• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Password Protecting Admin CP with ModRewrite?

Jaxel

Well-known member
#1
this is the htaccess ModRewrite that comes with Xenforo:
Code:
<IfModule mod_rewrite.c>
	RewriteEngine On

	RewriteCond %{REQUEST_FILENAME} -f [OR]
	RewriteCond %{REQUEST_FILENAME} -l [OR]
	RewriteCond %{REQUEST_FILENAME} -d
	RewriteRule ^.*$ - [NC,L]
	RewriteRule ^(data|js|styles|install) - [NC,L]
	RewriteRule ^.*$ index.php [NC,L]
</IfModule>
this rewrite code is incompatible with basic http auth methods:
Code:
<Files admin.php>
	AuthUserFile ../.htpasswd
	AuthType Basic
	AuthName "Admin Control Panel"
	Require valid-user
</Files>
instead of passwording the admin cp, it will kill the admincp completely. If you remove the modrewrite section it works fine... but the two dont seem to work together.
 

Brogan

XenForo moderator
Staff member
#2
I have password protection on my admin.php and it works fine

Are you placing it before the rewrite rules?

Code:
<Files admin.php>
AuthType Basic
AuthName "ACP"
AuthUserFile "<path to file>"
Require valid-user
</Files>
 

Jaxel

Well-known member
#3
I've tried it both before and after... this is my htaccess:
Code:
## Expires
<IfModule mod_expires.c>
	ExpiresActive On
	ExpiresDefault "access plus 1 seconds"
	ExpiresByType text/html "access plus 1 seconds"
	ExpiresByType image/gif "access plus 3456000 seconds"
	ExpiresByType image/jpeg "access plus 3456000 seconds"
	ExpiresByType image/png "access plus 3456000 seconds"
	ExpiresByType text/css "access plus 3456000 seconds"
	ExpiresByType text/javascript "access plus 3456000 seconds"
	ExpiresByType application/javascript "access plus 3456000 seconds"
	ExpiresByType application/x-javascript "access plus 3456000 seconds"
</IfModule>

## Compression
<IfModule mod_headers.c>
	<IfModule mod_deflate.c>
		AddOutputFilterByType DEFLATE text/html text/css text/xml application/x-javascript
		BrowserMatch ^Mozilla/4 gzip-only-text/html
		BrowserMatch ^Mozilla/4\.0[678] no-gzip
		BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
	</IfModule>
</IfModule>

## Rewrites
<IfModule mod_rewrite.c>
	RewriteEngine On

	RewriteCond %{REQUEST_FILENAME} -f [OR]
	RewriteCond %{REQUEST_FILENAME} -l [OR]
	RewriteCond %{REQUEST_FILENAME} -d
	RewriteRule ^.*$ - [NC,L]
	RewriteRule ^(data|js|styles|install) - [NC,L]
	RewriteRule ^.*$ index.php [NC,L]
</IfModule>

## Authorization
<Files admin.php>
	AuthUserFile <path>
	AuthType Basic
	AuthName "8WayRun Admin Control Panel"
	Require valid-user
</Files>
The odd part is, if I change it to <Files index.php>, it does properly password the index.php file. It just doesn't password protect the admin file.
 

Jaxel

Well-known member
#5
Still have yet to solve this problem...

It appears to be a login problem with XenForo itself. If I have the htpasswd protection on, I can't access admin.php. But if I disable the password protection, then login to the admin.php, then re-enable the password protection, then it works fine. I just doesnt work if I'm not already logged in.
 

Brogan

XenForo moderator
Staff member
#7
I'm not sure why it isn't working.
I have IP and password protection and it works fine.
This is my .htaccess, with some details changed for privacy reasons:

Code:
Order Deny,Allow
Deny from all
Allow from 75.45.123.45

RewriteEngine on

<Files admin.php>
AuthType Basic
AuthName "ACP"
AuthUserFile "/home/mydomain/passwd"
Require valid-user
</Files>

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^(data|js|styles|install) - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
</IfModule>