Prevent access to parent URL but not its children

Question

On a Debian VPS I run an Apache 2.4.56 web server and I want to prevent any access to a parent URL, for instance

https://example.com/participants

while allowing access to any of its children, for instance

https://example.com/participants/joebloggs

https://example.com/participants/janedoe

https://example.com/participants/johndoe

The parent URL I want to block is a db-generated page that shows a listing of all the users. I do not want to serve this page, only its children.

I tried the following in my apache2.conf

<Location /participants>
   Order Allow,Deny
</Location>
<Location /participants/*>
   Order Deny,Allow
</Location>

and

<Location /participants/>
        Options None
        AllowOverride None
        Require all denied
</Location>
<LocationMatch /participants/*>
        Require all granted
</LocationMatch>

but both sets of directives return 301 - Forbidden for both parent and children URLs.

What's the right approach?

score 0 · Accepted Answer · answered Sep 28 '23 at 15:36

0

These directives seem to do the job

<LocationMatch "^/participants/$">
    Require all denied
</LocationMatch>
<LocationMatch "^/participants/[^/]+$">
    Require all granted
</LocationMatch>

answered Sep 28 '23 at 15:36

Dave White

119
5

Prevent access to parent URL but not its children

1 Answers1