Apache “filesmatch” directive in htaccess not matching as expected

.htaccess

I have a filesmatch directive in my .htaccess file:

<filesMatch "admin">
    AuthUserFile /var/www/html/.htpasswd
    AuthType Basic
    AuthName "Protected Area"
    require valid-user
</filesMatch>

It matches http://www.website.com/admin (and sub-pages such as /admin/edit_page)

But not http://www.website.com/index.php/admin

(I also have a mod_rewrite rule to hide the index.php from most of the website, don't know if this conflicts).

The mod rewrite rule:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /

 #Removes access to the system folder by users.
 #Additionally this will allow you to create a System.php controller,
 #previously this would not have been possible.
 #'system' can be replaced if you have renamed your system folder.
 RewriteCond %{REQUEST_URI} ^system.*
 RewriteRule ^(.*)$ /index.php?/$1 [L]

 #Checks to see if the user is attempting to access a valid file,
 #such as an image or css document, if this isn't true it sends the
 #request to index.php
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule ^(.*)$ index.php?/$1 [L]
</IfModule>

Best Answer

FilesMatch matches physical filesystem objects. index.php/admin is not one of those.

Related Solutions

Apache Limit directive not working as expected

This is a little tough without seeing more of your config.. Since the Satisfy fixed it, I'm guessing there's a Require applying to this location. The Satisfy any directive makes it so that matching either the Allow (with your source host) or the Require (with your user) will allow access.

Using a hostname with Allow is an initial suspect; it depends on forward and reverse DNS being flawless for the client. I'm a little unclear on what you mean by "from only certain sites"; you need for the Allow directive to be inclusive of all allowed client systems. If all of their forward and reverse DNS doesn't match exactly to what you've specified, then that'd break it.

Also, your use of <Limit> depends on there being a Deny from all outside the block to restrict other methods.. so if the Order is set to Allow,Deny, that'll break it. <LimitExcept> is better when possible, since you can be more explicit about blocking unwanted methods; <Limit> risks unintended access from higher up.

I'm gonna define stuff explicitly that you probably have elsewhere, but I want to make sure that something from elsewhere can't break it (except a Deny; make sure there's no extra of those higher up..):

Order Allow,Deny
# allowed subnet
Allow from 10.5.1.0/24
# allowed host
Allow from 86.12.76.12

AuthType Basic
AuthName "blah"
AuthUserFile /path/to/htpasswd
Require valid-user

Satisfy all

<LimitExcept GET POST>
    Deny from all
</LimitExcept>

Htaccess filesMatch exclusion

You've got a few capitalization errors in your config:

<filesMatch "\.(gif|jpe?g|png|js|css|swf|php|ico|txt|pdf|xml|html?)$">
 ^
 should be <FilesMatch ...

    <ifModule mod_headers.c>
     ^
     should be <IfModule...

    </ifModule>
      ^ 
      should be </IfModule>
</filesMatch>
  ^
  should be </FilesMatch>

Also, if you've got VirtualHosts, you need to make sure that you've got AllowOverride correctly configured

Related Topic