Deny access to subdirectories in Apache 2.2 (linux)

Posted on 2009-04-16
Last Modified: 2013-12-16
Hi experts,
I'm trying to find a way to deny access to some subdirectories of the root site unless previously pass the access control.

This is what I have in mind:
DocumentRoot is /usr/local/apache2/htdocs/root
In the web root directory I have a login page that is checking users & passwords in a data base. Only if the information returned form the server is ok, the user will be able to get in the next subdirectory call "menu"  (/usr/local/apache2/htdocs/root/menu).
I already create the program for users authentication.
A user accessing from the browser is typing in the url http://webserver/login.html
What I'm trying to deny is the direct access to the subdirectory "menu" http://webserver/menu/menu.html without previously validate the password.
I read that it could be possible setting environments variables in the directories in the httpd.conf file¿?
Please note that I'm NOT trying to implement an access control using .htpasswd

Thank you for yours advices.

Question by:alcani
    LVL 43

    Accepted Solution

    > Please note that I'm NOT trying to implement an access control using .htpasswd
    Then apache will not help You.

    What You have to do, is to verify user with every script within protected directory.
    As for downloads, deny direct downloads with .htaccess (sic, htaccess required), and implement them with another script.

    Author Comment

    Do you  have any example? or a link where I can find this information more detailed?
    Thank you
    LVL 30

    Assisted Solution


    Author Comment

    Thank you for yours answers.
    I already used htaccess and I known how it works.
    Im looking for other thing, maybe is not possible but I will try to explain it in other terms&

    In the httpd.conf file, my directory will be like this
    <Directory /usr/local/apache2/htdocs/root/menu">
       Options ¿??
       Order deny,allow
       Deny from all      
       Allow from env=PASS_OK

    The access to the subdirectory menu would be forbidden, unless the environment variable will be set to ok.
    From de login page I'll get information in a hidden field in order to determine if the user-password is correct. If is incorrect, the user will be sent another time to login page. Other wise I would like set the variable PASS_OK for get in the subdirectory "menu".

    Is it possible?
    LVL 43

    Assisted Solution

    The problem is that someone has to set this env variable first - it could be the cgi/php script - hence it has to be run first - but apache denies the access :(
    So instead of env var You could verify if cookie/get/post variable is set - though it's not security (say security by obscurity).
    Unfortunately, if the auth isn't apache based, apache cannot verify if user is authenticated or not - and we back in the first line (the egg chicken problem).

    What could be implemented (it's idea only).
    Your login page sends out a cookie, so client will return it all subsequent requests, the mod_rewrite is capable of running subrequests passing the cookie (it has to be to apache unprotected folder) - the subrequest could then return whether user is authenticated or not.

    But I have never implemented such thing. Either You will examine it works by Yourself, or other expert will aid You with this.

    Author Closing Comment


    Featured Post

    Highfive + Dolby Voice = No More Audio Complaints!

    Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

    Join & Write a Comment

    Upgrading Tomcat – There are a couple of methods to upgrade Tomcat is to use The Apache Installer is to download and unzip and run the services.bat remove|install Tomcat6 Because of the App that we are working with, we can only use Tomcat 6.…
    In Solr 4.0 it is possible to atomically (or partially) update individual fields in a document. This article will show the operations possible for atomic updating as well as setting up your Solr instance to be able to perform the actions. One major …
    Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
    Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now