Spring Sale! Save 30% on all books w/ code: PLANET24
Web Dev + WordPress + Security

Stupid htaccess Trick: Enable File or Directory Access to Your Password-Protected Site

In this brief tutorial, we are going to enable users to access any file or directory of a site that is password-protected via htaccess. There are many reasons for wanting to employ this technique, including:

  • Share public resources from an otherwise private site
  • Enable visitors to access content during site maintenance
  • Testing and formatting of layout and design during development

As a webmaster, I have used this technique on several occasions. This trick works great for allowing access to any number of files, directories, and/or combination of both. We will begin with a generalized example, proceed with an explanatory discussion, and wrap things up with a couple of useful modifications.

A Generalized Example

Here is the basic htaccess code enabling users to access a specific directory and file on your domain:

# password protection allowing directory and file access
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null 
Require valid-user
SetEnvIf Request_URI "(path/to/directory/)$" allow
SetEnvIf Request_URI "(path/to/file\.php)$"  allow
Order allow,deny
Allow from env=allow
Satisfy any

To use this tasty little nugget, copy & paste into your site’s root (or target directory) htaccess file and edit the following parameters:

  • The phrase “Restricted Area” will be displayed on the password-prompt dialogue box — edit accordingly.
  • Edit the AuthUserFile path to match that of your htaccess password file (e.g., “/home/path/.htpasswd”).
  • Edit the first Request_URI path to match that of your target directory, and/or the second Request_URI path to match that of your target file (delete either one if not needed).

Afterwards, ensure that everything is functioning properly by attempting to access both your password-protected content and newly accessible directory and/or file. To reassure yourself, try using a few free proxies (Google: “free proxy”) to access your various resources.

Discussion

So, how exactly does this fine slice of htaccess code operate? Let’s break it on down..

AuthType Basic
This line specifies the authorization type, enabling Apache to run the correct function. In this case, and in 99% of the cases I have seen, the authorization type is “Basic”.
AuthName "Restricted Area"
Here we are specifying the message that will be displayed with the password-prompt dialogue box. This is a great place to inform visitors of any publicly available content. For example, you could display something like: “Private Site – Public content available at http://domain.tld/content/”
AuthUserFile /home/path/.htpasswd
In this line, we are specifying the location of the user authentication file. This file should not be available via the Internet (i.e., place in a directory above public_html) because it contains the password verification.
AuthGroupFile /dev/null
Here we are specifying the location of the group authorization file, if any. In this example, because we are not authorizing any groups, we specify a “null” value.
Require valid-user
This line instructs Apache to implement the password protection, essentially saying, “require a valid password” before allowing access.
SetEnvIf Request_URI "(path/to/directory/)$" allow
In this line, we are setting the specified URL request as an allow variable. This variable will be checked later in the script. This line essentially says, “associate the specified URL (i.e., path/to/directory/) with an allow variable.”
SetEnvIf Request_URI "(path/to/file\.php)$" allow
As in the previous line, here we are setting the specified URL request as an allow variable. This variable will be checked later in the script. This line essentially says, “associate the specified URL (i.e., path/to/file\.php) with an allow variable.”
Order allow,deny
Here we designate the order in which access parameters will be evaluated. In this case, we want to consider allowed access before denied access. Especially in this example, the order of these two parameters is critical.
Allow from env=allow
In this line, we are telling Apache to allow access to any resource associated with an allow variable.
Satisfy any
Finally, we wrap things up by instructing Apache to apply the directives for any condition in which the specified parameters have been satisfied ;)

Some tweaks and modifications..

Let’s take a look at a couple of potentially useful modifications..

Allow access to multiple site resources

To allow public user access to more resources, set additional allow variables:

# password protection allowing multiple resources
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null 
Require valid-user
# allow public access to the following resources
SetEnvIf Request_URI "(path/to/directory_01/)$"         allow
SetEnvIf Request_URI "(path/to/directory_02/)$"         allow
SetEnvIf Request_URI "(path/to/file\.php)$"             allow
SetEnvIf Request_URI "(path/to/file\.html)$"            allow
SetEnvIf Request_URI "(path/to/another/resource/)$"     allow
SetEnvIf Request_URI "(path/to/yet/another/resource/)$" allow
Order allow,deny
Allow from env=allow
Satisfy any

Of course, you will want to customize this code to reflect the various resources for which you would like to allow public access.

Allow webmaster and other sites open access to entire site

Here’s the scene: you have the entire site password-protected via htaccess. You also have allowed open, public access to various site resources, directories, etc. Now, what if you also want to provide unrestricted access to the entire domain for certain, key individuals and sites? Easy, just use this lil’ chunk of htaccess goodness:

# password protection allowing multiple resources
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null 
Require valid-user
# allow public access to the following resources
SetEnvIf Request_URI "(path/to/directory_01/)$"         allow
SetEnvIf Request_URI "(path/to/directory_02/)$"         allow
SetEnvIf Request_URI "(path/to/file\.php)$"             allow
SetEnvIf Request_URI "(path/to/file\.html)$"            allow
SetEnvIf Request_URI "(path/to/another/resource/)$"     allow
SetEnvIf Request_URI "(path/to/yet/another/resource/)$" allow
Order allow,deny
Allow from env=allow
# allow open access to entire site for select ips and sites
Allow from 777.777.77.7
Allow from 888.888.88.8
Allow from 999.999.99.9
Allow from domains.tld
Allow from website.tld
Allow from example.tld
Satisfy any

To use this code, replace/edit each “Allow from …” line to reflect either the IP address or URL of any sites for which you would like to allow open, unrestricted access. For example, you may want to allow the site administrator(s) open access, along with perhaps a few key validation sites. This is the stuff that web-development dreams are made of!!

Well, that does it for this post. A big thank you goes out to our friend Dave Atkins for inquiring about this technique. And, as always, please share your comments, criticisms, and suggestions with the rest of us ;)

Update

The original version of this article presented a method for allowing open feed access at password-protected sites. Unfortunately, the code did not work as intended thanks to Apache’s virtually complete lack of support for query strings. Needless to say, this article has been rewritten to demonstrate a generalized technique for enabling access to files and directories.

Peace!

About the Author
Jeff Starr = Fullstack Developer. Book Author. Teacher. Human Being.
.htaccess made easy: Improve site performance and security.

20 responses to “Stupid htaccess Trick: Enable File or Directory Access to Your Password-Protected Site”

  1. Can this code be modified for multiple username/passwords to each be directed to a specific directory. I’m looking to use only 2 username/passwords. User1 will be directed to www.domain.com/user1/ and User2 will be directed to www.domain.com/user2/

  2. Perishable 2008/03/03 3:56 pm

    This code is designed to operate on a per-directory basis. Upon attempted access, the user is prompted to enter credentials, which, if verified, will enable access to the resource (file or directory). The directives function as an intermediary security checkpoint and do not redirect unless authentication has failed. I.E., such redirection is possible, but is not included in the script.

  3. Where you say “either the IP address or URL” for the Allow directive, can a URL include subdirectories? E.g.

    Allow from mysite.com/authenticated/

    Thanks.

  4. Perishable 2008/06/14 8:11 am

    Hi Andrew,
    Yes, as far as I know. I haven’t tested it myself, so I would be interested in your findings.
    Regards,
    Jeff

  5. Unfortunately, it does not work for subdirectories for me. e.g Request_URI "(path/to/directory_01/)$" works only for the path/to/directory_01/, not path/to/directory_01/sub1/, path/to/directory_01/sub2/, path/to/directory_01/sub3/, etc.

    Any idea how this could be modified to include all subdirectories of a particular path?

  6. I worked it out, just add Request_URI "(path/to/directory_01/.*/)$"

    the /.*/ pattern matches to all subdirectories of path/to/directory_01.

    Thanks for the great article, saved me a lot of time.

  7. Jeff Starr 2009/05/27 8:55 am

    @Pete: Excellent, glad you worked it out. I was going to mention the fact that the SetEnvIf directives employ regular expressions (which include wildcards) for the directory/file target, but you beat me to the punch! Thanks for posting the follow-up solution as well — it will help others, I’m sure. Cheers :)

  8. hmm.. i am having problems. I always get the login and password box. Basically i want to have a landing page (index.html and it uses files from webimages and lists folder) to show to the public, and password protect everything else.. here is my code:

    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /home/altonlan/.htpasswd
    AuthGroupFile /dev/null
    Require valid-user

    SetenvIf Request_URI "(lists/.*/)$" allowit
    SetenvIf Request_URI "(webimages/.*/)$" allowit
    SetenvIf Request_URI "(index.html)$" allowit

    Order allow,deny
    Allow from env=allowit
    Satisfy any

    Anything i am doing wrong?
    Thanks guys!

  9. Hi alex, not sure what the issue might be, but I recently posted lots of useful password-protection information.

    Hopefully something will click!

  10. Thanks, got it working, the problem was that if you have images or files inside css those need to be added to the allow list as well.

  11. Jeff Starr 2010/03/01 4:21 pm

    Awesome, alex – good to hear you got it sorted. Thanks for posting the followup info.

  12. When I add the ‘ satisfy all’ it allows access to anyone therefor stripping my site of ALL security.

    DODGY

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
Banhammer: Protect your WordPress site against threats.
Thoughts
I live right next door to the absolute loudest car in town. And the owner loves to drive it.
8G Firewall now out of beta testing, ready for use on production sites.
It's all about that ad revenue baby.
Note to self: encrypting 500 GB of data on my iMac takes around 8 hours.
Getting back into things after a bit of a break. Currently 7° F outside. Chillz.
2024 is going to make 2020 look like a vacation. Prepare accordingly.
First snow of the year :)
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.