Apache2: How do I restrict access to a directory, but allow access to one file within it?

Question

I've inherited a poorly designed web app, which has a certain file that needs to be publicly accessible, but that file is inside a directory which should not.

In other words, I need a way to block all files and sub-directories within a directory, but over-ride it for a single file.

I'm trying this:

# No one needs to access this directly
<Directory /var/www/DangerousDirectory/>
   Order Deny,allow
   Deny from all

   # But this file is OK:
   <Files /var/www/DangerousDirectory/SafeFile.html>
      Allow from all
   </Files>
</Directory>

But it's not working- it just blocks everything including the file I want to allow. Any suggestions?

Lekensteyn · Answer 1 · 2010-08-26T10:30:54.470

5

# No one needs to access this directly
<Directory /var/www/DangerousDirectory/>
   Order Deny,allow
   Deny from all
</Directory>
# But this file is OK:
<Files /var/www/DangerousDirectory/SafeFile.html>
   Order Deny,Allow
   Allow from all
</Files>

And if this directory is password-protected, add Satisfy any too.

edited Aug 26 '10 at 10:30

answered Aug 26 '10 at 09:43

Lekensteyn

6,445

score 3 · Accepted Answer · edited May 23 '17 at 12:41

3

There is an answer on StackOverflow that should answer this question, I think there is a missing Order in the nested Files directive?

https://stackoverflow.com/questions/6243677/apache-how-to-deny-directory-but-allow-one-file-in-that-dirctory

edited May 23 '17 at 12:41

Community

1

answered Apr 06 '12 at 13:08

Kyle

584

score 0 · Answer 3 · answered Jul 21 '14 at 10:51

A very late answer, but still perhaps an answer.

The tag is in the scope of the directory and should not have the full path. So it should read:

<Directory "/var/www/DangerousDirectory">
   Order Deny,allow
   Deny from all

   # But this file is OK:
   <Files "SafeFile.html">
      Allow from all
   </Files>
</Directory>

Be aware that this would allow any file called SafeFile.html in that directory-tree.

score 0 · Answer 4 · answered Jan 15 '19 at 18:08

To allow a specific file when access is restricted by HTTP password. Be careful, password protection is defined on filesystem basis and specific allowed files are defined by URI. Updated for Apache 2.4.

<Directory /path/to/directory/>
    AuthName SecureArea
    AuthType Basic
    AuthUserFile /path/to/passwd-file
    Require user my-user

    SetEnvIf Request_URI "path/to/uri-allowed-1.php" allowedURL
    SetEnvIf Request_URI "path/to/uri-allowed-2.php" allowedURL
    Require env allowedURL
</Directory>

Apache2: How do I restrict access to a directory, but allow access to one file within it?

4 Answers4