UNPROTECTING A DIRECTORY IN APACHE

After having set up the Apache Web server [1], one of the first things most developers learn is how to protect a directory with an .htaccess file. But how do you unprotect a directory?
Say you've used an .htaccess file like this one (or the main Apache configuration file) to protect either a directory of your site or the entire site so that you need a valid user name and password to access it:
AuthType Basic
AuthName "Restricted Directory"
AuthUserFile /web/users
Require valid-user

Now this restriction will of course apply to all subdirectories as well. So what do you do if you want to open one of those subdirectories for public access? If you check the documentation, there is actually no way to switch off the Require directive [2]!

The solution comes from the much lower profile Satisfy directive [3], which controls how the Allow and Deny directives work together with the Require directive. By default, if you use Allow/Deny to restrict the IPs from which browsers may connect and you also switch on user authentication with Require, browsers must satisfy both requirements -- they must come from an acceptable IP and they must provide valid authentication credentials.

In order to remove password protection from a directory, use the Satisfy Any directive so that acceptable IP addresses need not provide authentication credentials in that directory. Then set Order Deny,Allow and Allow from all for that directory, opening it for public access.

Here's what the .htaccess file for the subdirectory should look like:

Satisfy Any
Order Deny,Allow
Allow from all

There you have it -- a publically accessible directory within a password-protected directory or site!

[1] http://httpd.apache.org/
[2] http://httpd.apache.org/docs-2.0/mod/core.html#require
[3] http://httpd.apache.org/docs-2.0/mod/core.html#satisfy