

Deny access to subdirectories in Apache 2.2 (linux)

Posted on 2009-04-16
Medium Priority
Last Modified: 2013-12-16
Hi experts,
I'm trying to find a way to deny access to some subdirectories of the root site unless the user has previously passed the access control.

This is what I have in mind:
DocumentRoot is /usr/local/apache2/htdocs/root
In the web root directory I have a login page that checks users and passwords in a database. Only if the information returned from the server is OK will the user be able to get into the next subdirectory, called "menu" (/usr/local/apache2/htdocs/root/menu).
I have already created the program for user authentication.
A user accessing from the browser types the URL http://webserver/login.html
What I'm trying to deny is direct access to the subdirectory "menu" (http://webserver/menu/menu.html) without previously validating the password.
I read that it might be possible by setting environment variables for the directories in the httpd.conf file?
Please note that I'm NOT trying to implement an access control using .htpasswd

Thank you for your advice.

Question by:alcani
LVL 43

Accepted Solution

ravenpl earned 999 total points
ID: 24165071
> Please note that I'm NOT trying to implement an access control using .htpasswd
Then Apache will not help You.

What You have to do is verify the user in every script within the protected directory.
As for downloads, deny direct downloads with .htaccess (sic, htaccess required), and implement them with another script.

Author Comment

ID: 24168634
Do you have an example, or a link where I can find this information in more detail?
Thank you
LVL 30

Assisted Solution

IanTh earned 501 total points
ID: 24168699

Author Comment

ID: 24170080
Thank you for your answers.
I have already used htaccess and I know how it works.
I'm looking for something else; maybe it is not possible, but I will try to explain it in other terms...

In the httpd.conf file, my directory will be like this:
<Directory "/usr/local/apache2/htdocs/root/menu">
   Options ???
   Order deny,allow
   Deny from all
   Allow from env=PASS_OK
</Directory>

Access to the subdirectory menu would be forbidden unless the environment variable is set to OK.
From the login page I'll get information in a hidden field in order to determine whether the user/password is correct. If it is incorrect, the user will be sent back to the login page. Otherwise I would like to set the variable PASS_OK to get into the subdirectory "menu".

Is it possible?
LVL 43

Assisted Solution

ravenpl earned 999 total points
ID: 24170148
The problem is that someone has to set this env variable first - it could be the CGI/PHP script - hence it has to be run first - but Apache denies the access :(
So instead of an env var You could verify whether a cookie/GET/POST variable is set - though it's not security (say, security by obscurity).
Unfortunately, if the auth isn't Apache-based, Apache cannot verify whether the user is authenticated or not - and we are back at the first line (the chicken-and-egg problem).

What could be implemented (it's an idea only):
Your login page sends out a cookie, so the client will return it on all subsequent requests; mod_rewrite is capable of running subrequests passing the cookie (it has to go to a folder that Apache does not protect) - the subrequest could then return whether the user is authenticated or not.

But I have never implemented such a thing. Either You will examine whether it works Yourself, or another expert will aid You with this.
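
An added example, not part of the original thread and not code from either poster, of the "verify the user in every script" approach: the login script issues an HMAC-signed cookie and every script under menu/ verifies it, so a cookie or hidden field that is merely "set" is rejected. The secret, cookie format, lifetime and function names are assumptions, and Python stands in for whatever CGI/PHP language the site uses.

```python
import base64
import hashlib
import hmac
import time

# Assumptions for this sketch: a secret known only to the server, a 30-minute
# session lifetime, and a cookie value of the form "user|issued_at|signature".
SECRET = b"constructed-demo-secret-replace-me"
MAX_AGE = 1800

def _sign(payload):
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")

def issue_cookie(user, now=None):
    """Login script: call only after the database password check succeeded."""
    issued = int(time.time() if now is None else now)
    payload = "%s|%d" % (user, issued)
    return payload + "|" + _sign(payload)

def verify_cookie(value, now=None):
    """Return the authenticated user name, or None if the cookie is not valid."""
    now = int(time.time() if now is None else now)
    payload, sep, sig = (value or "").rpartition("|")
    # Constant-time comparison; a cookie that is merely "set" has no valid MAC.
    if not sep or not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return None
    # The MAC matched, so the payload is one this server produced.
    user, _, issued = payload.rpartition("|")
    if not 0 <= now - int(issued) <= MAX_AGE:   # expired or dated in the future
        return None
    return user

def menu_page(cookie_value, now=None):
    """Top of every script under menu/: check first, then produce the page."""
    user = verify_cookie(cookie_value, now)
    if user is None:
        return 302, "/login.html"               # send the browser back to login
    return 200, "menu for " + user
```

Static files under menu/ get no such check from Apache, which is why the accepted answer has them denied via .htaccess and delivered by a script that performs the same verification.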

Author Closing Comment

ID: 31571051

Question has a verified solution.