.htpasswd and .htaccess question


Hi. I’ve got a question about using .htaccess and .htpasswd files to control access to my domain.

I know how to password protect my domain root, which also protects all of the directories below it.

And I know how to leave the root itself UN-password protected and to selectively password protect specific sub directories.

But is it possible to do the opposite of that: keep the domain root pw protected and specify a subdir to NOT be pw protected? This seems like it should be possible, but I can’t figure out a way to do it, or find any info on this.

Is this in fact possible?



It appears that the solution is to create a .htaccess file in the unprotected directory with only this line:

Satisfy any

But I have yet to test this.



Hi. Thanks for the reply. That seems to work. An index.html page in that directory shows up without the need for a user ID and pw, but the prompt for the ID/pw still comes up. It can be dismissed by cancelling out. So it would be nice to eliminate that. Hmmm… have to do some additional research. I found this site by including “satisfy any” in my search. Looks promising:


From: SetEnvIf, Authentication

SetEnvIfNoCase Request_URI / HTTPMY_ROOT Order Deny,Allow Deny from All Allow from env=HTTPMY_ROOT Satisfy Any Thats a fast way to do it. You might want to take a look at mod_rewrite or mod_security if your trying to secure something.

Kinda interesting question Nico :slight_smile:

AskApache Web Development Blog


Thanks for the reply, AskApache.

In the .htaccess code you gave me, was I supposed to replace any of those variables, such as the HTTPMY_ROOT with something more specific or is that it?

When I put that code into the .htaccess file, it worked the same as when the file only contained only the Satisfy Any line: The subdir becomes available without a pw, and the index file comes up right away, but there is also a popup prompt for a user name and pw (as though trying to access the pw protected root.) That prompt can be canceled without providing either, and then the page is fully available (and, I assume, any other pages in or under that subdir, though I’ve not checked this.)

But is there a way to eliminate that sign in prompt, or is that just an inevitable byproduct of accessing the unprotected subdir of an otherwise protected domain?


Oh… glad you found the question interesting! I’ve bookmarked askapache.com. It looked quite helpful… though the music that plays from the home page, while it sounds quite nice, still managed to scare the $#!% out of me when it came on unexpectedly at full vol! :slight_smile:



This should work, let me know … i fixed the volume issue! Glad for the tip

[code]SetEnvIf Request_URI ^/$ HTTP_MY_ROOT

AuthName "Protection"
AuthUserFile /home/user/f/.htpasswd
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from All
Allow from env=HTTP_MY_ROOT
Satisfy Any
[/code]AskApache Web Development Blog


Hey AskApache. I appreciate your looking into that!

The new code isn’t quite doing it. Note that I’m placing it in the dir that I want to UNprotect, say, www.domain.com/public/ even after I change the AuthUserFile path to point to the .htpasswd file in my site root. As for the Authname, I have to admit I’m just taking guesses as to what I might change that to, or if it needs to be changed at all. On all but one variation of this code, I get an “Authorization Required” notice.

That variation is only thing that’s worked so far is to simply have only Satisfy Any in the .htpasswd file at domain.com/public/. With that alone, here’s what happens:

I can get into that specific folder without a pw – the index page comes up right away – but the browser still immediately pops up the usual sign in prompt window, as though trying to access the root. That prompt can be canceled without generating any error and the page remains visible. But, the prompt reappears when trying to navigate within that folder, e.g., when trying to go to public/page2.html, it again pops up and can agin be dismissed without error. Then, using the Previous button to return to the already viewed public/index.html again causes the same prompt, which can again be dismissed. Etc. etc.

I’m guessing that HTTP_MY_ROOT is a variable I need to change to something else. Or to perhaps put all of this in the .htpasswd file located in my site root. Is that the case? (I’m totally new to Apache stuff, if that wasn’t already obvious! Though I do have XAMPP installed on my local computer and am running a local installation of Movable Type, and that’s quite useful and fun.)

Thanks again!


Or it could be something as simple as your browser is requesting a file on a password protected area of the site, a lot of HTTP requests occur in the background, the only way to check is by using a tool like WireShark, or you can check the servers access logs for your domain located in ~/logs/domain.tld/http/access.log

Using a tool like wireshark is how I figure stuff like this out, its especially useful for debugging apache and basic authorization.

You can set wireshark to only capture requests to/from your server and/or limited to HTTP only.

If it turns out its something like your browser just requesting a favicon or perhaps an old internet explorer file that is requesting 304 If Modifieds then you will save yourself a lot of time.

Good luck~

[color=#00CC00] _ _| _ _ _ _|_ _ (_|_\|<(_||_)(_|(_| |(/_ | [/color]