使用密码保护 AutoIndex,但不保护带有 .htaccess 的静态文件
我的网络服务器上有可公开访问的文件。我想启用自动索引(选项+索引),但我需要密码才能查看这些列表。我设置身份验证没有问题,但公共文件和 DirectoryIndex 文件存在复杂性,因为如果有人还要求提供目录,并且有 DirectoryIndex 文件,则他们不必为此输入密码。出于安全原因,只有自动索引需要密码。
这是我想到的:
Options +Indexes
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_FILENAME}index.php -f
RewriteRule ^.*$ %{REQUEST_URI}index.php [R,NE,L]
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_FILENAME}index.html -f
RewriteRule ^.*$ %{REQUEST_URI}index.html [R,NE,L]
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_FILENAME}index.htm -f
RewriteRule ^.*$ %{REQUEST_URI}index.htm [R,NE,L]
<FilesMatch "^$">
AuthName "My Auth Name"
AuthType Basic
AuthUserFile /path/to/my/.htpasswd
Require valid-user
</FilesMatch>
FilesMatch 位工作正常。任何对目录的请求都需要登录,但普通文件会通过。这是简单的部分,困难的部分是在不登录的情况下渲染 DirectoryIndexes。顶部的重写是我在请求身份验证之前尝试重定向请求的失败尝试,但没有骰子,无论如何,它都会首先请求身份验证什么。
我已经对此进行了大约 6 个小时的研究,此时我即将放弃。任何帮助将不胜感激。
编辑:这是一个示例目录结构。
/images/blah.jpg <- does not require a password
/images/ <- requires a password to view listing
/index.html <- does not require a password
/ <- does not require a password because a DirectoryIndex file exists (index.html)
I have publicly accessible files on my webserver. I'd like to enable AutoIndexing (Options +Indexes) but I'd like to require a password in order to view these listings. I have no problem setting up the Auth but there are complications with the public files and the DirectoryIndex files in that if someone also asks for a directory, and there is an DirectoryIndex file, they shouldn't have to enter a password for this. Only the AutoIndexing should require a password for security reasons.
Here is what I came up with:
Options +Indexes
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_FILENAME}index.php -f
RewriteRule ^.*$ %{REQUEST_URI}index.php [R,NE,L]
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_FILENAME}index.html -f
RewriteRule ^.*$ %{REQUEST_URI}index.html [R,NE,L]
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_FILENAME}index.htm -f
RewriteRule ^.*$ %{REQUEST_URI}index.htm [R,NE,L]
<FilesMatch "^$">
AuthName "My Auth Name"
AuthType Basic
AuthUserFile /path/to/my/.htpasswd
Require valid-user
</FilesMatch>
The FilesMatch bit works fine. Any request for a directory is asked to log in but normal files pass through. That's the easy bit, the hard part is getting the DirectoryIndexes to render without logging in. The rewrite at the top was my failed attempt to redirect the request before it asked for the auth, but no dice, it asks for the auth first no matter what.
I've done about 6 hours of research on this and at this point I'm about to give up. Any help would be appreciated.
Edit: here is an example directory structure.
/images/blah.jpg <- does not require a password
/images/ <- requires a password to view listing
/index.html <- does not require a password
/ <- does not require a password because a DirectoryIndex file exists (index.html)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
只需删除
编辑 为什么不为那些您想要允许的目录启用索引呢?
Just remove the
<FilesMatch>block to apply it on all requests and not just those requesting directories.Edit Why don’t you just enable indexing for those directories you want to allow it for?
我知道这是一个坟墓,但我希望它可以帮助任何在谷歌上搜索的人(比如我自己——我对所有这些 htaccess 东西都是全新的)。
我想做一些类似的事情,尽管我认为更简单 - 我想在访问目录时继续使用 Apache autoindex,但对其进行密码保护(而不是为了我自己的利益而完全禁用它) - 但同时,如果直接链接,则可以自由访问任何文件,因此人们无需用户名和密码即可访问它们。
互联网上广泛展示的基本“目录密码”技巧是这样的:
限制 require 属性范围的简单添加实现了我所追求的目标:
如果我尝试访问没有索引文件的目录(因此自动索引),我有输入用户名和密码。
如果我尝试访问带有索引文件的目录,它会正常加载 - 不需要 u/p。
如果我尝试直接访问文件,它会正常加载,如上所述,不需要 u/p。
正如预期的那样,它同样会对所有子文件夹产生影响。
根据我迄今为止的测试,似乎表现得如此并且工作得很好。
I know this is a gravedig but I hope it might help anyone Googling out there (such as myself -- I'm brand new to all this htaccess stuff).
I wanted to do something similar, albeit simpler I think - I wanted to continue use of the Apache autoindex when accessing a directory, but have it password protected (rather than disable it altogether, for my own benefit) - yet at the same time, have any files freely accessible if linked directly, so people can access them without the need for a username and password.
The fundamental "Password a directory" trick widely shown around the internet is this:
A simple addition limiting the scope of the require attribute achieved what I was after:
If I attempt to access a directory with no index file (thus autoindexed), I have to input a username and password.
If I attempt to access a directory with a index file, it loads up as normal - no u/p required.
If I attempt to access a file directly, it loads up as normal, as above, no u/p required.
As probably expected, it impacts likewise on all subfolders.
Seems to behave this way and work just fine based on my testing thus far.