Password protect specific files on root of website

Question

I have had a website running for a while and it has a small following. What I wish to do now is password protect some specific files that sit in the root directory. So I'd like the user not to see any username/password request unless they attempt to access one of these files.

On top of that I also want the user to see a specific message as they are presented with the login request - something like:

Sorry about this, please contact xxx@example.com for a username and password.

However, I've read that the htaccess/AuthName text does not get displayed on the login popup on Chrome so I need an alternative.

Answer 1

I read that the htaccess/AuthName text does not get displayed on the login popup on chrome so I need an alternative.

The "alternative" is to role your own authentication system (which could still use HTTP Authentication together with your own server-side scripts) - which is beyond the scope of this answer (and Webmasters SE). (HINT: You would need to implement a front-controller pattern and rewrite these requests to your server-side script that then handles the authentication and response back to the client.)

A workaround is to set a custom "401 Unauthorised" response (either a simple text string or complete HTML page) with your desired message. But this is only displayed when authentication fails, ie. the user enters an invalid username/password combo and hits "OK" or the password dialog is cancelled.

NB: You still need to set the AuthName directive as this also determines which username/password combo the browser sends as part of the request (after successful authentication).

For example:

# Simple text string
ErrorDocument 401 "Sorry about this, please contact xxx@example.com for a username and password"

OR

# Complete HTML error document containing custom response
ErrorDocument 401 /errordocs/401.html

Then, how you protect the "specific files" really depends on the filenames and perhaps how many.

For example, if there is a pattern to the filenames, eg. They all start with the word "example" then you could wrap the authentication directives in a <Files> wrapper:

<Files "example*.*">
    # Authentication directives go here...
    AuthType Basic
    AuthName "Protected File"
    AuthUserFile "/absolute/file/path/to/password-file"
    Require valid-user
</Files>

The Files directive uses simple wildcard matching. Use FilesMatch to match against a regex. For example, to match a hand full of unrelated .html files then you could do something like:

<FilesMatch "^(one|two|three|four|five)\.html$">
    # Authentication directives go here (see above)
    :
</FilesMatch>

If you have many files then perhaps consider setting an environment variable when one of these files is requested and use this env var in the authentication directives. For example (Apache 2.4):

# Set the AUTH_REQUIRED env var if a protected file is requested
SetEnvIf Request_URI "^/one\.html$" AUTH_REQUIRED
SetEnvIf Request_URI "^/two\.html$" AUTH_REQUIRED
SetEnvIf Request_URI "^/three\.html$" AUTH_REQUIRED
SetEnvIf Request_URI "^/four\.html$" AUTH_REQUIRED
SetEnvIf Request_URI "^/five\.html$" AUTH_REQUIRED
Authentication...
<RequireAny>
    <RequireAll>
        # Unrestricted access to non-protected files
        Require all granted
        Require not env AUTH_REQUIRED
    </RequireAll>
    <RequireAll>
        # Authentication directives go here (see above)
        :
    </RequireAll>
</RequireAny>

Alternatively, use an Apache <If> expression:

# Authentication...
<If "reqenv('AUTH_REQUIRED') == '1'">
    # Authentication directives go here (see above)
    :
</If>

Although, strictly speaking, the above (SetEnvIf directive) is checking the requested URL-path, not the underlying file-path.

This last example is also dependent on other directives you might have in your .htaccess file. For example, if you are doing any URL rewriting then then the above env var may be renamed to REDIRECT_AUTH_REQUIRED. And you will need to check for this in the authentication directives instead.

Answer 2

There are two ways you can approach this. Based on your time and needs, you choose one of those, I am not saying there aren't other methods but those come to mind:

First solution is what MrWhite has shown you, a server-side approach, that is no longer about the files in specific but who get to access what. It's a very advanced way of doing it and sustainable for development.

However, if you are interested to manage content at a smaller degree, you can use the Second Solution : A back-end approach but not server-side, a good light and secure example of that is Joomla.

Create password protected pages that list your files, you can categories and section these lists to different users and require permission for each:

You can do this via restricted access:

https://docs.joomla.org/Restricting_access_to_%22read_more%22

Via ACL:

https://docs.joomla.org/J3.x:Access_Con ... utorial/es

Or you can use an extension:

http://extensions.joomla.org/extension/

---

Pros :

1. Faster, easily configured and edited.

2. You will not have to contain these files or move them but.

Cons :

3. You might wanna stop the files from being indexed by using chmod from your cpanel or ssh, although you can just move them to a new directory.