I try to protect the access to a subdirectory by http auth using .htaccess file configuration.
This is the full working code for apache 2.4 in my case.
# Conditionally set environment variable BACKEND_PROTECTION (version for apache 2.4)
<If "%{HTTP_HOST} == 'www.somedomain.de'">
SetEnvIf REQUEST_URI "^/typo3/" BACKEND_PROTECTION
</If>
<If "%{HTTP_HOST} == 'www.someotherdomain.de'">
SetEnvIf REQUEST_URI "^/typo3/" BACKEND_PROTECTION
</If>
<RequireAny>
<RequireAll>
Require not env BACKEND_PROTECTION
Require all granted
</RequireAll>
<RequireAll>
AuthType Basic
AuthName "Protected URI"
AuthUserFile /var/www/config/.htpasswd
Require valid-user
</RequireAll>
</RequireAny>
Now I need to additionally exclude a subdirectory of that directory from authentification, so this is what I tried.
<If "%{HTTP_HOST} == 'www.somedomain.de'">
SetEnvIf REQUEST_URI "^/typo3/" BACKEND_PROTECTION
</If>
<If "%{HTTP_HOST} == 'www.someotherdomain.de'">
SetEnvIf REQUEST_URI "^/typo3/" BACKEND_PROTECTION
</If>
# disable protection for backend files loaded in frontend
SetEnvIf REQUEST_URI "^/typo3/sysext/" !BACKEND_PROTECTION
But this does not work, after this code, the following <RequireAny> block from above triggers http authentification as if BACKEND_PROTECTION was stil set.
But if I put the negation inside <If></If> it works as expected.
<If "%{HTTP_HOST} == 'www.somedomain.de'">
SetEnvIf REQUEST_URI "^/typo3/" BACKEND_PROTECTION
SetEnvIf REQUEST_URI "^/typo3/sysext/" !BACKEND_PROTECTION
</If>
<If "%{HTTP_HOST} == 'www.someotherdomain.de'">
SetEnvIf REQUEST_URI "^/typo3/" BACKEND_PROTECTION
SetEnvIf REQUEST_URI "^/typo3/sysext/" !BACKEND_PROTECTION
</If>
Why is it that way? What does the following statement taken from the If-Documentation exactly mean?
Description: Contains directives that apply only if a condition is satisfied by a request at runtime
Is the other code inside .htacces not processed during the same runtime? Or just in a earlier stage of that runtime during some kind of pre-compile step?
