Password Protect All but One File (htaccess)

by Brett on July 20, 2008

Once in a while need to allow someone access to one file but no other files in the same directory. I often solve this problem by moving the one file to a sub directory and then adding the following to an htaccess file in that same sub directory.

allow from all
satisfy any

This normally works well but is not a perfect solution since it is not always appropriate to move the file to a different directory. So, I took the time and figured out how to password protect everything but one file. Below is the basic password protection that I had in the htaccess file that blocked everything in the directory (and sub-directories).

AuthGroupFile /dev/null
AuthName "A Blog"
AuthType Basic
AuthUserFile /path/to/.htpasswd
require valid-user

Now in order to exclude a file I just had to add the following below the above six lines of code.

<Files "page.html">
  Allow from all
  Satisfy any

Of course this can be taken one step further if you wanted to exclude multiple files from password protection.

<FilesMatch "(page1\.html)|(page2\.html)">
  Allow from all
  Satisfy any
</FilesMatch>

FilesMatch can take a regular expression so you don’t necessarily have to list out each file. The below code will also accomplish the same thing (as above).

<FilesMatch "page[1-2]\.html">
  Allow from all
  Satisfy any
</FilesMatch>
Share This Post

{ 9 comments… read them below or add one }

RL December 30, 2008 at 8:32 am

Thank you sir, you’re a lifesaver :)

Reply

Greg July 15, 2010 at 7:27 am

Good article! Completely solved my problem, I was busy playing with in the httpd.conf…

Reply

Pioul November 21, 2011 at 1:13 am

Hey man, just so you know, a htmlspecialchars() or similar is lacking in the plugin used to print code in this article.
Thus, tags like are not shown.

Reply

Brett June 27, 2012 at 12:50 pm

Thanks for letting me know! A different syntax highlighter was being used when I wrote this in 2008 and it handled the special characters. Anyway, I updated the page and the htaccess code is showing up correctly.

Reply

Jorge Portillo March 14, 2012 at 11:16 pm

You are the shit! thank you very much. You just saved my life

Reply

CP June 14, 2012 at 9:06 am

Simple, yet completely effective. I can now exclude add-on domains from my password protection. Thank you for sharing!

Reply

Kim January 7, 2013 at 9:56 am

Hi there, how would you exclude a specified folder instead of just file(s)?

Reply

john sujtih February 7, 2013 at 7:20 am

Hi
I have a question ,How to protect only one folder ,for example

http://www.example.com must be allow to access but http://www.example.com /admin/ this must restricted by ht-password ,is it possible ? please let me know .Thanks in advance !

Reply

Jani February 22, 2013 at 3:27 am

Are you missing the closing ??

Reply

Leave a Comment

Notify me of followup comments via e-mail. You can also subscribe without commenting.

Previous post:

Next post: