Apache Doesn’t Show Protected Folders… Foo

After setting up a nice download area with password protection I ran into an interesting issue. And I don’t know why I haven’t encountered that problem before. It’s not that I never set up Apache configurations or have never heard of mod_auth and mod_autoindex.

But now to the problem itself. I had a set up for a download area and added a sub-folder that needed password protection. Here is the configuration:

<Directory /srv/www/myroot/>
         Options Indexes FollowSymLinks MultiViews
         AllowOverride None
         Order allow,deny
         Allow from all
</Directory>
<Directory /srv/www/myroot/downloads/protected/>
         Options Indexes FollowSymLinks MultiViews
         AllowOverride None
         Order allow,deny
         Allow from all
         AuthType Basic
         AuthName "Download area for Foo Bar"
         AuthUserFile /etc/apache2/private/htpasswd
         Require user me myself
</Directory>

Looks good, doesn’t it? Well, not 100% good. The folder protected didn’t show up in the directory index. After some additional coffee, a couple of face palms and a quick browse through Google and the Apache documentation I found the culprit. The setting ShowForbidden in the options for mod_autoindex. If it is not set everything that is forbidden or needs authentication will not show up in the directory index. Here is the tweaked version of the configuration (change in bold):

<Directory /srv/www/myroot/>
         Options Indexes FollowSymLinks MultiViews
         IndexOptions +ShowForbidden
         AllowOverride None
         Order allow,deny
         Allow from all
</Directory>
<Directory /srv/www/myroot/downloads/protected/>
         Options Indexes FollowSymLinks MultiViews
         AllowOverride None
         Order allow,deny
         Allow from all
         AuthType Basic
         AuthName "Download area for Foo Bar"
         AuthUserFile /etc/apache2/private/htpasswd
         Require user me myself
</Directory>