I have a standard .htaccess for Yii 1.1, to which I added HTTP-based authorization.

When I added the password protection, the rewrite condition `RewriteCond %{REQUEST_FILENAME} !-f` stopped working, and now static file requests are processed through index.php.

But actually the password protection doesn't work either: I can just not enter any login data and click login, or click cancel, and the site will show up anyway.

What might be happening here?

I tried every option to address the passwd file, used the complete path, used ~ relative path, and current directory relative path as in the code here, but none of them worked.

I created the .htpasswd file with an online tool, I believe it to be ok, but if it was malformed, shouldn't it just block access instead of granting it? How come I'm asked for a password, none is given and then it lets me go through?

.htaccess:

```apache
AuthType Basic
AuthName "Authorreach Staging"
AuthUserFile .htpasswd
Require valid-user

# if a directory or a file exists, use it directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

# --- Lines relevant to this question end here (I think) ---

# For security reasons, Option followsymlinks cannot be overridden.
#Options +FollowSymLinks
Options +SymLinksIfOwnerMatch
RewriteEngine on

<Files ~ "\.(jpg|jpeg|png|gif|pdf)$">
   order deny,allow
   allow from all
   FileETag MTime Size
</Files>

# otherwise forward it to index.php
RewriteRule . index.php
```
Petruza
  • It's very unusual to separate your `RewriteCond` and `RewriteRule` directives (by so much!) - it makes it difficult to read and prone to bugs. (Presumably there are no `RewriteRule` directives in between?) "used the complete path" - yes, it will need to be an absolute file system path. So, your current version will not work (relative paths are relative to the `ServerRoot`). – MrWhite Nov 14 '16 at 20:03
  • @w3dk you're right, I re-arranged the RewriteCond to keep the important part at the top, but checked that it still worked the same way. I used the absolute file system path to the .htpasswd file and it didn't work either. And anyway, if Apache couldn't find the passwd file, shouldn't it stop serving the request? Or do I have to add another directive after the auth block to tell it to stop serving the request? – Petruza Nov 15 '16 at 13:44
  • "if apache couldn't find the passwd file, shouldn't it stop serving the request?" - yes, since the `Require valid-user` condition won't have been met. However, I would also expect to see a 500 error. Do you get any errors logged? If you have access to the server config you should increase the `LogLevel` to debug/trace what is going on. – MrWhite Nov 16 '16 at 08:30
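
The two points raised in the comments (a relative `AuthUserFile` is resolved against `ServerRoot`, and `RewriteCond` lines are easier to audit directly above their `RewriteRule`) can be checked mechanically before a staging config is deployed. The Python script below is an added example, not part of the original question or comments; `lint_htaccess` is a hypothetical helper, the sample is a constructed abbreviation of the posted file, and Unix-style paths are assumed.

```python
# Constructed sample: abbreviated copy of the .htaccess from the question.
SAMPLE = """\
AuthType Basic
AuthName "Authorreach Staging"
AuthUserFile .htpasswd
Require valid-user

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

Options +SymLinksIfOwnerMatch
RewriteEngine on

RewriteRule . index.php
"""

def lint_htaccess(text):
    """Return (line_number, message) findings for an .htaccess body."""
    findings = []
    pending_cond = None  # line of the first RewriteCond still waiting for a rule
    gap = False          # another directive appeared after that RewriteCond
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments do not separate directives
        parts = line.split(None, 1)
        name = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if name == "authuserfile":
            path = arg.strip('"')
            if not path.startswith("/"):
                findings.append((no, "AuthUserFile %r is relative; "
                                     "it is resolved against ServerRoot" % path))
        elif name == "rewritecond":
            if pending_cond is None:
                pending_cond, gap = no, False
        elif name == "rewriterule":
            if pending_cond is not None and gap:
                findings.append((no, "RewriteRule is separated from its "
                                     "RewriteCond (line %d)" % pending_cond))
            pending_cond = None
        elif pending_cond is not None:
            gap = True
    if pending_cond is not None:
        findings.append((pending_cond, "RewriteCond has no following RewriteRule"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_htaccess(SAMPLE):
        print("line %d: %s" % (no, msg))
```

A clean lint result only covers these two layout points; whether the directory actually demands credentials still has to be confirmed with an unauthenticated request and the server error log.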
