Protecting everything except /index.html

[Swifty]

I'm setting up a new server where I want everything to require
authorisation with the single exception of index.html in the
documentroot.

So http://example.com/ is open access, as is
http://example.com/index.html but anything else will require ID/pw.

I've set up all sorts of authorisation schemes in the past, but never
one quite like this.

Is there an obvious way to achieve this (or some sneaky trick; I'm
open to inventive mechanisms).

I doubt it will make any great difference, but I'm likely to force
everything to use https in the near future.

--
Steve Swift
http://www.swiftys.org.uk/swifty.html
http://www.ringers.org.uk

[Andre]

Le 25/04/2012 12:46, Swifty a écrit :
> I'm setting up a new server where I want everything to require
> authorisation with the single exception of index.html in the
> documentroot.
>
> So http://example.com/ is open access, as is
> http://example.com/index.html but anything else will require ID/pw.
>
> I've set up all sorts of authorisation schemes in the past, but never
> one quite like this.
>
> Is there an obvious way to achieve this (or some sneaky trick; I'm
> open to inventive mechanisms).
>
> I doubt it will make any great difference, but I'm likely to force
> everything to use https in the near future.
>

The only thing I could think ( for the moment ) is, have everything in
another directory ( or in the level under your DocumentRoot ) and
require authentiction for every other directories.
Your index.html could use HREF to point where it's needed.
André

[Swifty]

On Wed, 25 Apr 2012 16:11:27 +0200, Andre <pas....@ailleur.be> wrote:

>The only thing I could think ( for the moment ) is, have everything in
>another directory ( or in the level under your DocumentRoot ) and
>require authentiction for every other directories.

That's going to be my fallback position. It may even end up as my
preferred alternative, as the server's main purpose is to allow users
to host their own sites via the userdir mechanism.

I'll be the only person with files in the document root; everything
else will be under /home/[userid]/public_html/

However, now I've got this "How would I do that?" question stuck in my
brain, I'm going to carry on trying to find a technical solution.

[BootNic]

In article <t3lfp79ap94rh4dt5...@4ax.com>,

Swifty <steve....@gmail.com> wrote:

> I'm setting up a new server where I want everything to require
> authorisation with the single exception of index.html in the
> documentroot.
>
> So http://example.com/ is open access, as is
> http://example.com/index.html but anything else will require
> ID/pw.
>
> I've set up all sorts of authorisation schemes in the past, but
> never one quite like this.
>
> Is there an obvious way to achieve this (or some sneaky trick;
> I'm open to inventive mechanisms).
>
> I doubt it will make any great difference, but I'm likely to
> force everything to use https in the near future.

For testing purposes I use two configuration files so I don't have to restart
apache with every change.

1. .htaccess

2. .htaccessSSL

.htaccess for port 80

.htaccessSSL for port 443

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
AccessFileName .htaccessSSL
### more configuration directives
</VirtualHost>
</IfModule>

.htaccess:

RewriteEngine on
### no authentication required for index
### allow it to be served without ssl
### everything other then index redirected to ssl
RewriteCond %{REQUEST_URI} !/movies/(index\.(php|htm(l)?))?$ [NC]
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
#########################

.htaccessSSL:

AuthName "Movies"
AuthType Basic
AuthUserFile /var/www/.applecart

<Files "*">
SSLOptions StrictRequire
SSLRequireSSL
require valid-user
</Files>

<FilesMatch "index\.(php|htm(l)?)">
Allow from all
Satisfy any
</FilesMatch>

--
BootNic Fri Apr 27, 2012 10:50 pm
It's not that some people have willpower and some don't. It's that some people
are ready to change and others are not.
*James Gordon*