How to remove .htaccess password protection from a subdirectory

Question

I have password protected my entire website using .htaccess but I would like to expose one of the sub directories so that it can be viewed without a password.

How can I disable htaccess password protection for a sub directory? Specifically what is the .htaccess syntax.

Here is my .htaccess file that is placed in the root of my ftp.

AuthName "Site Administratrion"
AuthUserFile /dir/.htpasswd
AuthGroupFile /dev/null

AuthName secure
AuthType Basic
require user username1
order allow,deny
allow from all

This might be better suited for serverfault. – beggs Sep 16 '09 at 06:58 — beggs, Sep 16 '09 at 06:58

score 165 · Accepted Answer · edited Mar 01 '19 at 10:45

165

You need to create a new .htaccess file in the required directory and include the Satisfy any directive in it like so, for up to Apache 2.3:

# allows any user to see this directory
Satisfy Any

The syntax changed in Apache 2.4, this has the same effect:

Require all granted

edited Mar 01 '19 at 10:45

the

21,007
11
68
101

answered Sep 16 '09 at 07:02

RageZ

26,800
12
67
76

7

I could only get this to work with `Allow from all` not `Satisfy Any`. – Jess Telford Oct 07 '11 at 06:02
@JessTelford good use of the code snippet. @RageZ +1 for answer that worked for me. Could you edit the answer to be super simple and post it using the code snippet method. Otherwise someone will have to think `thanks` – Jesse Burcsik Feb 13 '13 at 17:49
2

@JessTelford `Satisfy Any` is working and it was miss-spelled as `Satisify Any`. May be that is the reason it did not work for you. – Muneer May 11 '14 at 11:44
1

I needed to have single file unprotected (everything else protected), made same in section – Nick Aug 10 '14 at 09:49
This doesnt work for me - I still get the password modal asking for username and pwd.. Using firefox & windows 7... Anybody any idea? – ItsMeDom Nov 03 '14 at 01:46
@RageZ Thanks! It turns out my issue was just the server admin disabling htaccess overrides but this is still good to know. – dev_willis Feb 26 '15 at 15:13
@dave kewl glad you found the glitch! – RageZ Feb 27 '15 at 03:54
@dave, thanks for adding the 2.4 syntax. That's what I needed in moving this site to a new home. – Josiah Jul 10 '15 at 17:44
@RageZ I want to allow one twig file without .htaccess but problem is that, this twig file is also call many js and css , So In this case what to do. – Nullpointer Feb 18 '16 at 10:15
Neither "Satisfy Any" nor "Require all granted" is working for me on apache 2.2 – matteo May 30 '18 at 08:10

score 37 · Answer 2 · answered Aug 21 '11 at 15:42

Adding to RageZ's answer, I used this in the Server Directives:

<Directory /var/www/protected/>
     AuthType Basic
     AuthName "Production"
     AuthUserFile /path/to/.htpasswd
     Require valid-user
</Directory>

<Directory /var/www/protected/unprotected>
     Satisfy Any
</Directory>

Awesome. Thanks RageZ!

score 9 · Answer 3 · answered Jun 09 '14 at 08:36

9

Simply create a new .htaccess in the desired subdirectory with this directive:

Allow from all

You can restrict to your IP only with :

Allow from x.x.x.x

See : http://httpd.apache.org/docs/current/mod/mod_access_compat.html

answered Jun 09 '14 at 08:36

Paul Rad

4,820
1
22
23

It worked when I put "Require all granted" instead of "Allow from all" and "Satisfy Any". Those two didn't work for me. I'm on Apache 2.4. – endo64 Oct 06 '16 at 14:36

score 3 · Answer 4 · answered Dec 18 '18 at 16:17

Here is a way to allow subdirectory "foo" through the basic authentication from the main .htaccess file on a site:

AuthType Basic
AuthName "Password Required"
AuthUserFile /dir/.htpasswd
Require expr %{REQUEST_URI} =~ m#^/foo/#
Require valid-user

Note: This works in Apache 2.4. I have not confirmed for earlier versions.

score 1 · Answer 5 · answered Sep 16 '09 at 07:00

1

You need to add another .htaccess file to the subdirectory that overrides the authentication. .htaccess cascades upwards, i.e. it will look in the current folder, then go up a level and so on.

answered Sep 16 '09 at 07:00

Fenton

241,084
71
387
401

4

do you happen to know the syntax? I understand the concept but do not know how to implement it. – justinl Sep 16 '09 at 07:01
If you want to remove the current one and use no permissions, just replace it with an empty file named .htaccess – Gaʀʀʏ Sep 17 '12 at 02:59
3

@Garry that's not how the .htaccess cascading works, you have to explicitly override options. – William Denniss Oct 28 '13 at 02:40

score 0 · Answer 6 · answered Apr 09 '18 at 06:53

If you want to prevent any specific directoty from htaccess authentication then you can use following code in your htaccess file at top.

AuthType Basic AuthName "Enter Pass" AuthUserFile /home/public_html/.htpasswd /*PATH TO YOUR .htpasswd FILE*/ Require valid-user SetEnvIf Request_URI "(/DIRECTORY_NAME/)$" allow Order allow,deny Allow from env=allow

Also If you want to prevent multiple directories then add

SetEnvIf Request_URI "(/DIRECTORY_NAME/)$" allow

as many time as many directories, you want to remove from htaccess prevention.

How to remove .htaccess password protection from a subdirectory

6 Answers6

Linked