0" 200 24652 "-" "curl/7.35.0"
Because of a deployment issue I would like to keep the access configuration in the .htaccess file.
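The symptom in the two log excerpts above, a request that error.log records as denied (AH01797) while access.log records it as served with 200, can be checked for across whole log files. The following Python sketch is an added example, not part of the original post; the function name `denied_but_served`, the 2-second matching window and the log lines marked as constructed are assumptions.

```python
import re
from datetime import datetime, timedelta

DOCROOT = "/var/www/www.example.com/public"  # DocumentRoot from the page's VirtualHost

ERR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[access_compat:error\] \[pid [^\]]+\] "
    r"\[client (?P<ip>[^\]]+):\d+\] AH01797: client denied by server "
    r"configuration: (?P<path>\S+)")
ACC_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

def denied_but_served(error_lines, access_lines, docroot=DOCROOT, window=2):
    """Return (ip, user, uri, status) for 2xx requests that also logged AH01797."""
    denials = []
    for line in error_lines:
        m = ERR_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            denials.append((m["ip"], m["path"], ts))
    hits = []
    for line in access_lines:
        m = ACC_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue
        # Assumption: both logs use the server's local time, so the offset is dropped.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        path = docroot + m["uri"].split("?", 1)[0]  # map URI to filesystem path
        if any(ip == m["ip"] and p == path and abs(t - ts) <= timedelta(seconds=window)
               for ip, p, t in denials):
            hits.append((m["ip"], m["user"], m["uri"], m["status"]))
    return hits

ERROR_LOG = [
    # From the page:
    "[Fri Jun 24 13:36:41.989506 2016] [access_compat:error] [pid 26834] [client 1.2.3.4:35251] AH01797: client denied by server configuration: /var/www/www.example.com/public/imgs/foo/foobar-baz.jpg",
    # Constructed: denial for an unauthenticated client
    "[Fri Jun 24 13:37:02.120000 2016] [access_compat:error] [pid 26835] [client 5.6.7.8:40112] AH01797: client denied by server configuration: /var/www/www.example.com/public/imgs/foo/foobar-baz.jpg",
]
ACCESS_LOG = [
    # From the page:
    '1.2.3.4 - foobar [24/Jun/2016:13:36:41 +0200] "GET /imgs/foo/foobar-baz.jpg HTTP/1.0" 200 24652 "-" "curl/7.35.0"',
    # Constructed: the unauthenticated request is refused, and an open asset is served
    '5.6.7.8 - - [24/Jun/2016:13:37:02 +0200] "GET /imgs/foo/foobar-baz.jpg HTTP/1.1" 401 381 "-" "curl/7.35.0"',
    '1.2.3.4 - - [24/Jun/2016:13:36:40 +0200] "GET /css/site.css HTTP/1.0" 200 512 "-" "curl/7.35.0"',
]

if __name__ == "__main__":
    for hit in denied_but_served(ERROR_LOG, ACCESS_LOG):
        print("denied by access_compat but served:", hit)
```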