I have publicly accessible files on my webserver. I'd like to enable AutoIndexing (Options +Indexes) but I'd like to require a password in order to view these listings. I have no problem setting up the Auth but there are complications with the public files and the DirectoryIndex files in that if someone also asks for a directory, and there is an DirectoryIndex file, they shouldn't have to enter a password for this. Only the AutoIndexing should require a password for security reasons.
Here is what I came up with:
Options +Indexes
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_FILENAME}index.php -f
RewriteRule ^.*$ %{REQUEST_URI}index.php [R,NE,L]
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_FILENAME}index.html -f
RewriteRule ^.*$ %{REQUEST_URI}index.html [R,NE,L]
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_FILENAME}index.htm -f
RewriteRule ^.*$ %{REQUEST_URI}index.htm [R,NE,L]
<FilesMatch "^$">
AuthName "My Auth Name"
AuthType Basic
AuthUserFile /path/to/my/.htpasswd
Require valid-user
</FilesMatch>
The FilesMatch bit works fine. Any request for a directory is asked to log in but normal files pass through. That's the easy bit, the hard part is getting the DirectoryIndexes to render without logging in. The rewrite at the top was my failed attempt to redirect the request before it asked for the auth, but no dice, it asks for the auth first no matter what.
I've done about 6 hours of research on this and at this point I'm about to give up. Any help would be appreciated.
Edit: here is an example directory structure.
/images/blah.jpg <- does not require a password
/images/ <- requires a password to view listing
/index.html <- does not require a password
/ <- does not require a password because a DirectoryIndex file exists (index.html)