Password Protecting Admin CP with ModRewrite?

Jaxel

Well-known member
this is the htaccess ModRewrite that comes with Xenforo:
Code:
<IfModule mod_rewrite.c>
	RewriteEngine On

	RewriteCond %{REQUEST_FILENAME} -f [OR]
	RewriteCond %{REQUEST_FILENAME} -l [OR]
	RewriteCond %{REQUEST_FILENAME} -d
	RewriteRule ^.*$ - [NC,L]
	RewriteRule ^(data|js|styles|install) - [NC,L]
	RewriteRule ^.*$ index.php [NC,L]
</IfModule>

this rewrite code is incompatible with basic http auth methods:
Code:
<Files admin.php>
	AuthUserFile ../.htpasswd
	AuthType Basic
	AuthName "Admin Control Panel"
	Require valid-user
</Files>

instead of passwording the admin cp, it will kill the admincp completely. If you remove the modrewrite section it works fine... but the two dont seem to work together.
 
I have password protection on my admin.php and it works fine

Are you placing it before the rewrite rules?

Code:
<Files admin.php>
AuthType Basic
AuthName "ACP"
AuthUserFile "<path to file>"
Require valid-user
</Files>
 
I've tried it both before and after... this is my htaccess:
Code:
## Expires
<IfModule mod_expires.c>
	ExpiresActive On
	ExpiresDefault "access plus 1 seconds"
	ExpiresByType text/html "access plus 1 seconds"
	ExpiresByType image/gif "access plus 3456000 seconds"
	ExpiresByType image/jpeg "access plus 3456000 seconds"
	ExpiresByType image/png "access plus 3456000 seconds"
	ExpiresByType text/css "access plus 3456000 seconds"
	ExpiresByType text/javascript "access plus 3456000 seconds"
	ExpiresByType application/javascript "access plus 3456000 seconds"
	ExpiresByType application/x-javascript "access plus 3456000 seconds"
</IfModule>

## Compression
<IfModule mod_headers.c>
	<IfModule mod_deflate.c>
		AddOutputFilterByType DEFLATE text/html text/css text/xml application/x-javascript
		BrowserMatch ^Mozilla/4 gzip-only-text/html
		BrowserMatch ^Mozilla/4\.0[678] no-gzip
		BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
	</IfModule>
</IfModule>

## Rewrites
<IfModule mod_rewrite.c>
	RewriteEngine On

	RewriteCond %{REQUEST_FILENAME} -f [OR]
	RewriteCond %{REQUEST_FILENAME} -l [OR]
	RewriteCond %{REQUEST_FILENAME} -d
	RewriteRule ^.*$ - [NC,L]
	RewriteRule ^(data|js|styles|install) - [NC,L]
	RewriteRule ^.*$ index.php [NC,L]
</IfModule>

## Authorization
<Files admin.php>
	AuthUserFile <path>
	AuthType Basic
	AuthName "8WayRun Admin Control Panel"
	Require valid-user
</Files>

The odd part is, if I change it to <Files index.php>, it does properly password the index.php file. It just doesn't password protect the admin file.
 
Still have yet to solve this problem...

It appears to be a login problem with XenForo itself. If I have the htpasswd protection on, I can't access admin.php. But if I disable the password protection, then login to the admin.php, then re-enable the password protection, then it works fine. I just doesnt work if I'm not already logged in.
 
I'm not sure why it isn't working.
I have IP and password protection and it works fine.
This is my .htaccess, with some details changed for privacy reasons:

Code:
Order Deny,Allow
Deny from all
Allow from 75.45.123.45

RewriteEngine on

<Files admin.php>
AuthType Basic
AuthName "ACP"
AuthUserFile "/home/mydomain/passwd"
Require valid-user
</Files>

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^(data|js|styles|install) - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
</IfModule>
 
Top Bottom