Htpasswd protection blocks panel login

During development, I would like to protect my site with htacces / htpasswd. Helpers should be able to look at it and give feedback, but not be found by Google or someone else. So I thought of providing the page with the usual HTACCESS / HTPASSWD protection. When I do this and want to open the panel, I immediately get the message: The user “preview” cannot be found.
I don’t get a login window or anything like that.

In order to help I fear you have to provide more details, at least the .htaccess you are using now and - even better - your server/virtual host configuration.

Which webserver and version are you using?
Kirby and PHP version?

It is a web hosting package at Hetzner. It should be Apache2.4.X, unfortunately I cannot see the configuration. PHP is the current 7.4. As .htaccess I have taken the standard variant, extended by the Auth. it’s also the latest Kirby version


AuthType Basic
AuthName "Authentication required
AuthUserFile "/usr/www/users/abcdefg/shared/.htpasswd"
Require valid-user


# Kirby .htaccess
# revision 2020-06-15

# rewrite rules
<IfModule mod_rewrite.c>

# enable awesome urls. i.e.:
# http://yourdomain.com/about-us/team
RewriteEngine on

# make sure to set the RewriteBase correctly
# if you are running the site in a subfolder;
# otherwise links or the entire site will break.
#
# If your homepage is http://yourdomain.com/mysite,
# set the RewriteBase to:
#
# RewriteBase /mysite

# In some environments it's necessary to
# set the RewriteBase to:
#
# RewriteBase /

# block files and folders beginning with a dot, such as .git
# except for the .well-known folder, which is used for Let's Encrypt and security.txt
RewriteRule (^|/)\.(?!well-known\/) index.php [L]

# block all files in the content folder from being accessed directly
RewriteRule ^content/(.*) index.php [L]

# block all files in the site folder from being accessed directly
RewriteRule ^site/(.*) index.php [L]

# block direct access to Kirby and the Panel sources
RewriteRule ^kirby/(.*) index.php [L]

# make site links work
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php [L]

</IfModule>

# pass the Authorization header to PHP
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

# compress text file responses
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>

I assume the missing " is only copy & paste error. Nevertheless you should see the basic auth popup. If the placement of your .htaccess is correct and is read at all, the most plausible explanation is that your provider does not allow setting authentication directives here.

I have expressed myself wrongly. The basic auth popup also appears, but when I then want to log into the panel, I get the message:
The user “preview” cannot be found.

If I create the user “test” in the htaccess and “log in” with it via httacces, the following message appears

The user “test” cannot be found.

And again I can’t log into the panel.

To get this right:

  1. You can successfully log in with basic auth. So that part works as expected.
  2. You then navigate to the Panel login screen, enter your Kirby credentials in the dialog but login fails with the error message "The user “preview” cannot be found.

Did you perhaps set 'api' => ['basicAuth' => true] in the config.php? Then the panel tries to log you in with the basic auth credentials - which won’t work if the credentials does not match.

thanks. this was my problem!