.htaccess mod-rewrite conflicting with auth subfolder

I have a website that redirects all requests for files/folders that do not exist to the index file using .htaccess:

    RewriteCond %{REQUEST_FILENAME} -s [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^.*$ - [NC,L]
    RewriteRule !admin/* index.php [NC,L]

There is an admin/ folder that has the following .htaccess for auth:

    AuthType Basic
    AuthName "admin"
    AuthUserFile "/path/to/passwd"
    require valid-user

Adding the auth .htaccess file to "admin/" causes the request to be captured by mod-rewrite instead of providing an authentication response. I tried several different things to get around this (including the following: rewrite htaccess and conflict with authorization), but could not get any purchase.

Thanks.

EDIT: If I have already authenticated, the rewrite rule allows me to access the "admin/" folder. So it seems like it's an authentication challenge that does something inarticulate.

+4
source share
5 answers

I had the same question, and I also found this related question: htaccess rewrite and create conflict

One of the answers led me to my problem. Apache tried to find the document for error 401 and error. I added the /401.html document and added it to the .htaccess file with Auth instructions.

    ErrorDocument 401 /401.html

Now it works for me!

+5
source

If none of the above actions work for your script, basic authentication can also be performed using a PHP script:

    <?php
    session_start();

    // After a re-prompt, clear the "newlogin" and "loggedout" session flags.
    if (isset($_SESSION['newlogin'])) {
        unset($_SESSION['newlogin']);
        unset($_SESSION['loggedout']);
    }

    // Example credentials, kept in plaintext as posted.
    $valid_passwords  = array("admin" => "mypass");
    $valid_apasswords = array("admin" => "mypass");

    // These keys are absent until the browser sends an Authorization header.
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

    // hash_equals() compares in constant time and avoids the type juggling of ==.
    $avalidated = isset($valid_apasswords[$user]) && hash_equals($valid_apasswords[$user], $pass);
    $uvalidated = isset($valid_passwords[$user]) && hash_equals($valid_passwords[$user], $pass);
    $validated  = $uvalidated || $avalidated;

    if (!$validated || isset($_SESSION['loggedout'])) {
        $_SESSION['newlogin'] = true;
        header('WWW-Authenticate: Basic realm="Login Area"');
        header('HTTP/1.0 401 Unauthorized');
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Untitled Document</title>
    </head>
    <body>
    <div id="messagebox">Authorisation Required.</div>
    </body>
    </html>
    <?php
        exit;
    }
    ?>

+1
source

When you say you tried the solution from another post, what did your code look like?

Something like this:

 RewriteCond %{REQUEST_URI} !/admin/ 

I do not understand why this will not work.

0
source

Let me suggest a simplified form of rewriting rules:

    RewriteCond %{REQUEST_FILENAME} !-s
    RewriteCond %{REQUEST_FILENAME} !-l
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule !^admin/ index.php [NC,L]

This includes Matthew’s suggestion of checking the path against /admin/ (in .htaccess files you omit the leading slash).

You may also need to use

 RewriteBase / 

before the first RewriteCond line.

0
source
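
Putting the first answer's ErrorDocument fix together with the simplified rules above, as an added example that is not part of any of the posted answers. The two-file layout, the `RewriteEngine On` line and the pass-through rule for 401.html are assumptions; the paths are the placeholders used in the question.

```apache
# ---- /.htaccess (site root) ----
RewriteEngine On
RewriteBase /

# Assumption: pass the 401 page through untouched. Redundant while
# 401.html exists, but it keeps the error-document lookup from being
# sent to index.php if the file is ever removed.
RewriteRule ^401\.html$ - [L]

# Anything that is not an existing file, symlink or directory, and is
# not under admin/, goes to the front controller.
RewriteCond %{REQUEST_FILENAME} !-s
RewriteCond %{REQUEST_FILENAME} !-l
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule !^admin/ index.php [NC,L]

# ---- /admin/.htaccess ----
AuthType Basic
AuthName "admin"
# Keep the password file outside the document root.
AuthUserFile "/path/to/passwd"
Require valid-user

# Must name a document that exists; otherwise the lookup for the 401
# page is itself a request for a missing file and matches the rewrite.
ErrorDocument 401 /401.html
```

With this in place, an unauthenticated request to /admin/ should return status 401 with a `WWW-Authenticate: Basic` header rather than the output of index.php.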

If mod_dir is running on the server, which adds trailing forward slashes (/), then when your rewrite rule conflicts with a folder such as mydomain/mypage/folder_name, mod_dir removes the forward slash at the end of the folder name, since this is a real directory. If your rules in htaccess specify not to follow indexes (Options -Indexes) and there is nothing in the folder, then your rules will be fine; if there is anything other than the index in the folder, then expect this to happen with your URL: mydomain/MyPage/folder_name/?=request MyPage/folder_name

Since this is the standard cPanel configuration, the problem is not your mistake; this is a serious configuration conflict that allows hackers to identify script requests and directory structures.

I have no solution if you cannot disable MultiViews in the server's http.conf, since most htaccess solutions lead to a redirect loop.

This is an unconfirmed conflict/error for cPanel, so do not hold your breath for a solution; the workaround may consist of putting your entire project in one folder and calling the internal pages.

0
source

Source: https://habr.com/ru/post/1314256/

