.htaccess authentication problem, it is not asking for password due to a RewriteRule
In a site I have enabled .htaccess authentication. It worked fine in Plesk, and it is working fine in a debian server test site (it has no control panel).
But in cPanel this directive of .htaccess
RewriteRule .* index.php [L]
For some reason disable the authentication, at least for the root folder and some subfolders. Any idea what could be the cause of this?
-
Hello :) Could you let us know which entries are added to the .htaccess file for password authentication? Are these entries added before or after the Mod_Rewrite rules? Did you use the "Password Protect Directories" option in cPanel to require authentication? It's documented at: Password Protect Directories - Documentation - cPanel Documentation Thank you. 0 -
Sure: AuthName "Password Protected Area" AuthType Basic AuthUserFile /home/[USER]/public_html/.htpasswd require valid-user at the beginning of the .htaccess (also tried at the end, same result) Yes, I tried with the Password Protect Directories function, but same result. 0 -
at the beginning of the .htaccess (also tried at the end, same result)
Please post the full htaccess, it seems to me you're doing something wrong there.0 -
Here it is: AuthName "Password Protected Area" AuthType Basic AuthUserFile /home/[USER]/public_html/.htpasswd require valid-user ############################################ ## default index file DirectoryIndex index.php ############################################ ## adjust memory limit php_value memory_limit 256M php_value max_execution_time 18000 ############################################ ## disable magic quotes for php request vars php_flag magic_quotes_gpc off ############################################ ## disable automatic session start ## before autoload was initialized php_flag session.auto_start off ########################################### # disable user agent verification to not break multiple image upload php_flag suhosin.session.cryptua off ########################################### # turn off compatibility with PHP4 when dealing with objects php_flag zend.ze1_compatibility_mode Off ########################################### # disable POST processing to not break multiple image upload SecFilterEngine Off SecFilterScanPOST Off ############################################ ## make HTTPS env vars available for CGI mode SSLOptions StdEnvVars ############################################ ## enable rewrites Options +FollowSymLinks RewriteEngine on ############################################ ## rewrite API2 calls to api.php (by now it is REST only) RewriteRule ^api/rest api.php?type=rest [QSA,L] ############################################ ## workaround for HTTP authorization ## in CGI environment RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] ############################################ ## TRACE and TRACK HTTP methods disabled to prevent XSS attacks RewriteCond %{REQUEST_METHOD} ^TRAC[EK] RewriteRule .* - [L,R=405] ############################################ ## redirect for mobile user agents #RewriteCond %{REQUEST_URI} !^/mobiledirectoryhere/.*$ #RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos|googlebot-mobile" [NC] #RewriteRule ^(.*)$ /mobiledirectoryhere/ [L,R=302] ############################################ ## always send 404 on missing files in these folders RewriteCond %{REQUEST_URI} !^/(media|skin|js)/ ############################################ ## never rewrite for existing files, directories and links RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-l ############################################ ## rewrite everything else to index.php RewriteRule .* index.php [L] # Line that is causing issues ############################################ ## Prevent character encoding issues from server overrides ## If you still have problems, use the second line instead AddDefaultCharset Off #AddDefaultCharset UTF-8 ############################################ ## Add default Expires header ExpiresDefault "access plus 1 year" ############################################ ## By default allow all access Order allow,deny Allow from all ########################################### ## Deny access to release notes to prevent disclosure of the installed Magento version order allow,deny deny from all ############################################0 -
Any ideas? 0 -
This appears to be a magento htaccess. Have you made any changes to this file on your server manually other than the password protection you have at top (assuming you did)? If no, you could try and replace this with the default htaccess for magento you started with, and then password protect the directory from within cPanel's tool for that. If that's doesn't resolve it, you might need to speak with magento support about this. When you mention "some sub folders" do they have their own password protection or htaccess in them? 0 -
When you mention "some sub folders" do they have their own password protection or htaccess in them? No. I think this could be a related problem. Access to: example.fi/. An authentication window will appear, press cancel, and it is possible to access the content . I created the authentication for this site using cPanel. The .htaccess (a standard Magento ,htaccess, minus the comments): DirectoryIndex index.php php_value memory_limit 10048M php_value max_execution_time 18000 php_flag magic_quotes_gpc off php_flag session.auto_start off php_flag suhosin.session.cryptua off php_flag zend.ze1_compatibility_mode Off SecFilterEngine Off SecFilterScanPOST Off SSLOptions StdEnvVars Options +FollowSymLinks RewriteEngine on RewriteRule ^api/rest api.php?type=rest [QSA,L] RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteCond %{REQUEST_METHOD} ^TRAC[EK] RewriteRule .* - [L,R=405] RewriteCond %{REQUEST_URI} !^/(media|skin|js)/ RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-l RewriteRule .* index.php [L] AddDefaultCharset Off ExpiresDefault "access plus 1 year" Order allow,deny Allow from all order allow,deny deny from all RewriteEngine on RedirectMatch 404 /\.git AuthType Basic AuthName "Password Protected Area" AuthUserFile "/home/USER/.htpasswds/subdomains/qa/passwd" require valid-user
For the record, this doesn't seems like a Magento issue. In the authentication works fine with the same files/dv in a different server.0 -
I suggest temporarily saving and then removing all entries from this .htaccess file, then setting up the "Password Protect" option again in cPanel to see if the issue continues without the custom Mod_Rewrite rules. Thank you. 0
Please sign in to leave a comment.
Comments
8 comments