How to disable public access for whole site?

After building some sites with Grav, I now need to set up a non-public site.

For now I know I can prohibit public access per page, but I need to keep all pages non-public.
Even with the entry
site.login: true
a non-logged-in user has access to any media file included in the pages folder.

Is there any way to force a login on any URL for any non-logged-in user?

Thank you in advance for any help



Greetings - I’m new to Grav myself, but not new to the intertubes LOL
You didn’t mention what server config you’re using, i.e. O/S and web server.
But there is a plugin for Grav here called “Login” which seems to fit what you need.

There are several other auth/login plugins as well… “Login OAuth2” and “One Time Login”
and “Login LDAP” to name a few.

If you’re using Apache, then you can put an .htaccess file in your site’s root and it’s got a lot of authentication options. It applies to subdirs and all pages.
Here’s just one useful link I found

I hope this helps!

Hi David,

thank you for mentioning the login plugin.

Actually this plugin is already installed and configured.
And in fact there is an option to inherit the login requirements and even an option to protect media files residing in a protected page folder.

Unfortunately this only works if the pages or files are requested by a “normal” URL, e.g. /myParentFolder/page.
The problem appears in the following situation:

  1. I use numerical prefixes to order the parentFolder and pages
  2. now I want, for example, to present all media files within a subfolder using a simple loop to get the url() from any media file; the url is calculated as /user/pages/.page (or path)
  3. in this case I noticed that the given url() is NOT protected anymore.

So there are three possible mistakes:

  1. I misconfigured something - which I would think is most likely
  2. the plugin does not do a good job, just preventing files from being loaded via the given URL
  3. the method to get the url() responds with a little too much of the file path (for now it happens on XAMPP on Windows)

However - inspecting this problem I noticed that the last example of /user/pages/.page (or path)/.subpage/ would always be public - I think it happens due to the inserted "./user/pages/. " part of the URL - but this is always reachable.

Since a simple .htaccess logon would not show any hints about the DSGVO on the logon dialog, this is not an option.

So I am still stuck at this.

Kind regards

After getting this problem fixed, the site will live on an Apache or similar, proxyPassed by another Apache within a virtualHost directive.
Both running on CentOS.
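
Added example, not part of the original posts and not code from Grav or the Login plugin: a small audit helper that walks `user/pages`, derives for each media file both the route URL (numeric ordering prefixes stripped) and the direct `/user/pages/...` URL described above, and reports files where the route demands a login but the direct path answers 200. The function names, the extension set, the sample folder layout and the `fetch_status` callable (which must send the request without a session cookie) are assumptions; `simulated_status` stands in for a real HTTP client and only mimics the behaviour reported in this thread.

```python
import re
import tempfile
from pathlib import Path

MEDIA_EXT = {".jpg", ".png", ".gif", ".pdf", ".mp4"}   # assumed sample set, extend as needed
ORDER_PREFIX = re.compile(r"^\d+\.")                   # numeric ordering prefix, e.g. "01."

def media_urls(pages_root):
    """Return (route_url, direct_url) for every media file under user/pages."""
    root, pairs = Path(pages_root), []
    for f in sorted(root.rglob("*")):
        if f.is_file() and f.suffix.lower() in MEDIA_EXT:
            rel = f.relative_to(root)
            # The route form drops the ordering prefix from each folder name.
            folders = [ORDER_PREFIX.sub("", part) for part in rel.parts[:-1]]
            route_url = "/" + "/".join(folders + [rel.name])
            # The direct form is the on-disk path below the web root.
            direct_url = "/user/pages/" + rel.as_posix()
            pairs.append((route_url, direct_url))
    return pairs

def exposed_media(pages_root, fetch_status):
    """Files whose route URL demands a login but whose direct URL answers 200.

    fetch_status(url) -> int must issue the request WITHOUT a session cookie.
    """
    return [(route, direct) for route, direct in media_urls(pages_root)
            if fetch_status(route) != 200 and fetch_status(direct) == 200]

def build_sample_tree(base):
    """Constructed sample layout (not taken from the original post)."""
    for name in ("01.intern/02.reports/plan.pdf",
                 "01.intern/02.reports/default.md",
                 "01.intern/photo.jpg"):
        path = Path(base) / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"sample")
    return base

def simulated_status(url):
    """Stand-in for a real HTTP client; mimics the behaviour reported in the thread."""
    return 200 if url.startswith("/user/pages/") else 302

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for route, direct in exposed_media(build_sample_tree(tmp), simulated_status):
            print(f"login required at {route}, but open at {direct}")
```

Run against the real `user/pages` folder with a `fetch_status` that queries the deployed site, an empty result means no media file is reachable around the login by its direct path.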


You can try the maintenance plugin… that might give you the options you need.

Hi, could you solve it? Thank you.