Apache - How to deny directory but allow one file in that directory

Question

I try to configure my Apache .conf file to deny listing from a certain category, but I want to allow a specific file inside this category. It appears that the Directory rule is "stronger" than the Files rule, so when using both - I can't access that certain file.

This is what I try:

<Directory /var/www/denied_directory>
     order deny,allow
     Deny From All
</Directory>

<Files safefile.php>
    Order Allow,Deny
    Allow from All
</Files>

score 23 · Answer 1 · answered Jun 05 '11 at 15:18

23

It works perfectly if it is configured properly:

   <Directory /var/www/denied_directory>
        Order allow,deny
        <Files test.php>
           Order deny,allow
        </Files>
   </Directory>

answered Jun 05 '11 at 15:18

akond

15,865
4
35
55

2

Same here. 403 Forbidden. Why's this with 20 +votes? – Khom Nazid Mar 19 '18 at 15:49
Doesn't this need a `Deny from all` line inside the directory directive and the `Allow from all` line inside the Files directive??? – RufusVS Mar 08 '19 at 17:15

score 14 · Answer 2 · answered Jul 20 '14 at 16:34

In Apache 2.4, with an additional test on an environment variable for good measure:

See also: Require Directive

<Directory "/wikis/foswiki">

    Require all denied

    # Allow access to toplevel files ending in .html (in particular index.html) only 
    # (comment out if you don't care for this)

    <Files ~ "\.html$">

       <RequireAll>
          Require all granted
          Require not env blockAccess
       </RequireAll>

    </Files>

</Directory>

score 4 · Answer 3 · answered Jun 05 '11 at 15:22

4

put your files directive inside your directory directive.

answered Jun 05 '11 at 15:22

David Chan

7,347
1
28
49

score 2 · Answer 4 · answered Jan 15 '19 at 18:06

To allow a specific file when access is restricted by HTTP password. Be careful, password protection is defined on filesystem basis and specific allowed files are defined by URI. Updated for Apache 2.4.

<Directory /path/to/directory/>
    AuthName SecureArea
    AuthType Basic
    AuthUserFile /path/to/passwd-file
    Require user my-user

    SetEnvIf Request_URI "path/to/uri-allowed-1.php" allowedURL
    SetEnvIf Request_URI "path/to/uri-allowed-2.php" allowedURL
    Require env allowedURL
</Directory>

RufusVS · Answer 5 · 2019-08-02T06:23:47.703

There is a missing line in @acond's answer. I think it needs Allow:

<Directory /var/www/denied_directory>
     order deny,allow
     Deny from All
    <Files safefile.php>
        order deny,allow
        Allow from All
    </Files>
</Directory>

Since there is only one rule in each directive, I suspect the order lines may be irrelevant. Although maybe the outermost one is required, because there is more than one rule nested. (I'm new to apache configuration)

Vahid · Answer 6 · 2019-12-25T11:06:16.700

1

Create an .htaccess file in the directory (folder) and use the block below:

order deny,allow
deny from all

<Files safefile.php>
   allow from all
</Files>

This will allow ../safefile.php file but ../.
If you want to allow ../ (for instance you need to have ../index.php), then you should do this:

order deny,allow
deny from all

<FilesMatch ^(index\.php)?$>
    allow from all
</FilesMatch>

edited Dec 25 '19 at 11:06

answered Dec 25 '19 at 10:49

Vahid

3,384
2
35
69

Are these directives still valid for Apache 2.4? I get internal server error when I use these – taimur alam Jun 29 '21 at 06:09
@taimuralam, I've tested these on Apache 2.2. I'm not sure about 2.4. – Vahid Jun 29 '21 at 13:39

Apache - How to deny directory but allow one file in that directory

6 Answers6

Linked