Question
I have a site which redirects all requests for files/folders which don't exist to an index file using .htaccess:
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule !admin/* index.php [NC,L]
There is a folder "admin/" which has the following in .htaccess for auth:
AuthType Basic
AuthName "admin"
AuthUserFile "/path/to/passwd"
require valid-user
Adding the auth .htaccess file in "admin/" causes the request to be trapped by mod-rewrite instead of providing the authentication response. I've tried a few different things trying to work around this (including this: htaccess rewrite and auth conflict), but couldn't get any purchase.
Thanks.
EDIT: If I'm already authenticated, the rewrite rule works allowing me to access the "admin/" folder. So it seems that it's the authentication challenge that's doing something wonky.
Answer 1:
I had this same question, and I also found this related question: htaccess rewrite and auth conflict
One of the answers there clued me into my problem. Apache was trying to find a document for the 401 error and failing. I added a document /401.html and added this to the .htaccess file with the Auth statements.
ErrorDocument 401 /401.html
Now, it works for me!
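A way to confirm that the challenge for "admin/" actually reaches the client once the 401 document is in place. This is an added example, not code from the question or the answers: it checks captured raw responses offline. The sample responses are constructed, the function names are hypothetical, and the realm "admin" is taken from the AuthName in the question.

```python
# Added example: offline check that a captured response carries the Basic challenge.
from email.parser import BytesParser

# Constructed sample responses to an unauthenticated request for /admin/.
GOOD = (b'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="admin"\r\n'
        b'Content-Type: text/html\r\n\r\n<html>Authorisation Required</html>')
TRAPPED = (b'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
           b'<html>index.php output</html>')
NO_HEADER = b'HTTP/1.1 401 Unauthorized\r\nContent-Type: text/html\r\n\r\n'


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition(b"\r\n")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)
    return int(parts[1]), headers


def check_challenge(raw: bytes, expected_realm: str) -> str:
    """Return 'ok', or a short reason why the Basic challenge is not reaching the client."""
    status, headers = parse_response(raw)
    if status != 401:
        # Anything but 401 means the request was answered by something other than auth.
        return f"no challenge: status {status}"
    for value in headers.get_all("WWW-Authenticate", []):
        scheme, _, params = value.partition(" ")
        if scheme.lower() == "basic" and f'realm="{expected_realm}"' in params:
            return "ok"
    return "401 without a matching Basic challenge"


if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("trapped", TRAPPED), ("no header", NO_HEADER)):
        print(f"{name}: {check_challenge(raw, 'admin')}")
```
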
Answer 2:
If none of the above works for your scenario, Basic Authentication can also be done using a PHP script:
<?php
session_start();

// A new login attempt clears the logged-out marker left by an earlier logout.
if (isset($_SESSION['newlogin'])) {
    unset($_SESSION['newlogin']);
    unset($_SESSION['loggedout']);
}

// Demo credentials kept in plain text; in real use store password_hash() output
// and check it with password_verify().
$valid_passwords  = array("admin" => "mypass");
$valid_apasswords = array("admin" => "mypass");

// Both keys are absent until the browser sends an Authorization header.
$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

// hash_equals() compares in constant time and avoids the type juggling of ==.
$avalidated = isset($valid_apasswords[$user]) && hash_equals($valid_apasswords[$user], $pass);
$uvalidated = isset($valid_passwords[$user]) && hash_equals($valid_passwords[$user], $pass);
$validated = $uvalidated || $avalidated;

if (!$validated || isset($_SESSION['loggedout'])) {
    // Send the Basic challenge and the page shown when the prompt is cancelled.
    $_SESSION['newlogin'] = true;
    header('WWW-Authenticate: Basic realm="Login Area"');
    header('HTTP/1.0 401 Unauthorized');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
<body>
<div id="messagebox">Authorisation Required.</div>
</body>
</html>
<?php
    exit;
}
?>
Answer 3:
When you say you tried the solution from the other post, what did your code look like?
Something like this:
RewriteCond %{REQUEST_URI} !/admin/
I don't see why that wouldn't work.
Answer 4:
Let me suggest a simplified form for the rewriting rules:
RewriteCond %{REQUEST_FILENAME} !-s
RewriteCond %{REQUEST_FILENAME} !-l
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule !^admin/ index.php [NC,L]
This incorporates Matthew's suggestion of checking the path against /admin/ (in .htaccess files you omit the leading slash).
You might also need to use a RewriteBase / before the first RewriteCond line.
Answer 5:
If you have mod_dir running on the server, which adds prevailing forwardslashes/ when your rewrite rule conflicts with a folder such as mydomain/mypage/foldername, then mod_dir slaps a forwardslash on the end of foldername/ as it is a real dir. If your rules specify in the htaccess to not follow indexes (Options -Indexes) and there is nothing in the folder, then your rules will be ok. If there is something in the folder other than an index, then expect this to happen to your url: mydomain/mypage/foldername/?request=mypage/foldername
As this is the default configuration of cPanel, the issue is not your fault; it is a massive conflict in the configuration that enables hackers to identify script requests and directory structures.
I do not have any solution if you are unable to disable multiviews in the http.conf of the server, as most htaccess solutions result in a redirect loop.
This is an unreported conflict/bug to cPanel, so don't hold your breath for a solution. A workaround could be to nest your entire project in a single folder and call pages internally.
Source: https://stackoverflow.com/questions/3144401/htaccess-mod-rewrite-conflicting-with-subfolder-auth