mod_rewrite conflicting with htpasswd protection

The root of my web site has a .htaccess file with mod_rewrite
configuration, as follows:

# Various rewrite rules

RewriteEngine on

# Rewrite URLs of the form 'index.php?q=x':
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]


So all requests that do not resolve to real files or directories are
rewritten as index.php?q=. From here on, it's all
handled by my CMS (Drupal - drupal.org).

I have a few subfolders where I keep other stuff that is not part of the
CMS. Up until now, I've been able to access such subfolders, e.g.
www.mysite.com/scrapbook/, without any problem. But today, I tried to
password-protect one of my subfolders. I put a .htaccess file in the
subfolder, with this code:

AuthType Basic

AuthName "Private area"

AuthUserFile /path/to/htpasswd

Require valid-user

After I uploaded this .htaccess file, when I tried to access the
subfolder, it no longer worked! Instead, mod_rewrite kicked in and
redirected me to index.php.

I tried commenting out the mod_rewrite code (shown at top of this post)
in the .htaccess file in the root directory. When I did this, I was able
to access the subfolder fine, AND the htpasswd protection worked 100%
(so my .htpasswd path is fine, mod_auth is installed, etc). When I
un-commented the code in the root .htaccess file, it once again
redirected me to index.php.

If I remove the .htaccess file in the subfolder, then I can access the
subfolder fine, but it has no password protection (which is what I'm
trying to give it!).

So basically it's a really weird problem:
- if mod_rewrite is off, htpasswd auth works fine
- if mod_rewrite is on and htpasswd is off, folder can be accessed
- if mod_rewrite is on and htpasswd is also on, folder cannot be accessed

I would have thought that it's impossible for mod_rewrite and mod_auth
to conflict with each other, but evidently this is what's happening. Any
ideas on how to fix this?

Thanks,

Jeremy.

Re: mod_rewrite conflicting with htpasswd protection

"Jeremy Epstein" schreef in bericht
news:423e3b65$0$26225$5a62ac22@per-qv1-newsreader-01.iinet.n et.au...
> The root of my web site has a .htaccess file with mod_rewrite
> configuration, as follows:
> # Various rewrite rules
>
> RewriteEngine on
> # Rewrite URLs of the form 'index.php?q=x':
> RewriteCond %{REQUEST_FILENAME} !-f
> RewriteCond %{REQUEST_FILENAME} !-d
> RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
>
>
> So all requests that do not resolve to real files or directories
That applies to any and all files in /scrapbook/ too ...

> I have a few subfolders where I keep other stuff that is not part of the
> CMS. Up until now, I've been able to access such subfolders, e.g.
> www.mysite.com/scrapbook/, without any problem. But today, I tried to
> password-protect one of my subfolders. I put a .htaccess file in the
> subfolder, with this code:
> AuthType Basic
> AuthName "Private area"
> AuthUserFile /path/to/htpasswd
> Require valid-user
>
> After I uploaded this .htaccess file, when I tried to access the
> subfolder, it no longer worked! Instead, mod_rewrite kicked in and
> redirected me to index.php.
rewrite is likely to kick in before others had a chance to add the trailing
slash and (index)filename.
An extra condition like
RewriteCond %{REQUEST_FILENAME} !^scrapbook/
should give your cms-rewrite a blind-spot.

> So basically it's a really weird problem:
> - if mod_rewrite is off, htpasswd auth works fine
> - if mod_rewrite is on and htpasswd is off, folder can be accessed
> - if mod_rewrite is on and htpasswd is also on, folder cannot be accessed
Apache walks down the path looking for .htaccess files in each folder
traversed and handles them in the order found.
Your rewrite at the .htaccess at document-root is diverting the request
_away_ from the folder /scrapbook/, thus its .htaccess is never processed.


HansH

Re: mod_rewrite conflicting with htpasswd protection

> > After I uploaded this .htaccess file, when I tried to access the
> > subfolder, it no longer worked! Instead, mod_rewrite kicked in and
> > redirected me to index.php.
> rewrite is likely to kick in before others had a chance to add the trailing
> slash and (index)filename.
> An extra condition like
> RewriteCond %{REQUEST_FILENAME} !^scrapbook/
> should give your cms-rewrite a blind-spot.

Already tried adding an extra condition just like that... had no
effect.

> > So basically it's a really weird problem:
> > - if mod_rewrite is off, htpasswd auth works fine
> > - if mod_rewrite is on and htpasswd is off, folder can be accessed
> > - if mod_rewrite is on and htpasswd is also on, folder cannot be accessed
> Apache walks down the path looking for .htaccess files in each folder
> traversed and handles them in the order found.
> Your rewrite at the .htaccess at document-root is diverting the request
> _away_ from the folder /scrapbook/, thus its .htaccess is never processed.

It's a bit more complicated than that. As I said, when the htpasswd
directives in the /scrapbook/ folder are removed, then the rewrite at
document-root DOES NOT divert the request. But when the htpasswd
directives are present in the /scrapbook/ folder, then the rewrite
DOES divert the request.

Since writing the original post, I've since performed additional
testing regarding this problem. I'm having the problem on my hosted
server, which is running Apache 1.3.33 on a Linux system. I tried
reproducing the problem on my local test environment, which is running
Apache 2.0.50 on WinXP (SP1). The problem does not occur in my test
environment, even though I set up folders and .htaccess files EXACTLY
the same way.

So maybe this is a bug in Apache 1.3.33?

Re: mod_rewrite conflicting with htpasswd protection

I have found an alternative way around this problem! Instead of trying
to access the subfolder directly (which doesn't seem to work), I made
the subfolder a subdomain. I am now able to access the subdomain, and
the .htaccess password protection works fine.

For example, say your site is www.coolsite.com, and the subfolder that
you want to password protect is www.coolsite.com/protected. If you try
to access this subfolder with clean URLs and .htpasswd protection on,
and it gives you a 404 not found, then what you can do is:

Make that subfolder a subdomain (e.g. using cPanel).

Then the URL protected.coolsite.com will resolve, and the password
protection will work fine.