I'm trying to lock down a tree of directories (but allow through image files) using the following .htaccess rule
AuthType Basic
AuthName "Test Sites. *Please Contact xxxxxxx for access.*"
AuthUserFile /home/www/testsites/.htpasswd
Require valid-user
<FilesMatch "\.(gif|jpe?g|png)$">
Satisfy Any
Allow from all
</FilesMatch>
However, when I try it, I'm still being asked to authenticate against images if the image is not directly within the httpdocs directory.
In other words
http://www.testsites.com/test.jpg would be allowed through, but http://www.testsites.com/sitename/images/test.jpg is asking for authentication.
Any idea why this might be happening?
Try this alternative approach based on mod_setenvif:
SetEnvIfNoCase Request_URI "\.(gif|jpe?g|png)$" ALLOWED
AuthType Basic
AuthName "Test Sites. *Please Contact xxxxxxx for access.*"
AuthUserFile /home/www/testsites/.htpasswd
Require valid-user
Satisfy any
Order deny,allow
Deny from all
Allow from env=ALLOWED