Discussion:
Protecting everything except /index.html
(too old to reply)
Swifty
2012-04-25 10:46:57 UTC
Permalink
I'm setting up a new server where I want everything to require
authorisation with the single exception of index.html in the
documentroot.

So http://example.com/ is open access, as is
http://example.com/index.html but anything else will require ID/pw.

I've set up all sorts of authorisation schemes in the past, but never
one quite like this.

Is there an obvious way to achieve this (or some sneaky trick; I'm
open to inventive mechanisms).

I doubt it will make any great difference, but I'm likely to force
everything to use https in the near future.
--
Steve Swift
http://www.swiftys.org.uk/swifty.html
http://www.ringers.org.uk
Andre
2012-04-25 14:11:27 UTC
Permalink
Post by Swifty
I'm setting up a new server where I want everything to require
authorisation with the single exception of index.html in the
documentroot.
So http://example.com/ is open access, as is
http://example.com/index.html but anything else will require ID/pw.
I've set up all sorts of authorisation schemes in the past, but never
one quite like this.
Is there an obvious way to achieve this (or some sneaky trick; I'm
open to inventive mechanisms).
I doubt it will make any great difference, but I'm likely to force
everything to use https in the near future.
The only thing I could think ( for the moment ) is, have everything in
another directory ( or in the level under your DocumentRoot ) and
require authentiction for every other directories.
Your index.html could use HREF to point where it's needed.
André
Swifty
2012-04-26 13:29:23 UTC
Permalink
Post by Andre
The only thing I could think ( for the moment ) is, have everything in
another directory ( or in the level under your DocumentRoot ) and
require authentiction for every other directories.
That's going to be my fallback position. It may even end up as my
preferred alternative, as the server's main purpose is to allow users
to host their own sites via the userdir mechanism.

I'll be the only person with files in the document root; everything
else will be under /home/[userid]/public_html/

However, now I've got this "How would I do that?" question stuck in my
brain, I'm going to carry on trying to find a technical solution.
--
Steve Swift
http://www.swiftys.org.uk/swifty.html
http://www.ringers.org.uk
BootNic
2012-04-28 02:50:47 UTC
Permalink
Post by Swifty
I'm setting up a new server where I want everything to require
authorisation with the single exception of index.html in the
documentroot.
So http://example.com/ is open access, as is
http://example.com/index.html but anything else will require
ID/pw.
I've set up all sorts of authorisation schemes in the past, but
never one quite like this.
Is there an obvious way to achieve this (or some sneaky trick;
I'm open to inventive mechanisms).
I doubt it will make any great difference, but I'm likely to
force everything to use https in the near future.
For testing purposes I use two configuration files so I don't have to restart
apache with every change.

1. .htaccess

2. .htaccessSSL

.htaccess for port 80

.htaccessSSL for port 443

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
AccessFileName .htaccessSSL
### more configuration directives
</VirtualHost>
</IfModule>

.htaccess:

RewriteEngine on
### no authentication required for index
### allow it to be served without ssl
### everything other then index redirected to ssl
RewriteCond %{REQUEST_URI} !/movies/(index\.(php|htm(l)?))?$ [NC]
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
#########################

.htaccessSSL:

AuthName "Movies"
AuthType Basic
AuthUserFile /var/www/.applecart

<Files "*">
SSLOptions StrictRequire
SSLRequireSSL
require valid-user
</Files>

<FilesMatch "index\.(php|htm(l)?)">
Allow from all
Satisfy any
</FilesMatch>
--
BootNic Fri Apr 27, 2012 10:50 pm
It's not that some people have willpower and some don't. It's that some people
are ready to change and others are not.
*James Gordon*
Continue reading on narkive:
Loading...