Join Log in
Score:3
Black avatar Server

.htaccess - Exclude folder from basic auth protection

id flag
Black

I have a website where no one is allowed to enter without entering the basic auth credentials.

However, I need the media folder to be accessible by everyone, because we are using a third party extension which creates PDF's and we can only fully test them if the media is accessible.

The media folder is at /var/www/company/pub/media.

The domain (www.example.com) points to /var/www/company/pub, so the pub folder is the entry point.

This is my .htaccess attempt (/var/www/company/.htaccess):

RewriteEngine on
RewriteCond %{REQUEST_URI} !^/pub/
RewriteCond %{REQUEST_URI} !^/setup/
RewriteCond %{REQUEST_URI} !^/update/
RewriteCond %{REQUEST_URI} !^/dev/
RewriteRule .* /pub/$0 [L]
DirectoryIndex index.php

AuthType Basic
AuthName "Protected"
AuthUserFile "/var/www/company/.htpasswd"

# Exclude media folder from basic auth
SetEnvIf Request_URI "^/media/*" media

Order allow,deny
Require valid-user
Allow from env=media
Deny from env=!media
Satisfy any

But if I try to call http://www.example.com/media/someimage.jpg then I still get the basic auth login prompt.

Environment:

Apache 2.4.41 (Ubuntu)

1330
0 + 0
Score:5
avatar Server
in flag
Gerald Schneider

Place a .htaccess file in the media folder with AuthType None.

AuthType None
Require all granted
0 + 0
Black avatar
id flag
Black
Worked like a charm, thx!
0
Reply
Score:1
avatar Server
kz flag
MrWhite 
# Exclude media folder from basic auth
SetEnvIf Request_URI "^/media/*" media

Order allow,deny
Require valid-user
Allow from env=media
Deny from env=!media
Satisfy any

This would have worked, except the regex is wrong in the SetEnvIf directive, so the env var media is not set when requesting /media/someimage.jpg. You are missing a dot before the * quantifier, ie. ^/media/.*. However, you can just remove the trailing * altogether, ie. ^/media/, which is effectively the same (and more efficient).

The Deny from env=!media directive is superfluous.

So, the following should work:

# Exclude media folder from basic auth
SetEnvIf Request_URI "^/media/" media

Require valid-user
 
Order allow,deny
Allow from env=media
Satisfy Any

HOWEVER, this is using deprecated Apache 2.2 directives. On Apache 2.4 you can do the following instead:

# Exclude media folder from basic auth
SetEnvIf Request_URI "^/media/" media

Require valid-user
Require env media

The default container is <RequireAny> - so you don't need to include this. Although you can be explicit if you want:

<RequireAny>
    Require valid-user
    Require env media
</RequireAny>

Alternatively, you can surround the entire authorization block in an <If> expression. For example:

# Password protect everything except the "/media/" subdirectory
<If "%{REQUEST_URI} !~ m#^/media/#">
    AuthType Basic
    AuthName "Protected"
    AuthUserFile "/var/www/company/.htpasswd"
    Require valid-user
</If>

The operator !~ is a negated regular expression match.

0 + 0
Black avatar
id flag
Black
Nice, I tried it and everything works. I accept your answer instead, since it contains more helpful details and shows why my attempt failed.
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.