Password Protecting Web Directories and Files

Question

A user enters my website and arrives at the home page, he/she should always and only be at home page. All other files are scripts that are run by the homepage but the user should never navigate to them. So here's my directory layout:

They will arrive at Front.php and should always stay at Front. So I created an htaccess file that has this code:

DirectoryIndex Front.php index.html
AuthType Basic
AuthName "Login"
AuthUserFile /disks/*/*/*/.htpasswd
Require valid-user

Right now, EVERYTHING requires authentication. But I want everything except Front.php to require authentication. How can I exclude Front.php from the authentication?

Also, will this authentication prevent the scripts from running or does it just prevent the user from navigating TO the file via url?

Answer 1

Right now, EVERYTHING requires authentication. But I want everything except Front.php to require authentication. How can I exclude Front.php from the authentication?

Try:

SetEnvIfNoCase Request_URI ^/Front.php norequire_auth=true

# Auth stuff
AuthType Basic
AuthName "Login"
AuthUserFile /disks/*/*/*/.htpasswd

# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is set
Allow from env=norequire_auth

This uses the Satisfy directive and sets it to any , meaning either the Require valid-user or the Allow is good enough. The variable norequire_auth only gets set when the URI is /Front.php . You can add additional whitelisted URI's if you want by including additional SetEnvIfNoCase directives.

Also, will this authentication prevent the scripts from running or does it just prevent the user from navigating TO the file via url?

It won't prevent the scripts from running, if you include them via a include or require . But if you directly link to them from Front.php 's HTML content, the login dialog will pop up for Front.php.

Answer 2

You say you don't want to be able to enter other scripts, but you add authentication to it.

If you don't want to execute those scripts directly, it's better to move them out of the public_html folder, so they cannot be reached from outside at all. You will still be able to include/require them in front.php.

Admin scripts can easily be moved to a subdirectory on which you can add authentication from .htaccess. If you want to add authentication to some files, but not all, you can also choose to send the required headers from the PHP scripts.

You often see a check like this at the start of a file:

defined('MYAPPDEFINE') || die('No direct access allowed');

In the entry page (index.php, front.php, whatever), you can add this line:

define('MYAPPDEFINE', 'Whatever value');

This way, every file that is called directly will die and terminate immediately, but when it is included from front.php, the check succeeds and the file is included.

Answer 3

Use this ruleset:

<Filesmatch "^((?!Front\.php).)*$">
AuthType Basic
AuthName "Login"
AuthUserFile /disks/*/*/*/.htpasswd
Require valid-user
</Filesmatch>

<Files "Front.php">
allow from all
</Files>

Answer 4

Use this .htaccess content to prevent people from requesting anything but front.php:

RewriteEngine On

RewriteCond %{THE_REQUEST} !front.php [NC]
RewriteRule .* - [F,L]

Now only fron.php will be available to anyone accessing your apache.

BTW - as far as I know - you can force Apache to authenticate anything in particular directory but not not single files.