
I have a problem where a RewriteRule in an .htaccess is bypassing authorisation. The same RewriteRule in the server config works, with authorisation, but the one in the .htaccess unfortunately takes precedence. However, this is a bit of an XY problem, so some background first.

Apache has to serve a number of apps (one of which is WordPress), and these apps generally require authorisation. This means that there's a <location /> section with a Require valid-user, which may be modified at lower levels. WordPress is installed in sub-directory dir under DocumentRoot, and generally doesn't require authorisation (this is what the PUBLIC define is for). The WordPress site appears at the site root, and this is handled by a rewrite. The toy config below handles this general case, and is complete, and works for serving one file (index.html in subdirectory dir). The file is served directly if Define PUBLIC is commented out, but authorisation is required otherwise:

Define PUBLIC

<VirtualHost *:80>
  DocumentRoot /var/www4
  <Location />
    AuthType Basic
    AuthName Test
    AuthBasicProvider file
    AuthUserFile "/var/www4/passwords"
    Require  valid-user
  </Location>

  <Directory /var/www4/dir>
    <IfDefine PUBLIC>
      <If true>
        Require all granted
      </If>
    </IfDefine>
  </Directory>

  RewriteEngine On
  RewriteRule ^(/)?$ /dir/index.html [L]
</VirtualHost>

So far, so good. The problem is that WordPress insists on occasionally writing its own .htaccess in DocumentRoot (and not in its installation directory, for some reason). The important part of this WP .htaccess is exactly the RewriteRule above. However, when I load http://localhost/, Apache processes the .htaccess rewrite in some phase where both the Require all granted and the configuration file rewrite are skipped or ignored, and the end result is that the user must log in to get to index.html, so it's no longer public.

I can stop WordPress doing this (by making the .htaccess unwriteable, for example, but that may just confuse the actual WordPress user). However, if possible, I'd prefer some way to modify the config so that it takes precedence over the .htaccess, without modifying the .htaccess. Is this possible?

The rewrite phases are documented here, but there doesn't seem to be enough detail to answer this. Note that using <Location /dir> instead of <Directory /var/www4/dir> makes no difference here, and the <If true> is a hack to modify the section merge order.

  • So if you are using http://localhost/ to access this WordPress instance, then how are you accessing these other apps, that the system also has to serve? Commented Jul 16 at 12:30
  • "The problem is that WordPress insists on occasionally writing its own .htaccess in DocumentRoot (and not in its installation directory, for some reason)" - you accessed the WP site via http://localhost/, so it needs to put its .htaccess in there - otherwise, how would the routing work, when you request http://localhost/some-wp-page? If the .htaccess was located in /dir/, then the requested URL http://localhost/some-wp-page would not even trigger that .htaccess to get evaluated in the first place. Commented Jul 16 at 12:34
  • @C3roe: the other apps are all explicitly named, and are on reverse proxies, aliases, and in named directories; none of them appear at the top level. On the location of the .htaccess - all WP accesses will get routed to/through the installation dir (dir here), so surely a single .htaccess there is sufficient? Commented Jul 16 at 13:18
  • "so surely a single .htaccess there is sufficient?" - sufficient to achieve what you want - yes. But WordPress probably doesn't "know" about the fact that you already took care of this "routing into /dir/" on the server level, and therefore still assumes it would have to take care of that itself - hence it writes the .htaccess in the doc root. Commented Jul 16 at 13:42

1 Answer


I've done some more testing, and confirmed that:

  1. If the rewrite rule is only in the .htaccess, then it bypasses authorisation. This is true even if the rule does an authorisation look-ahead (see, for example, this SO question)

  2. If the rewrite rule is only in the Apache conf, then authorisation is carried out as expected, and a login is or is not requested depending on the state of PUBLIC

  3. If the rewrite rule is in both the .htaccess and the Apache conf, in a VirtualHost context, then authorisation is carried out as expected.

So, I think the basic premise of the question was wrong. From the point of view of rewrite rules, the config file takes precedence over the .htaccess, and can potentially fix issues in it.
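The practical consequence of the three findings above is that any RewriteRule which exists only in the DocumentRoot .htaccess runs without the server-level Require, while a rule mirrored in the VirtualHost is covered by it. The script below is an added example (not part of the question, the answer, or WordPress) that audits for exactly that condition: it extracts the RewriteRule directives from a vhost config and from a .htaccess and reports the rules present only in the .htaccess. The sample vhost and the WordPress-style .htaccess are constructed inline for the example; rules are compared on (pattern, substitution) only, with flags and RewriteCond lines ignored, and a relative substitution in the .htaccess is resolved against its RewriteBase. A server-side rule is counted as a mirror wherever it appears in the config, so a rule the author has placed inside a <Directory> rather than at VirtualHost level is not distinguished here.

```python
"""Audit an Apache vhost config and a DocumentRoot .htaccess for RewriteRules
that exist only in the .htaccess (and would therefore run without the
server-level Require). Added example; sample inputs are constructed."""
import re
from typing import List, Tuple

Rule = Tuple[str, str]  # (pattern, substitution); flags are dropped

# Matches an already-stripped "RewriteRule <pattern> <substitution> [flags]" line.
RULE_RE = re.compile(r'^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[[^\]]*\])?$', re.IGNORECASE)
BASE_RE = re.compile(r'^RewriteBase\s+(\S+)$', re.IGNORECASE)

# Constructed sample: a vhost modelled on the toy config in the question.
SERVER_CONF = r"""
<VirtualHost *:80>
  DocumentRoot /var/www4
  <Location />
    AuthType Basic
    AuthName Test
    AuthBasicProvider file
    AuthUserFile "/var/www4/passwords"
    Require valid-user
  </Location>
  RewriteEngine On
  RewriteRule ^(/)?$ /dir/index.html [L]
</VirtualHost>
"""

# Constructed sample: a WordPress-style .htaccess dropped into DocumentRoot.
HTACCESS = r"""
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^(/)?$ /dir/index.html [L]
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
# END WordPress
"""


def extract_rules(text: str) -> List[Rule]:
    """Return the RewriteRule (pattern, substitution) pairs in order of appearance.
    Comment lines are skipped; a relative substitution is prefixed with the
    current RewriteBase, as mod_rewrite does in per-directory context."""
    base = '/'
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        b = BASE_RE.match(line)
        if b:
            base = b.group(1).rstrip('/') + '/'
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        pattern, target = m.group(1), m.group(2)
        if target != '-' and not target.startswith('/') and '://' not in target:
            target = base + target  # resolve relative target via RewriteBase
        rules.append((pattern, target))
    return rules


def htaccess_only_rules(server_conf: str, htaccess: str) -> List[Rule]:
    """Rules in the .htaccess with no identical (pattern, substitution) in the
    server config: these run without the server-level Require."""
    mirrored = set(extract_rules(server_conf))
    return [r for r in extract_rules(htaccess) if r not in mirrored]


def audit(server_conf: str, htaccess: str) -> List[str]:
    """One human-readable finding per unmirrored rule."""
    return [
        f"RewriteRule {pattern} {target}: present only in .htaccess; "
        f"mirror it in the VirtualHost so the server-level Require applies"
        for pattern, target in htaccess_only_rules(server_conf, htaccess)
    ]


if __name__ == '__main__':
    for finding in audit(SERVER_CONF, HTACCESS):
        print(finding)
```

Run against real files by reading the vhost config and the DocumentRoot .htaccess into `SERVER_CONF` and `HTACCESS`; with the constructed samples, the root rewrite is reported as mirrored and the two WordPress-specific rules are flagged.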
