Apache ignores my .htaccess file. I've read more or less every thread about this issue I could find and tried all the solutions and nothing works. I've tried them more than once.

The setup

• Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-57-generic x86_64) on VPS
• Apache/2.4.18 (Ubuntu)
• Django 1.10 via WSGI
• Python 3.5 in virtualenv

I want to serve some files that should only be available via approved IP ranges or user login. I have a .htaccess file that I've previously used on a webhost with a php-based website, and now I want it to work on a VPS with a Django-based website.

The names of the directories below have been changed, but they should be faithful to the setup.

Location of files

.htaccess file inside /dir in a subdir, /dir/1/2/3.

I want it to apply settings to every subdir in that subdir, e.g. /dir/1/2/3/a, /dir/1/2/3/b, /dir/1/2/3/c. These dirs have files that should be protected access (e.g. /dir/1/2/3/a/file.pdf).This should be done via .htaccess, not server-wide settings because the list of acceptable IPs is very long and I rather not have it bloat my apache config files.

.htaccess file

Most of the content is redacted for privacy reasons, but it follows this template.

# initial deny
<Limit GET POST>
order deny,allow
deny from all

# SUBSCRIBER LIST
#a very long list that follows this pattern or with CIDR ranges
allow from 1.2.3.4

# other settings
# users
require user someuser

satisfy any
</Limit>

# authtype
AuthType Basic
AuthName "Available only for subscribers."
require valid-user
AuthUserFile "/dir/passwd"

The passwd file has the necessary permissions as well.

Apache config

Default config file: /etc/apache2/sites-available/000-default.conf
Has a number of other settings that work fine e.g. related to WSGI. Adding nonsense to test this results in apache error as expected.

Directive to enable .htaccess:

<Directory /dir>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
</Directory>

Also tried:

<Directory /dir>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

Tried a number of other variations. None of them make any difference. I restart between any changes.

I've verified that this directory is spelled correctly.

sites-enabled vs. sites-available

Someplace I read that one must edit the sites-enabled config file, not the sites-available one. These are the same files, the enabled one just links to the sites-available one.

a2enmod

Is enabled:

user@server:dir$ sudo a2enmod rewrite
Module rewrite already enabled

Permissions

chown is server's user: www-data.

chmod. I tried a number of settings: a+x, u+x, 777, many others, more than once.

Permissions are as of writing:

-rwxrwxrwx  1 www-data www-data 11135 Apr  5 14:47 .htaccess

DocumentRoot

According to this accepted answer, the .htaccess file must be in the DocumentRoot or a subdir of that. I changed the DocumentRoot to point to /dir. No effect.

Main apache settings: /etc/apache2/apache2.conf

Instead of editing the virtualhosts config, one can edit the main apache settings file.

This file has some more Directory directives. One of these is:

<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>

I assume that any deeper directive will overwrite a higher one, but I saw some people say this isn't so. I tried setting this one to AllowOverride All as well. No effect. In fact I tried setting all the Directory directives to that, including the irrelevant ones (relating to other directories e.g. /var/www which is not used).

AccessFileName .htaccess

This setting is unchanged from default and is as it should.

Logs

There are no errors or anything of relevance in either the error log or the access log.

Nonsense test

To determine whether apache is even reading the file, I tried adding deliberate syntax error into .htaccess. No server error, so server must be ignoring the file completely.

—

I cannot find anything more to try.