Basic authentication failing with mod-proxy-fcgi and php7.0-fpm

amazon-web-services, http-basic-authentication, mod-proxy-fcgi, php-fpm, ubuntu-16.04

Ubuntu 16.04 LTS running on AWS instance.
Apache 2.4.18 / PHP7.0-fpm

Problem is with basic-auth. I'm trying to pw-protect /var/www/html/admin//. I find that all non-php files are protected – but .php files seem to go straight to proxy without applying basic-auth and asking for username/password.

I've tried inserting the auth directives in .conf and .htaccess. I've tried with Directory and Location tags with no luck. I did read that proxy-fcgi didn't pass auth headers and a suggestion to force these with

    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

But that didn't help (and my problem isn't really in passing the creds – it's in getting them asked in the first place).

Here's the proxy directive:

    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://localhost:9000/var/www/html/

I've tried expressing the basic auth in a few ways… but here's one:

    <Directory ~ "/var/www/[^/]+/[^/]+/admin/">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>

Other things I've tried with no luck:

  • rewrite auth header
  • ensure proper permissions on .htpasswds
  • change from auth basic to 'deny from all'. It still allows .php files

Best Answer

I found the solution after searching a little deeper. Thanks to an answer by Yash on this panel. According to him, the problem is that the ProxyPass directive has priority over the auth directive and sends the .php to the proxy before credentials are needed. The fix is to SetHandler in a FilesMatch directive. This worked as expected. (Note: I tweaked the DirectoryMatch directive to - but this is irrelevant to the core question.)

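    # Basic auth on the protected directories
    <DirectoryMatch "/var/www/html/(admin|.+test)">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </DirectoryMatch>

    # Connection settings for the PHP-FPM backend
    <Proxy "fcgi://localhost:9000/" enablereuse=on max=10>
    </Proxy>

    # Send .php files to PHP-FPM through a handler instead of ProxyPassMatch
    <FilesMatch \.php$>
        SetHandler "proxy:fcgi://localhost:9000"
    </FilesMatch>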
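
A small config audit for the misconfiguration described in this answer, as an added example that is not part of the original post: it flags a ProxyPass/ProxyPassMatch rule pointing at fcgi:// when the same config relies on access control inside Directory or Files sections. The function name `audit` and the two sample configs (trimmed from the directives quoted above) are constructed for illustration.

```python
import re

# Constructed sample configs, trimmed from the directives quoted on this page.
BEFORE = r'''
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://localhost:9000/var/www/html/
<Directory ~ "/var/www/[^/]+/[^/]+/admin/">
    AuthType Basic
    Require valid-user
</Directory>
'''
AFTER = r'''
<DirectoryMatch "/var/www/html/(admin|.+test)">
    AuthType Basic
    Require valid-user
</DirectoryMatch>
<FilesMatch \.php$>
    SetHandler "proxy:fcgi://localhost:9000"
</FilesMatch>
'''

SECTION_OPEN = re.compile(r'<\s*(\w+)')
PROXY = re.compile(r'^(ProxyPass|ProxyPassMatch)\s+.*\bfcgi://', re.I)
ACCESS = re.compile(r'^(Require|AuthType|Deny|Allow)\b', re.I)
FS_SECTIONS = {'directory', 'directorymatch', 'files', 'filesmatch'}

def audit(conf):
    """Warn about fcgi ProxyPass rules that coexist with access control
    scoped to filesystem sections (<Directory>, <Files> and variants)."""
    stack, proxies, guarded = [], [], []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('</'):
            if stack:
                stack.pop()              # leaving a section
        elif line.startswith('<'):
            m = SECTION_OPEN.match(line)
            if m:
                stack.append(m.group(1).lower())
        elif PROXY.match(line):
            proxies.append((n, line.split()[0]))
        elif ACCESS.match(line) and any(s in FS_SECTIONS for s in stack):
            guarded.append(n)            # auth tied to a filesystem path
    if not guarded:
        return []
    return [f"line {n}: {name} to fcgi:// takes priority over the access "
            f"control on lines {guarded[0]}-{guarded[-1]}; use SetHandler "
            f"in <FilesMatch> instead" for n, name in proxies]
```
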