.htaccess, mod_rewrite, and basic authentication
S

3

6

I am working on a WordPress site, and my pages are using a permalink structure that mod_rewrites them to look like directories. For a few pages I want to use Basic Authentication to password protect a few of the pages. How would I write this in my .htaccess file? Am I protecting the file, or the rewritten address?

Staphylorrhaphy answered 30/8, 2012 at 19:21 Comment(1)
The only thing that came close to being successful is, I made a directory named the same as the friendly URL (i.e. /friendlyurl/) and put an .htaccess file in there requesting authentication. Going to the page, I was asked for credentials and then sent to a 403 Forbidden error. - Staphylorrhaphy
F
8

You won't need mod_rewrite for this, hopefully, this should do the trick:

SetEnvIfNoCase Request_URI ^/some/path/to/protect require_auth=true
SetEnvIfNoCase Request_URI ^/another/protected/path require_auth=true

# Auth stuff
AuthUserFile /var/www/htpasswd
AuthName "Password Protected"
AuthType Basic

# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth

The mod_auth and mod_env modules should have precedence over mod_rewrite, so your fake directory structure should stay the same. You'd just need to fill out a SetEnvIfNoCase Request_URI ^/some/path/to/protect require_auth=true for each one, then fill out the rest of the auth stuff to suit your needs.

Freezedry answered 30/8, 2012 at 21:15 Comment(2)
Well, I don't completely understand why that did it, but… that did it! Thank you so much! I was sweating this for half of the day! - Staphylorrhaphy
@Staphylorrhaphy Essentially, if the require_auth environment variable is not set, there is no need for authentication. The SetEnvIfNoCase directives at the top set that variable if the request is for certain directories (whether they exist or not). - Freezedry
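
The same decision written in Apache 2.4 authorization syntax, as an added example that is not part of the original answer. It assumes Apache 2.4 with mod_authz_core, where Order/Deny/Allow/Satisfy are legacy directives served by mod_access_compat; the paths and the htpasswd location are the answer's own placeholders.

```apache
# Mark requests for the protected "friendly" URLs (same as the answer above)
SetEnvIfNoCase Request_URI ^/some/path/to/protect require_auth=true
SetEnvIfNoCase Request_URI ^/another/protected/path require_auth=true

# Basic authentication settings
AuthType Basic
AuthName "Password Protected"
AuthUserFile /var/www/htpasswd

# Equivalent of "Satisfy any": access is granted when either branch succeeds
<RequireAny>
    # 1. a valid authenticated user
    Require valid-user

    # 2. or the request did not match a protected path.
    #    A negated Require cannot stand alone inside <RequireAny>,
    #    so it is paired with "Require all granted" in a <RequireAll>.
    <RequireAll>
        Require all granted
        Require not env require_auth
    </RequireAll>
</RequireAny>
```

The patterns are unanchored at the end, so `^/some/path/to/protect` also matches any longer URI that starts with that prefix; add a trailing `(/|$)` to the pattern if only that exact page and its children should prompt for credentials.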
V
1

The only problem I have with this solution is that clicking the cancel button will show the protected page. I tried to solve this by using:

RewriteCond %{REMOTE_USER} !user
RewriteRule ^/protected-page /unauthenticated-page [R=401]

But that didn't work. I'm not sure why.

To solve the problem quick and dirty I added

ErrorDocument 401 "You don't have access."

To create a redirect I used this

ErrorDocument 401 '<html><head><meta http-equiv="refresh" content="0; url=/unauthenticated-page" /></head><body></body></html>'
Violaviolable answered 31/3, 2015 at 8:46 Comment(1)
The dirty trick works, Cpanel was giving me headaches for the last week... - Monadelphous
K
1

For those who came here with the same problem as me, with an .htaccess like this:

AuthType Basic
AuthName "some_name"
AuthUserFile "/path/to/password/passwd"
require valid-user
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>

The rules above are not working as I expected (authorize, then rewrite) because of directive merging order ("If" is merged last).

Thanks to the comment from Alek for pointing that out.

So when I removed the IfModule brackets, the rules began to work for me.

Konikow answered 3/2, 2016 at 17:39 Comment(0)
