After setting up a nice download area with password protection I ran into an interesting issue. And I don’t know why I haven’t encountered that problem before. It’s not that I never set up Apache configurations or have never heard of mod_auth and mod_autoindex.
But now to the problem itself. I had a set up for a download area and added a sub-folder that needed password protection. Here is the configuration:
<Directory /srv/www/myroot/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory /srv/www/myroot/downloads/protected/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "Download area for Foo Bar"
AuthUserFile /etc/apache2/private/htpasswd
Require user me myself
</Directory>
Looks good, doesn’t it? Well, not 100% good. The folder protected
didn’t show up in the directory index. After some additional coffee, a couple of face palms and a quick browse through Google and the Apache documentation I found the culprit. The setting ShowForbidden
in the options for mod_autoindex. If it is not set everything that is forbidden or needs authentication will not show up in the directory index. Here is the tweaked version of the configuration (change in bold):
<Directory /srv/www/myroot/>
Options Indexes FollowSymLinks MultiViews
IndexOptions +ShowForbidden
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory /srv/www/myroot/downloads/protected/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "Download area for Foo Bar"
AuthUserFile /etc/apache2/private/htpasswd
Require user me myself
</Directory>