Problems with 2 Wordpress Installs and Htpasswd


Post by tvallier » Wed May 28, 2008 8:21 pm

Hi,

So this one kinda falls both in rewrite and htpasswd - so I've put it here... If it should have been in the security area I'm sorry.

I'm trying to set up two installs of Wordpress in one account, but I'm looking to password protect one using htpasswd (I was using the cPanel built-in "password protect directories" to do this).

Here's the setup:
WordPress Install #1 - this is the all-access install in /public_html/. The .htaccess reads:

Code:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress


And WordPress Install #2 - this is the one I'm trying to password protect. It's installed to /public_html/locked/. Its .htaccess reads:

Code:
AuthName "Locked"
AuthUserFile ".passwd"
AuthType Basic
require valid-user

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /locked/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /locked/index.php [L]
</IfModule>
# END WordPress



So here's what's going on:
> If I don't require login (by removing the AuthType and require lines, or by disabling it via cPanel) everything works perfectly. Each WordPress install handles the re-writes the way I'd expect them to and acts as if the other one doesn't exist (verified by using a different layout on /public_html/locked/).
> If I do require login (Either by re-adding the lines, or enabling via cPanel) everything reverts back to /public_html/. So what was a valid (and working) page at example.com/locked/contact is now accessing data as if it's example.com/contact.

I was under the (Obviously incorrect) impression that the "-f" and "-d" lines were to have Apache ignore the rules when dealing with a valid file or directory - so I'd assumed that the /public_html/ rules would be ignored when browsing a child folder, and Apache would simply use the .htaccess rules from the child instead. I've also tried a RewriteCond %{REQUEST_URI} !/locked/.* line to attempt to ignore the directory to no avail.

The oddest part is that when I remove the "AuthType Basic" and "require valid-user" lines from the .htaccess in the locked directory, everything functions as it should - but then it's not being password protected.

Any idea how I can make this work?
tvallier
 
Joined: Wed May 28, 2008 8:17 pm

Post by richardk » Sun Jun 01, 2008 10:51 am

It's possibly a problem with the ErrorDocument (401) for failed authentication. Try adding
Code:
ErrorDocument 401 /a-file-that-exists


You can probably combine it into one .htaccess file in your document root with
Code:
<IfModule mod_rewrite.c>
  RewriteEngine On

  # BEGIN WordPress
  RewriteCond %{SCRIPT_FILENAME} !-f
  RewriteCond %{SCRIPT_FILENAME} !-d
  RewriteRule ^(locked/)?. /$1index.php [L]
  # END WordPress
</IfModule>
richardk
 
Joined: Wed Dec 21, 2005 7:50 am
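
The ErrorDocument suggestion above, worked into the /public_html/locked/.htaccess from the question, as an added example that is not code from either poster. It assumes richardk's hypothesis is the cause (a configured 401 document that does not exist on disk); the AuthUserFile path is a placeholder, and the inline 401 text is used here in place of the `/a-file-that-exists` path so that no file lookup is involved.

```apache
# /public_html/locked/.htaccess
# Added example; the AuthUserFile path is a PLACEHOLDER, not a value from the thread.

# --- Basic authentication for this directory ---
AuthType Basic
AuthName "Locked"
# Use an absolute path, ideally outside the web root. A relative path is
# resolved against Apache's ServerRoot, not against this directory.
AuthUserFile "/PLACEHOLDER/absolute/path/to/.passwd"
Require valid-user

# --- 401 handling ---
# A request without valid credentials produces a 401. If the 401 error
# document is configured as a local path that does not exist, Apache's
# internal redirect to that path passes the "!-f" / "!-d" conditions in the
# parent /public_html/.htaccess and is rewritten to /index.php, so the
# all-access WordPress install answers instead of the login prompt.
# An inline text message is sent as-is and involves no file lookup or rewrite.
ErrorDocument 401 "Authentication required."

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /locked/
# Only rewrite requests that do not map to a real file or directory.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /locked/index.php [L]
</IfModule>
# END WordPress
```

To check the result, request a URL under /locked/ without credentials and confirm the response status is 401 with a WWW-Authenticate header, rather than a page rendered by the install in /public_html/.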

