Apache2: How do I restrict access to a directory, but allow access to one file within it?

Posted on

Apache2: How do I restrict access to a directory, but allow access to one file within it? – Problems with loading a website are often blamed on the Internet connection, but even the most perfectly set up network cannot help if there is no service to reply at your destination. One of the most popular HTTP servers used for this task is Apache2. Much of Apache’s popularity can be attributed to its easy installation and use, but never the less it is possible to run into problems with even the easiest of the software. If you’ve encountered an issue loading your web page, follow these simple troubleshooting methods outlined in this guide to attempt to get your web server back up and working again. Below are some tips in manage your apache2 server when you find problem about apache-2.2, directory, deny, , .

I’ve inherited a poorly designed web app, which has a certain file that needs to be publicly accessible, but that file is inside a directory which should not.

In other words, I need a way to block all files and sub-directories within a directory, but over-ride it for a single file.

I’m trying this:

# No one needs to access this directly
<Directory /var/www/DangerousDirectory/>
   Order Deny,allow
   Deny from all

   # But this file is OK:
   <Files /var/www/DangerousDirectory/SafeFile.html>
      Allow from all
   </Files>
</Directory>

But it’s not working- it just blocks everything including the file I want to allow. Any suggestions?

There is an answer on StackOverflow that should answer this question, I think there is a missing Order in the nested Files directive?

https://stackoverflow.com/questions/6243677/apache-how-to-deny-directory-but-allow-one-file-in-that-dirctory

# No one needs to access this directly
<Directory /var/www/DangerousDirectory/>
   Order Deny,allow
   Deny from all
</Directory>
# But this file is OK:
<Files /var/www/DangerousDirectory/SafeFile.html>
   Order Deny,Allow
   Allow from all
</Files>

And if this directory is password-protected, add Satisfy any too.

A very late answer, but still perhaps an answer.

The tag is in the scope of the directory and should not have the full path. So it should read:

<Directory "/var/www/DangerousDirectory">
   Order Deny,allow
   Deny from all

   # But this file is OK:
   <Files "SafeFile.html">
      Allow from all
   </Files>
</Directory>

Be aware that this would allow any file called SafeFile.html in that directory-tree.

To allow a specific file when access is restricted by HTTP password. Be careful, password protection is defined on filesystem basis and specific allowed files are defined by URI. Updated for Apache 2.4.

<Directory /path/to/directory/>
    AuthName SecureArea
    AuthType Basic
    AuthUserFile /path/to/passwd-file
    Require user my-user

    SetEnvIf Request_URI "path/to/uri-allowed-1.php" allowedURL
    SetEnvIf Request_URI "path/to/uri-allowed-2.php" allowedURL
    Require env allowedURL
</Directory>

Leave a Reply

Your email address will not be published.