htaccess not working correctly

[CBG]

Hi,

I install cPanel on a fresh server yestarday and noticed today that .htaccess don't appear to be working as it should.

When Password protect is being used, I need to put 'RewriteEngine off' above it, for it to work.

However this then breaks the Rewrite rules and they don't work.
I just write out the password protect and the URL Rewite works and tried with just the Password Protect in it from AuthType down.

But together they will not.
I have full root access to the server, and can't seem to work it out.

Here is the .htaccess.
The path to the .htaccess is /home/USERNAME/dev.DOMAIN.co.uk/.htaccess

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]

RewriteEngine off
AuthType Basic
AuthName "Dev Zone"
AuthUserFile "/home/USERNAME/.htpasswds/dev.DOMAIN.co.uk/passwd"
require valid-user

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php70” package as the default “PHP” programming language.
<IfModule mime_module>
  AddType application/x-httpd-ea-php70 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit

 

[Jcats]

What if you place the rules above the rewrites?

 

[CBG]

If I put the password protect above the rewrite rules, it ask for username and password, but when you press cancel, it starts to load the page and not give a 401, same if I remove RewriteEngine off

It weird not seen this before.

Also if I put the below at the top, it doesn't work either, just starts to load the page

order deny,allow
deny from all
allow from 127.0.0.1
allow from 192.168.1.5
allow from 192.168.1.6

The 192.168.1.* are replaced with really ips

 

[Jcats]

Then add:

Errordocument 401 default

right below the htpasswd rules like

AuthType Basic
AuthName "Dev Zone"
AuthUserFile "/home/USERNAME/.htpasswds/dev.DOMAIN.co.uk/passwd"
require valid-user
Errordocument 401 default


RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]

 

[CBG]

Thank you, that did the trick
Feel like a complete doughnut

 

[cPanelMichael]

Hello @CBG,

I'm glad to see that modification helped. Note that I did try reproducing this behavior. I tested with an account using the following entries in the /home/user/public_html/.htaccess file:

# php -- BEGIN cPanel-generated handler, do not edit
<IfModule fcgid_module>
    <IfModule mime_module>
        AddHandler fcgid-script .php .php7 .phtml
    </IfModule>
</IfModule>

# php -- END cPanel-generated handler, do not edit
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]

I setup two test files in /home/user/public_html/ named index.php and test.php. I then browsed to cPanel >> Directory Privacy and password protected the public_html directory. Upon doing so, the .htaccess file was updated to:

# php -- BEGIN cPanel-generated handler, do not edit
<IfModule fcgid_module>
    <IfModule mime_module>
        AddHandler fcgid-script .php .php7 .phtml
    </IfModule>
</IfModule>

# php -- END cPanel-generated handler, do not edit
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
AuthType Basic
AuthName "123"
AuthUserFile "/home/user/.htpasswds/public_html/passwd"
require valid-user

I confirmed that authentication was required, and when entered, the redirects worked as expected. Additionally, failed authentication attempts correctly showed the unauthorized page. Were there any differences to how you tested this?

Thank you.

 

[CBG]

Hi,

The only different it was on a sub-domain and that the PHP to use was at the bottom.
The sub-domain was located outside of the public_html folder, so was in /home/USERNAME/dev.DOMAIN.co.uk/.htaccess

Thanks

 

[cPanelMichael]

Hi,

The only different it was on a sub-domain and that the PHP to use was at the bottom.
The sub-domain was located outside of the public_html folder, so was in /home/USERNAME/dev.DOMAIN.co.uk/.htaccess

Thanks

Hi Garry,

I tested the scenario with a subdomain as well, and confirmed it continued to work properly. Here's a look at the .htaccess file used in the subdomain's document root:

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]

# php -- BEGIN cPanel-generated handler, do not edit
<IfModule fcgid_module>
    <IfModule mime_module>
        AddHandler fcgid-script .php .php7 .phtml
    </IfModule>
</IfModule>

# php -- END cPanel-generated handler, do not edit
AuthType Basic
AuthName "123"
AuthUserFile "/home/user/.htpasswds/public_html/test1/passwd"
require valid-user

Do you have another .htaccess file in the parent directory (e.g. public_html/.htaccess) with additional rewrite rules that are inherited by the subdirectory?

Thank you.

 

[CBG]

Hi,

Yes I have the below .htaccess in home/USERNAME/public_html/

RewriteEngine on
RewriteCond %{HTTP_HOST} ^(www.)?DOM-AIN.co.uk$ [NC,OR]
RewriteCond %{HTTP_HOST} ^(www.)?DOM-AIN.uk$ [NC,OR]
RewriteCond %{HTTP_HOST} ^(www.)?DOMAIN.uk$ [NC,OR]
RewriteCond %{HTTP_HOST} ^DOMAIN.co.uk$ [NC]
RewriteRule ^(.*)$ https://www.DOMAIN.co.uk/$1 [R=301,L]

RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.DOMAIN.co.uk/$1 [R=301,L]

RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
RewriteRule .* – [F,L]

FileETag none
Options All -Indexes

<IfModule mod_deflate.c>
   <IfModule mod_setenvif.c>
       <IfModule mod_headers.c>
           SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
           RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
       </IfModule>
   </IfModule>
   <IfModule mod_filter.c>
       AddOutputFilterByType DEFLATE "application/atom+xml" \
                                      "application/javascript" \
                                      "application/json" \
                                      "application/ld+json" \
                                      "application/manifest+json" \
                                      "application/rdf+xml" \
                                      "application/rss+xml" \
                                      "application/schema+json" \
                                      "application/vnd.geo+json" \
                                      "application/vnd.ms-fontobject" \
                                      "application/x-font-ttf" \
                                      "application/x-font-opentype" \
                                      "application/x-font-truetype" \
                                      "application/x-javascript" \
                                      "application/x-web-app-manifest+json" \
                                      "application/xhtml+xml" \
                                      "application/xml" \
                                      "font/eot" \
                                      "font/opentype" \
                                      "font/otf" \
                                      "image/bmp" \
                                      "image/svg+xml" \
                                      "image/vnd.microsoft.icon" \
                                      "image/x-icon" \
                                      "text/cache-manifest" \
                                      "text/css" \
                                      "text/html" \
                                      "text/javascript" \
                                      "text/plain" \
                                      "text/vcard" \
                                      "text/vnd.rim.location.xloc" \
                                      "text/vtt" \
                                      "text/x-component" \
                                      "text/x-cross-domain-policy" \
                                      "text/xml"
    </IfModule>
    <IfModule mod_mime.c>
        AddEncoding gzip              svgz
    </IfModule>
</IfModule>

<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault A0
<FilesMatch "\.(txt|xml|js|css|flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|svg|jpg|jpeg|png|gif|swf|webp)$">
ExpiresDefault A691200
</FilesMatch>
</IfModule>

<IfModule mod_headers.c>
<FilesMatch "\.(txt|xml|js|css|flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|svg|jpg|jpeg|png|gif|swf|webp)$">
Header set Cache-Control "max-age=691200"
</FilesMatch>
</IfModule>

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]


# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php70” package as the default “PHP” programming language.
<IfModule mime_module>
  AddType application/x-httpd-ea-php70 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit

# BEGIN cPanel-generated php ini directives, do not edit
# Manual editing of this file may result in unexpected behavior.
# To make changes to this file, use the cPanel MultiPHP INI Editor (Home >> Software >> MultiPHP INI Editor)
# For more information, read our documentation (https://go.cpanel.net/EA4ModifyINI)
<IfModule php7_module>
   php_flag display_errors Off
   php_value max_execution_time 90
   php_value max_input_time 60
   php_value max_input_vars 1000
   php_value memory_limit 256M
   php_value post_max_size 256M
   php_value session.gc_maxlifetime 1440
   php_value session.save_path "/var/cpanel/php/sessions/ea-php70"
   php_value upload_max_filesize 256M
   php_flag zlib.output_compression Off
</IfModule>
# END cPanel-generated php ini directives, do not edit

Then for the sub-domain, the .htaccess in my first post.

 

[cPanelMichael]

Hello,

It looks like those rules are the culprit. It's always a good idea to exclude a specific subdirectory from your Mod_Rewrite rules if you don't want them applied. Here's a StackOverflow URL with an example of how to do this:

How to stop sub directory inheriting parent's htaccess rules

Thank you.