Ubuntu 16.04 LTS running on AWS instance.
Apache 2.4.18 / PHP7.0-fpm
Problem is with basic-auth. I'm trying to pw-protect /var/www/html/admin//. I find that all non-php files are protected – but .php files seem to go straight to proxy without applying basic-auth and asking for username/password.
I've tried inserting the auth directives in .conf and .htaccess. I've tried with Directory and Location tags with no luck. I did read that proxy-fcgi didn't pass auth headers and a suggestion to force these with:
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
But that didn't help (and my problem isn't really in passing the creds – it's in getting them asked in the first place).
Here's the proxy directive:
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://localhost:9000/var/www/html/
I've tried expressing the basic auth in a few ways… but here's one:
<Directory ~ "/var/www/[^/]+/[^/]+/admin/">
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
Other things I've tried with no luck:
- rewrite auth header
- ensure proper permissions on .htpasswds
- change from auth basic to 'deny from all'. It still allows .php files
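
The following is an added example, not part of the original post. It shows the URL-based proxy rule from the question beside a handler-based setup that keeps .php requests mapped to the filesystem, so the `<Directory>` auth block is evaluated before the request reaches PHP-FPM. It assumes the document root is /var/www/html and the backend is localhost:9000, as in the post.

```apache
# Added example (not from the original post).

# Before: URL-based proxying, as in the post. Matching requests are handed
# to mod_proxy_fcgi by URL and are not mapped to a filesystem path, so
# <Directory> sections and .htaccess files are not applied to them.
#ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://localhost:9000/var/www/html/

# After: leave the request on its filesystem path and select the FastCGI
# backend as a handler instead (SetHandler "proxy:fcgi://..." is available
# from Apache 2.4.10, so it works on 2.4.18).
# Assumption: /var/www/html is the document root.
<Directory "/var/www/html">
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://localhost:9000"
    </FilesMatch>
</Directory>

# Auth block from the post, unchanged. Because .php requests now resolve to
# files under /var/www, this section covers them as well as static files,
# and authorization runs before the handler is invoked.
<Directory ~ "/var/www/[^/]+/[^/]+/admin/">
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
```

After a reload, an unauthenticated request for a .php file under the protected directory should return 401, the same as a request for a static file there.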