Allow files to be listed when viewing a directory but protected (via HTTP authentication) when accessed directly
I'm protecting the CSV files in that directory. They disappear when that auth directive is set. It shows up when I remove it. I want to be able to at least see the files, but when accessing these files it would offer a auth prompt.
When a directory listing is generated using mod_autoindex, an internal subrequest is issued for each file that appears in the directory listing. When using a <FilesMatch "^(.*).csv$"> container then it is also being processed for these subrequests and consequently the entry of these files in the directory listing is also blocked.
An alternative to using the <FilesMatch> directive is to use an <If> expression and test against THE_REQUEST server variable instead. This is then only successful when the .csv files are actually requested by the user and not when browsing the directory listing.
For example:
# Directory listings (mod_autoindex) need to be enabled
Options +Indexes
# Protect CSV files from being accessed, but still visible in directory listing
<If "%{THE_REQUEST} =~ m#\.csv(\s|\?)#">
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /xxxxx/test
Require valid-user
</If>
THE_REQUEST contains the first line of the HTTP request. eg. GET /foo/test.csv HTTP/1.1 (in the case of a GET request for /foo/test.csv) - and does not change throughout the request. So when requesting the directory itself, eg. /foo/ then the enclosed block is not processed and the listing of these files are not blocked.
The added complication is that THE_REQUEST contains the entire URL as requested, which could include a query string. So, the check for (\s|\?) (ie. whitespace or a literal ?) is to avoid the password check being bypassed by simply including a query string. eg. /foo/test.csv?anything.