.htaccess authentication problem, it is not asking for password due to a RewriteRule

guillof

In a site I have enabled .htaccess authentication. It worked fine in Plesk, and it is working fine in a Debian server test site (it has no control panel).
But in cPanel this directive of .htaccess

RewriteRule .* index.php [L]

For some reason disables the authentication, at least for the root folder and some subfolders. Any idea what could be the cause of this?
 

cPanelMichael

Administrator
Staff member
Hello :)

Could you let us know which entries are added to the .htaccess file for password authentication? Are these entries added before or after the Mod_Rewrite rules? Did you use the "Password Protect Directories" option in cPanel to require authentication? It's documented at:

Password Protect Directories - Documentation - cPanel Documentation

Thank you.
 

guillof

Sure:

AuthName "Password Protected Area"
AuthType Basic
AuthUserFile /home/[USER]/public_html/.htpasswd
require valid-user

at the beginning of the .htaccess (also tried at the end, same result)

Yes, I tried with the Password Protect Directories function, but same result.
 

guillof

Here it is:

Code:
AuthName "Password Protected Area"
AuthType Basic
AuthUserFile  /home/[USER]/public_html/.htpasswd
require valid-user


############################################
## default index file

  DirectoryIndex index.php

<IfModule mod_php5.c>

############################################
## adjust memory limit

  php_value memory_limit 256M
  php_value max_execution_time 18000

############################################
## disable magic quotes for php request vars

  php_flag magic_quotes_gpc off

############################################
## disable automatic session start
## before autoload was initialized

  php_flag session.auto_start off


###########################################
# disable user agent verification to not break multiple image upload

  php_flag suhosin.session.cryptua off

###########################################
# turn off compatibility with PHP4 when dealing with objects

  php_flag zend.ze1_compatibility_mode Off

</IfModule>

<IfModule mod_security.c>
###########################################
# disable POST processing to not break multiple image upload

  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

<IfModule mod_deflate.c>


</IfModule>

<IfModule mod_ssl.c>

############################################
## make HTTPS env vars available for CGI mode

  SSLOptions StdEnvVars

</IfModule>

<IfModule mod_rewrite.c>

############################################
## enable rewrites

  Options +FollowSymLinks
  RewriteEngine on

############################################
## rewrite API2 calls to api.php (by now it is REST only)

  RewriteRule ^api/rest api.php?type=rest [QSA,L]

############################################
## workaround for HTTP authorization
## in CGI environment

  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

############################################
## TRACE and TRACK HTTP methods disabled to prevent XSS attacks

  RewriteCond %{REQUEST_METHOD} ^TRAC[EK]
  RewriteRule .* - [L,R=405]

############################################


## redirect for mobile user agents

  #RewriteCond %{REQUEST_URI} !^/mobiledirectoryhere/.*$
  #RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos|googlebot-mobile" [NC]
  #RewriteRule ^(.*)$ /mobiledirectoryhere/ [L,R=302]

############################################
## always send 404 on missing files in these folders

  RewriteCond %{REQUEST_URI} !^/(media|skin|js)/

############################################
## never rewrite for existing files, directories and links

  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_FILENAME} !-l

############################################
## rewrite everything else to index.php

  ## the RewriteRule below is the line that is causing issues
  RewriteRule .* index.php [L]

</IfModule>


############################################
## Prevent character encoding issues from server overrides
## If you still have problems, use the second line instead

  AddDefaultCharset Off
  #AddDefaultCharset UTF-8

<IfModule mod_expires.c>

############################################
## Add default Expires header

  ExpiresDefault "access plus 1 year"

</IfModule>

############################################
## By default allow all access

  Order allow,deny
  Allow from all

###########################################
## Deny access to release notes to prevent disclosure of the installed Magento version

  <Files RELEASE_NOTES.txt>
  order allow,deny
  deny from all
  </Files>

############################################
 

Infopro

This appears to be a Magento .htaccess. Have you made any changes to this file on your server manually other than the password protection you have at top (assuming you did)? If no, you could try to replace this with the default .htaccess for Magento you started with, and then password protect the directory from within cPanel's tool for that.

If that doesn't resolve it, you might need to speak with Magento support about this.

When you mention "some sub folders" do they have their own password protection or htaccess in them?
 

guillof

When you mention "some sub folders" do they have their own password protection or htaccess in them?

No.

I think this could be a related problem. Access to: example.fi/. An authentication window will appear, press cancel, and it is possible to access the content.

I created the authentication for this site using cPanel. The .htaccess (a standard Magento .htaccess, minus the comments):

Code:
  DirectoryIndex index.php

<IfModule mod_php5.c>
  php_value memory_limit 10048M
  php_value max_execution_time 18000
  php_flag magic_quotes_gpc off
  php_flag session.auto_start off
  php_flag suhosin.session.cryptua off
  php_flag zend.ze1_compatibility_mode Off
</IfModule>

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

<IfModule mod_ssl.c>
  SSLOptions StdEnvVars
</IfModule>

<IfModule mod_rewrite.c>
  Options +FollowSymLinks
  RewriteEngine on
  RewriteRule ^api/rest api.php?type=rest [QSA,L]
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteCond %{REQUEST_METHOD} ^TRAC[EK]
  RewriteRule .* - [L,R=405]
  RewriteCond %{REQUEST_URI} !^/(media|skin|js)/

  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_FILENAME} !-l
  RewriteRule .* index.php [L]
</IfModule>

  AddDefaultCharset Off

<IfModule mod_expires.c>
  ExpiresDefault "access plus 1 year"
</IfModule>

  Order allow,deny
  Allow from all

  <Files RELEASE_NOTES.txt>
  order allow,deny
  deny from all
  </Files>

RewriteEngine on
RedirectMatch 404 /\.git

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile "/home/USER/.htpasswds/subdomains/qa/passwd"
require valid-user

For the record, this doesn't seem like a Magento issue. The authentication works fine with the same files/dv on a different server.
 

cPanelMichael

Administrator
Staff member
I suggest temporarily saving and then removing all entries from this .htaccess file, then setting up the "Password Protect" option again in cPanel to see if the issue continues without the custom Mod_Rewrite rules.

Thank you.
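
The isolation test suggested in this thread (auth directives alone first, then with the rewrite rules restored) can be made repeatable. The following is an added example, not code from any post or from cPanel: it splits an .htaccess into its auth stanza and everything else, and classifies the response to a request sent without credentials. The function names, the sample file and the three responses are constructed for illustration.

```python
AUTH_DIRECTIVES = {"authtype", "authname", "authuserfile", "require"}

def split_htaccess(text):
    """Split .htaccess text into (auth directives, every other line)."""
    auth, rest = [], []
    for line in text.splitlines():
        words = line.split()
        if words and words[0].lower() in AUTH_DIRECTIVES:
            auth.append(line.strip())
        else:
            rest.append(line)
    return auth, rest

def check_unauthenticated(status, headers, body, marker):
    """Classify a response to a request sent without credentials.

    marker: text that appears only on the protected page.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    challenged = (status == 401 and
                  hdrs.get("www-authenticate", "").lower().startswith("basic"))
    if not challenged:
        return "not-enforced"
    # A browser renders the 401 body when the prompt is cancelled, so
    # protected content in that body is still exposed.
    return "challenge-with-content" if marker in body else "enforced"

# Constructed sample file, reduced from the directives posted in the thread.
SAMPLE_HTACCESS = """\
AuthName "Password Protected Area"
AuthType Basic
AuthUserFile /home/USER/public_html/.htpasswd
require valid-user
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule .* index.php [L]
</IfModule>
"""

# Constructed responses (status, headers, body) for three test outcomes.
CHALLENGE = {"WWW-Authenticate": 'Basic realm="Password Protected Area"'}
SAMPLES = {
    "prompt, no content": (401, CHALLENGE, "Authorization Required"),
    "prompt, content in body": (401, CHALLENGE, "<h1>QA storefront</h1>"),
    "no prompt": (200, {}, "<h1>QA storefront</h1>"),
}

if __name__ == "__main__":
    auth, _ = split_htaccess(SAMPLE_HTACCESS)
    print("step 1, auth-only file:", auth)
    for name, (status, headers, body) in SAMPLES.items():
        print(name, "->", check_unauthenticated(status, headers, body, "QA storefront"))
```

Run the check after each step of the isolation, feeding it the status, headers and body of a real unauthenticated request; only "enforced" means the directory is actually protected.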