Home/ Questions/Q 8127461
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-06T07:32:18+00:00

I am trying to achieve authenticated file listing in Apache using PHP via Apache’s

  • 0

I am trying to achieve authenticated file listing in Apache using PHP via Apache’s autoindex module.

The way I imagined it was to have Apache run a PHP script as a header file. I’ve managed to get Apache run PHP correctly for the header file and it detects login cookies fine, too. But it seems that Apache runs the header file as a separate request which means if I try to send a redirection header from PHP it is not run.

My (simplified) Apache config:

DocumentRoot "/path/to/files_root"
Alias /~extra "/path/to/extra-data"

<Directory "/path/to/extra-data">
    Options -Indexes -MultiViews +Includes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

IndexOptions FancyIndexing HTMLTable SuppressHTMLPreamble
AddType text/html .php .html .htm
AddOutputFilter INCLUDES .php
AddHandler application/x-httpd-php .php
HeaderName "/~extra/HEADER.php"

My HEADER.php file:

<?php

if ( ! my_validate_cookie_function()) {
    header('HTTP/1.1 302 Found');
    header('Location: http://login.example.com/');
    exit(1);
}

So, the header isn’t sent to the browser. Setting Apache environment viariables doesn’t seem to work, as they are long gone the moment HEADER.php is finished executing.

The cookie itself is encrypted, hence need for PHP to validate it.

Any suggestions how to achieve the desired effect?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Here’s what I finally ended up with. Kudos go to Scott S who hinted me towards the solution.

    Apache config:

    ServerName listing.example.com
# A path to a location which you wanted listed
DocumentRoot "/path/to/listed/location"

<Directory "/path/to/listed/location">
    # Ignore .htaccess files
    AllowOverride None
    # Disable Apache's own indexing, CGI execution and Apache Includes
    Options -Indexes -MultiViews -ExecCGI -Includes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>

<Directory "/path/to/php/listing/app">
    Options -MultiViews ExecCGI
    Order allow,deny
    Allow from all
</Directory>

<IfModule dir_module>
    # index.php should not be listed here as we will not want PHP scripts to be executed
    DirectoryIndex index.html index.htm
</IfModule>

<IfModule alias_module>
    # This is for CSS/JS files
    Alias /~media /path/to/php/listing/app/media
</IfModule>

<IfModule xsendfile_module>
    # Because the files listed might be large, we want to pass the file handling
    # to Apache via XSendFile Module
    # @see: https://tn123.org/mod_xsendfile/
    XSendFile on
    XSendFilePath "/path/to/listed/location"
</IfModule>

# Uncomment the two setting below if your listing a mounted drive
# EnableSendfile Off
# EnableMMAP Off

<IfModule rewrite_module>
    RewriteEngine On
    # Make sure there are trailing slashes for Directory URLs
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d
    RewriteRule ^(.*[^/])$ $1/ [R=302,L]
    # Pass all file+dir requests to a PHP handler
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d [OR]
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f
    RewriteRule .* /path/to/php/listing/app/index.php/$0 [L]
</IfModule>

    And (a very simplified version of) my php script:

    <?php

if (my_authentication_check()) {
    $requested_path = realpath($_SERVER['DOCUMENT_ROOT'] . $_SERVER['REQUEST_URI']);
    $filename = substr($requested_path, strrpos($requested_path, DIRECTORY_SEPARATOR) + 1);

    if ($requested_path) {
        if (is_dir($requested_path)) {
            // Show dir contents
            $dir_contents = scandir($requested_path);
        } else {
            // Pass file download to XSendFile module
            header('X-Sendfile: ' . $requested_path);
            header('Content-Type: ' . my_get_file_mime($filename));
            exit;
        }
    } else {
        // display 404 error
    }
} else {
    // redirect to login screen, or display an error... whatever you fancy
}

    I actually use Kohana framework with my own libraries to handle authentication checks, display the listing, etc. You will have to take file permissions into account, too. E.g. on *nix systems you will need to check dirs for executable permission, while on Windows read access is enough.

    • 0