httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ralph Kutschera <>
Subject [users@httpd] Re: <Location /> for a whole site BUT one directory
Date Mon, 04 Aug 2008 09:57:22 GMT
André Warnier schrieb:
> André Warnier wrote:
>> Ralph Kutschera wrote:
>>> Hallo list!
>>>   I've been searching the archive but it seems there isn't yet a 
>>> solution to this:
>>>   I would like to have a whole site to be accessed only by user/passwd:
>>> <Location />
>>>   AuthXXX [..]
>>> </Location>
>>>   Only one directory should be accessible without authentication:
>>> <Location /public>
>>>   Order Allow,Deny
>>>   Allow from All
>>> </Location>
>>>   This does not work. I'm getting asked for user/passwd whenever I 
>>> try to access
> On second thought..
> The answer may be in the Apache doc.  It is well-hidden, but it's there.
> See
> :
> section : Removing controls in subdirectories
> It looks like by just adding "Satisfy any" in the <Location /public> 
> section , it may do the trick.
> Try it and tell, I am interested.

Unfortunately it doesn't work. It's again the <Location /> directive 
that comes up. With the test mentioned above:

<Location />
   AuthName "Server"
   AuthXXX [..]

   Order Allow,Deny
   Allow From All

   Satisfy All

<Location /public>
   AuthName "Public"
   AuthXXX [..]

   Order Allow,Deny
   Allow From All

   Satisfy any

Here, I'm not getting asked for the "Public" realdm but again for the 
"Server" realm :(

> By the way, I think that it would be safer to define this via 
> <Directory> sections than via <Location>.
> For <Location />, it does not matter, because that's going to be the 
> same as you document root no matter what.
> But, if your server were to be on a host whose file names are 
> case-insensitive (like Windows), then a user requesting a URL like 
> "/Public/x" would not fall under the conditions that apply to 
> "/public/x" (and nevertheless get the document).

My server will always be case-sensitive. So I don't care :-)

My intention was to protect a virtual host from URL-attacks as there are 
some applications written by myself and I'm no professional. There are 
some few users who will get access as I can trust them.
And then there should be a /public directory that can be accessed by anyone.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message