Password-protect a directory, but not that directory's files?

Solution 1:

Try this in your .htaccess:

Require valid-user

<Files ?*>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

Here Require valid-user requires any known login. Then you amend this restriction for files with at least one character in their name – this is what the glob pattern ?* for the <Files> section will match –, which effectively means the enclosed rules apply to files, but not to directories.

In the amended rules for files, the key is Satisfy any. It allows the authorization to satisfied by either credentials or IP address. Then you allow any IP address to pass, so requests are always authorised.

So now browsing this directory or any of its subdirectories will require a login, but directly retrieving a file from it won’t.

Which is what you wanted.