Location Tag not working

[lawyercentral Profile]

Is there a reason that this setup, within the .htaccess file, would be causing the entire website to require authentication?

Code: Select all

<Location /page-url-here>
     AuthType basic
     AuthName "Protected Content"
     AuthBasicProvider file
     AuthUserFile c:\inetpub\users\.htpasswds
     Require valid-user
</Location>

I'm trying to require authentication for a single page (dynamically rewritten URL, not existing file), but nothing I've done has worked.

Thanks.

[lawyercentral Profile]

Similarly, when I try to use the httpd.conf file to secure the page, it does not work. I have tried this setup:

Code: Select all

<VirtualHost websiteurl.com:443 www.websiteurl.com:443 websiteurl.com:80 www.websiteurl.com:80>
   <Location page-url-here>
      AuthType Basic
      AuthName "Protected Content"
      AuthBasicProvider file
      AuthUserFile c:\inetpub\users\.htpasswds
      Require valid-user
   </Location>
</VirtualHost>

When I hit the secure page, it loads. Then I get the login prompt. When I cancel the prompt, I can view the page. There is not 401 header returned. Strangely, while the other pages on the website load properly, the homepage also asks for authentication, but just loads when the login is cancelled.

[lawyercentral Profile]

It looks like we've narrowed it down a little. It appears that once the URL has been rewritten for our CMS, the Location or LocationMatch tag no longer process it.

That is, once the Rewriterule handles the URL, taking it from being "/clean-nice-url" to being "code.php?pageID=clean-nice-url&" it doesn't get processed.

It also seems like we can't put the rewritten version into the location tag. Which is to say, this isn't working:

Code: Select all

<Location /code.php?pageID=clean-nice-url&>
      AuthType Basic
      AuthName "Protected Content"
      AuthBasicProvider file
      AuthUserFile c:\inetpub\users\.htpasswds
      Require valid-user
   </Location>


So... not sure if that sheds any more light on our situation. Any insight would be appreciated.

Thanks!

[Anton]

Hello,

I guess, the reason is that you can only use Location tag in httpd.conf and VirtualHost section but not in .htaccess:
http://www.helicontech.com/ape/doc/mod_core.htm

[lawyercentral Profile]

Thanks for getting back to me. That was the initial error, but as I explained in the second and third post, that's no longer the cause of the problem.

We are now working only in the httpd.conf file, within the VirtualHost section.

As I said in the my last post, the rules are working, but only for URLs that are not being rewritten. Once the rewriterule processes a URL, it is being ignored by the Location tag.

Is there a way that we can either get the Location tag to handle the "pretty" URL (/clean-nice-url) or get it to handle the rewritten version (code.php?pageID=clean-nice-url&), complete with URL params?

Thanks again for your time and help.

[lawyercentral Profile]

Okay, we managed to isolate the password to a single page, using the pretty version of the URL.

However, there is a new issue now. The password protected page is not loading when the correct login information is input.

Predictably, incorrect credentials keep the page locked, but when the actual username and password are entered, a blank white page loads. There are no more credential prompts for the session, but the page itself is just blank.

Here is our current version in the httpd.conf:

Code: Select all

<VirtualHost websiteurl.com www. websiteurl.com>
   <LocationMatch "/page-url-here">
      RewriteEngine on
      AuthType Basic
      AuthName "Protected Content"
      AuthBasicProvider file
      AuthUserFile c:\inetpub\users\.htpasswds
      Require valid-user
   </LocationMatch>
</VirtualHost>

The trick in resolving our first problem, it seems, was adding RewriteEngine on within the LocationMatch tag.

Any idea how we can get the protected page to load?

[Anton]

Hello,

Please specify the following things:
- do you have any other Ape rules? If yes, please show then as well
- do you have any other authentication enabled. It's better not to have anything other that Anonymous.
- also, please enable Failed request tracing tool in IIS and provide the logs (.xml and .xsl files) for the test request.

[lawyercentral Profile]

We have a number of other Ape rules in use:

Code: Select all

RewriteEngine On
RewriteBase

SetEnv siteurl http://www.thewebsiteurl.com

RewriteCond %{REQUEST_URI} [A-Z] [OR]
RewriteCond %{HTTP_HOST} [A-Z] [OR]
RewriteCond %{SERVER_PORT} 443 [OR]
RewriteCond %{HTTP_HOST} !^www\. [OR]
RewriteCond %{REQUEST_URI} /(.*)/$
RewriteRule ^(\/(.[^\/]+)+)|(\/) %{ENV:siteurl}$1 [U,CL,R=301,L,NS]

# Folders to ignore
RewriteRule ^/assets.* - [NC,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^/([^?]*)(.*) /webpage.php?pageidentifier=$1&%{QUERY_STRING} [I,U,NS]

#Block spambots
RewriteCond %{HTTP:User-Agent} (?:Baiduspider|YandexBot) [NC]
RewriteRule .? - [F]

We do not have any other type of authentication enabled.

With regard to the failed request tracing, I don't feel comfortable uploading that information on a publicly facing page. The status codes I am getting are first 401s, and then 404s. Is there any other specific information from it that you would like me to provide?

[Anton]

Hello,

"With regard to the failed request tracing, I don't feel comfortable uploading that information on a publicly facing page. The status codes I am getting are first 401s, and then 404s. Is there any other specific information from it that you would like me to provide?"
- I would like to see the entire Failed request log anyway.
Please send it to [email protected] with reference to this forum thread.