
How to Exclude Directory from Auth in Apache

Apache server allows you to set up basic authentication for folders and directories on your website. But sometimes you may need to exclude certain folders and directories from authentication. Here is how to exclude a directory from auth in Apache server.



Here are the steps to exclude a directory from authentication in Apache server. There are two ways to do this: using a virtual host and using .htaccess. We will look at both methods. We assume that your .htpasswd file is located at /etc/apache2/.htpasswd.


1. Exclude Folder Using Virtual Host

Let us say the virtual host configuration file for your domain example.com is located at /etc/apache2/sites-enabled/example.conf. Open it in a text editor.

$ sudo vi /etc/apache2/sites-enabled/example.conf

If you don’t have a virtual host configuration file, you can also use the default virtual host configuration file.

$ sudo vi /etc/apache2/sites-enabled/000-default.conf

Let us say you have the following VirtualHost tag in it. Following is the default configuration used by most websites with document root at /var/www/html.


<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
...
</VirtualHost>


Let us say you want to password protect the folder /var/www/html/folder1. Add the following Directory tag to your virtual host file.

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory "/var/www/html/folder1">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

Let us say you want to exclude folder /var/www/html/folder1/folder2, in that case add another Directory tag in your Virtual Host file for this folder.

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory "/var/www/html/folder1">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>

    <Directory "/var/www/html/folder1/folder2">
        Order Deny,Allow
        Allow from all
        Satisfy any
    </Directory>
</VirtualHost>

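In the above configuration, the first Directory tag enables password authentication for /var/www/html/folder1 and the second Directory tag allows access from all to the folder /var/www/html/folder1/folder2. Order, Allow and Satisfy are the access-control directives from before Apache 2.4; Apache 2.4 supports them through mod_access_compat. Please update the folder locations above as per your requirement.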



2. Exclude folder using .htaccess

You can also exclude a directory using the .htaccess file. Open the .htaccess file in a text editor.

$ sudo vi /var/www/html/.htaccess

Add the following lines to it.

AuthType Basic 
AuthName "Please login." 
AuthUserFile "/etc/apache2/.htpasswd" 

Require expr %{REQUEST_URI} =~ m#^/folder1/folder2/.*# 
Require valid-user

The first 3 lines above enable password authentication for your website. Line 4 adds a condition on the request URL: Apache 2.4 grants access when either Require line is satisfied, so requests whose URL begins with /folder1/folder2/ are allowed without a password and all other URLs need a valid user. This excludes the /var/www/html/folder1/folder2 directory from authentication. If you want to enable password authentication for a specific folder (e.g. /var/www/html/folder1), add the above lines to the .htaccess file in that directory (e.g. /var/www/html/folder1/.htaccess).

If you use Apache <2.4, you can also use the SetEnvIfNoCase directive to identify excluded URLs and allow access using the following code.

SetEnvIfNoCase Request_URI "^/folder1/folder2" noauth
AuthType Basic
AuthName "Identify yourself"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

Order Deny,Allow
Deny from all
Allow from env=noauth
Satisfy any

In this case, we tag all URLs starting with /folder1/folder2 as noauth, and allow access to those URLs without password authentication.
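The two exclusion patterns above are anchored differently, and that decides which other paths end up without a password prompt. The following Python check is an added example, not part of the original article: it assumes Python's re module matches these simple patterns the same way Apache's regex engine does, and the sample paths and the STRICT pattern are constructed for illustration.

```python
import re

# Exclusion patterns as they appear in the article.
PAGE_24 = re.compile(r"^/folder1/folder2/.*")              # Require expr form
PAGE_22 = re.compile(r"^/folder1/folder2", re.IGNORECASE)  # SetEnvIfNoCase form
# Hypothetical tightened pattern: the directory itself or anything below it.
STRICT = re.compile(r"^/folder1/folder2(/|$)")

# Constructed request paths -> whether the administrator intends them to be public.
SAMPLE_PATHS = {
    "/folder1/folder2/": True,
    "/folder1/folder2/report.pdf": True,
    "/folder1/folder2": True,              # directory requested without the slash
    "/folder1/": False,
    "/folder1/secret.txt": False,
    "/folder1/folder2-private/keys.txt": False,
    "/folder1/folder2.bak": False,
    "/FOLDER1/folder2/": False,            # a different path if the filesystem is case-sensitive
}


def audit(pattern, paths=SAMPLE_PATHS):
    """Compare what an exclusion regex exempts with what was intended.

    Returns (leaks, blocked): paths exempted from authentication that should
    be protected, and paths still protected that should be public.
    """
    leaks, blocked = [], []
    for path, should_be_public in paths.items():
        exempt = pattern.search(path) is not None  # unanchored search; anchors come from the pattern
        if exempt and not should_be_public:
            leaks.append(path)
        elif not exempt and should_be_public:
            blocked.append(path)
    return sorted(leaks), sorted(blocked)


if __name__ == "__main__":
    for name, pattern in (("Require expr", PAGE_24),
                          ("SetEnvIfNoCase", PAGE_22),
                          ("tightened", STRICT)):
        leaks, blocked = audit(pattern)
        print(f"{name:15} exempt but should be protected: {leaks}")
        print(f"{'':15} protected but should be public: {blocked}")
```

These results only model the regex match, so confirm the deployed pattern with real requests against the server for each sibling path.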

In this article, we have learnt how to exclude folders & directories from password authentication in Apache server.
