3
Order Deny,Allow
AuthUserFile /var/www/subdirectory/.htpasswd
AuthName "Authorization Required"
AuthType Basic
require valid-user

^my .htaccess file.

However, the parent directory has a password.

I want this directory to ask only for one password (even though it asks for the second password, the second password can be left blank. Despite this, i want to remove the second password because it is annoying).

bcc32
  • 328
  • 1
  • 7
  • 17

2 Answers2

4

If you want the subdirectory to require the same password as the parent directory, you don't need the .htaccess at all in the subdirectory.

Or are you trying to use a different password in the subdirectory?

[Update:] In which case, you need to limit the parent's require to not include the subdirectory in question — through a FilesMatch directive, for instance. Keep your subdirectory's .htaccess the same, and modify the parent's to include something like:

<FilesMatch "\.(private|dirs|are|listed|here)">
    require valid-user
</FilesMatch>

(It seems that there's no way to negate a FilesMatch regex; but I might be wrong about that.)

Sam Wilson
  • 4,402
  • 4
  • 29
  • 30
  • 1
    Well, yes, but then you said that the second password could be blank, and that you want to remove it. It's early here! I got confused... Anyway, I've updated my answer. :-) – Sam Wilson Apr 05 '11 at 01:42
  • 1
    by the way...http://stackoverflow.com/questions/406230/regular-expression-to-match-string-not-containing-a-word – bcc32 Apr 05 '11 at 04:32
  • Yes, but I think apache's way of doing things doesn't allow that. At least, I remember having some issue with it once... (haven't got time now to check; I probably shouldn't go casting aspersions about it!). – Sam Wilson Apr 05 '11 at 06:34
  • `Files` and `FilesMatch` check against the basename so directories in the regex will never match. The only way to have .htaccess rules apply to a subfolder is to put an .htaccess file in that subfolder. Your example would match files with the extension .private, .dirs, .are, .listed, or .here which could result in some weird behavior if, for example, you tried to list your `js` or `css` directory. http://httpd.apache.org/docs/2.4/mod/core.html#filesmatch – None Oct 11 '17 at 14:05
2

.htaccess applies to all the files and subfolders. Your .htaccess file with the following tree structure would password protect dir1/index.html, dir1/subdir1/index.html, and dir1/subdir1/example.html.

- dir1
| - .htaccess
| - index.html
| - subdir1
  | - index.html
  | - example.html

To password protect only subdir1 move the .htaccess file into the subdirectory. With the following structure the protected files are dir1/subdir1/index.html and dir1/subdir1/example.html

- dir1
| - index.html
| - subdir1
  | - .htaccess
  | - index.html
  | - example.html

To password protect a directory except for a subdirectory an additional .htaccess file needs to be placed in the subdirectory to override the options of the parent .htaccess file.

- dir1
| - .htaccess
| - index.html
| - subdir1
  | - .htaccess
  | - index.html
  | - example.html

In dir1/subdir1/.htaccess:

Require all granted

Then dir1/index.html requires a password, but not the files in dir1/subdir1/. See https://httpd.apache.org/docs/2.4/howto/access.html for information on Require all granted.

To require one password for the parent folder and a different password for the child folder:

- dir1
| - .htaccess
| - index.html
| - subdir1
  | - .htaccess
  | - index.html
  | - example.html

In dir1/subdir1/.htaccess use a different AuthUserFile or require a different user/group/requirement:

# Use a different list of Users for this directory
AuthUserFile /var/.htpassrd_subdir1

# Or require a different user
#require user subdir1User

# Or use a different type of authentication altogether
#AuthUserFile /var/www/subdirectory/.htdigest
#AuthName "Subdir1-Realm"
#AuthType Digest
#require valid-user

The authentication cannot be nested. Adding auth to a subdirectory will override the authentication configuration on the parent directory. If both the parent and the child folder are password protected and someone visits a file in the child folder they are prompted for a single password; the password configured for the child folder.

None
  • 5,491
  • 1
  • 40
  • 51