Kirby's .htaccess is messing with my .htpasswd

1n3JgKl9pQ6cUMrW · October 10, 2016, 3:32pm

The rewrite rule in Kirby’s .htaccess is interfering with a .htpasswd file.

Setup;

/my-kirby-site/
/my-kirby-site/piwik/
/my-kirby-site/mibew/

The site is located in the first folder. The other two folders are subfolders of the Kirby site and contain an open source analytics tool and an open source chat tool (customer support).

In the root of the Kirby site, I’ve placed the default .htaccess file, which contains those lines (and more, of course);

# make site links work
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php [L]

In my Piwik and Mibew folders, I’ve placed another .htaccess file which contains those lines - in order to protect the folders from direct access;

<FilesMatch "whatever-login-for-both-mibew-and-piwik">
  AuthType Basic
  AuthName "That you 007? Identify yourself..."
  AuthUserFile "/home/public_html/.htpasswd"
  require valid-user
</FilesMatch>

But when I try to open the login address for Mibew / Piwik, I got a 500 error - file not found.

The file in this case is the .htpasswd which can not be found (but it’s there, 100%).

When I delete this line (temporarily) from Kirby’s .htaccess the .htpasswd is found (and protecting the subfolders);

# make site links work
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# RewriteRule ^(.*) index.php [L]

(of course Kirby is not working any longer).

So it seems the rewrite rule is also rewriting the location of the .htpasswd, resulting in a 500 - not found on this server error.

I tried to disable those particular subfolders from Kirby’s .htaccess, placing a wildcard in the rewriterule, so .htpasswd is not rewritten, turning of the rewrite engine for those folders at all, etc… but nothing worked.

Is it possible to exclude some folders / files from the RewriteRule ^(.*) index.php [L] rule, so I can protect some subfolders with a .htpasswd ?

texnixe · October 10, 2016, 3:42pm

Why did you put the Piwik and Mibew folders inside the Kirby project folder?

1n3JgKl9pQ6cUMrW · October 10, 2016, 5:19pm

I did not place the Piwik / Mibew folders in the project folder.

Kirby is placed in the root of the server, Mibew and Piwik also…

So both Mibew and Piwik are on the same level as the Kirby folders…

The screenshot is not 100% correct, but it’s something like this;

[root]/ (all Kirby files - also .htaccess)
[root]/ Piwik-Files
[root]/ Mibew-Files

So the .htaccess in the root also re-writes all the files in piwik and mibew (and owa - Open Web Analytics for real time tracking of mouse-cursors).

texnixe · October 10, 2016, 5:30pm

I’m not really great with RewriteRules, but two suggestions:

try to put the .htpasswd file one level up
put Kirby into its own subfolder

1n3JgKl9pQ6cUMrW · October 10, 2016, 5:57pm

Me neither

The .htpasswd file is already placed in the absolute root of the server (outside the public_html space - which is saver), so it can not put up any higher.

I tried all the rewrite-rules / tips / tricks I could find at StackOverflow but none of them did work;

Kirby get “rewriting” the path for the .htpasswd file.

Can I put Kirby in a subfolder, while the site itself is in the root of the server?

Like this;

/"root"/
/"root"/kirby-folder
/"root"/kirby-folder/"all-kirby-files-and-subfolders/"

So the URL of the site (and pages) are nót showing kirby-folder in the address-bar?

Kirby has to navigate one level up, if I solve it like this…

texnixe · October 10, 2016, 6:09pm

On shared hosting, I usually put the complete Kirby project into its own subfolder, and then point the domain to that subfolder, so that the subfolder does not show up in the URL.

It just surprises me that the .htpasswd file should be affected by an .htaccess rule one level down … and you look for your .htpasswd file in the public_html folder?

AuthUserFile "/home/public_html/.htpasswd"

So if your file is really one level up, this path is not correct.

1n3JgKl9pQ6cUMrW · October 10, 2016, 7:22pm

Hmmm… may be there is some miscommunication - sorry for that

/root/.htpasswd
/root/public_html/kirby-folder/
/root/public_html/kirby-folder/.htaccess
/root/public_html/kirby-folder/piwik/
/root/public_html/kirby-folder/piwik/.htaccess

As you can see, the .htpasswd is placed outside the public_html folder - which is more safe (making it not accessible from the browser or guest-ftp).

In public_html I have a folder, which contains the default Kirby installation (folders and files).

Kirby places a .htaccess file in the root of it’s own installation folder.

That file contains some rewrite rules, which affects all folders and files lower than Kirby’s root.

So the subfolder piwik it also affected. And piwik contains it’s own .htaccess file, which has a reference to the .htpasswd file outside the public_html folder.

But Kirby is “rewriting” that location, so it’s not working; the server is not pointing to the .htpasswd in /root/ but tries to fetch the “rewritten” location, caused by Kirby’s .htaccess.

Of course I can move all piwik files outside Kirby’s folder - but that messes up the root of my server, which contains more than one website :’(

texnixe · October 10, 2016, 7:34pm

Well, all I can say is that the path to your .htpasswd file in your .htaccess file in the Piwik etc. folders does not seem to be correct if the file is located above the public_html level. Also, Kirby’s .htaccess should not affect a file that is located above its folder level.

But then again, your descriptions of your folder setup are a bit contradictory from one post to the next, aren’t they?

1n3JgKl9pQ6cUMrW · October 10, 2016, 8:21pm

Hmmm… sorry for the miscommunication.

But the path to the .htpasswd file is 100% absolutely correct.

It works great, when I disable Kirbys rewrite rules.

This is what’s happening;

Kirby has a .htaccess file, telling the server to rewrite all files to the one Kirby likes (so the links do work).

In the root of the server, both Kirby and Piwik are installed.

Piwik is located in a folder, called piwik and that folder also contains a .htaccess file.

This particular file, has a symlink to the correct .htpasswd file, located outside the public_html (or elsewhere; that doesn’t matter).

Now Kirby is also affecting the symlink in the .htaccess file, located in the piwik folder.

So once trying to login to piwik, the .htaccess in the piwik folder is triggered and is trying to server the (correct) .htpasswd file it is mentioning.

But because that particular path is affected by Kirbys .htaccess as well, the file is never found.

Once I disable the rewrite rule in Kirbys .htaccess, the .htpasswd file is located at once and showing the right protection.

In effect, you can never .htaccess protect a folder located at the same level as the Kirby installation, or lower - because all references to all .htpasswd files are corrupted by the main .htaccess file of Kirby it self.

I hope someone can understand what I am saying

texnixe · October 11, 2016, 10:44am

I think if you use a structure like this:

- public_html
  -- kirby project folder
  -- piwik folder
  -- mibew
  -- some other project

You should not run into this problem.

1n3JgKl9pQ6cUMrW · October 11, 2016, 1:33pm

I know I should not run into it - but I did.

This is what happened;

http://mysite.com/
http://mysite.com/piwik/

The first is the default address of the Kirby site.

The second one, is the Piwik installation - one folder “deeper” in the servers root.

When I navigate to piwik, Kirby thinks I want to open the “page” piwik (which isn’t there, because it’s a valid DIR - not a Kirby pretty-url).

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php [L]

The code above is causing the error; -f / -d says that files / directory that does not exist, must be parsed by the index.php set by Kirby… resulting in a 404 error when I try to open the Piwik login-form (protected by a .htpasswd).

Searching the web, gives a lot of similar problems - all with other CMS’es, for example this one;

http://serverfault.com/questions/410445/excluding-a-directory-from-a-root-htaccess-rewrite-rule-to-allow-it-to-be-passw

Finally, I was able to solve the issue with this extra line of code;

# Kirby .htaccess

ErrorDocument 401 default

# rewrite rules

<IfModule mod_rewrite.c>
[...]

The 401 is now default, causing Kirby to serve a valid 401, not intercepted by Kirby, and allowing me to protect and enter the Piwik (and OWA / Mibew) folders.

http://stackoverflow.com/a/17406263

In the Piwik root folder, I placed this code - protecting the installation, while giving access to the piwik-tracker and opt-out file (which opens in an iFrame).

AuthUserFile /home/.htpasswd
AuthGroupFile /dev/null
AuthName "Are you there 007?"
AuthType Basic

<Files "*">
    Require valid-user
</Files>

<Files ~ "^piwik\.(js|php)|robots\.txt$">
    Allow from all
    Satisfy any
</Files>

Please notice the .htpasswd is still outside the public domain - which is much safer than placing it in the root of your site.

bnomei · December 19, 2017, 11:49am

you could also configure piwik as a subdomain, right? piwik.mysite.com. that should solve it as well.

Topic		Replies	Views
Kirby .htaccess on VPS Questions v2	13	3108	February 6, 2025
Very important security issue - most kirby website could be vulnerable to this attack Questions v2	14	3356	February 6, 2025
Can not find&open project folder in browser Questions v3	5	671	December 29, 2021
Panel problem because of .htaccess Questions v3	3	291	August 25, 2022
Setting up a staging site: How to include password-protection in Kirby's .htaccess Questions v2	3	1056	February 6, 2025

Kirby's .htaccess is messing with my .htpasswd

Related topics