Parent of password protected folder requires password too!

httpd.conf password protection

SissyandAda

10:05 pm on Oct 24, 2014 (gmt 0)

Hi, I have just installed OSTicket on a CentOS server. I have done it several times before, and always password protected the /scp folder, using httpd.conf, something like this:

<Directory /var/www/mysite/support/scp>
AuthName "Restricted Area"
Require user johnthomas
AuthUserFile /var/www/.passwd
AuthGroupFile /dev/null
AuthType Basic
</Directory>

but after I restarted Apache, when I try to go to the /support page (which obviously is where my customers will try to go), the password popup appears, asking for the username and password. If I click Cancel once, the popup remains; if I click it again, the popup disappears and I am taken to the /support/index.php page.
If I go to /support/scp, the popup appears, but won't go away until I enter the correct details (which is obviously what I wanted to happen).

Can anybody see what I've done wrong in the httpd.conf file? I've used exactly the same code on two other sites that I've had on the same server for two years (with different directories, username, etc.)

I'm using VirtualHosts, and I have
AllowOverride None
in my httpd.conf file, as I was led to believe that you should set as much as possible within the httpd.conf file, and avoid using .htaccess files. OSTicket has three .htaccess files in its folders, so should I change that to
AllowOverride All
?

Many thanks in advance for any help anyone can give. I can post up my full httpd.conf file, if that will help. (With some folder names changed for privacy.)

lucy24

2:28 am on Oct 25, 2014 (gmt 0)

OSTicket has three .htaccess files in its folders, so should I change that to
AllowOverride All
?

If it's your own server, you can take the content of the htaccess file(s) and shift it to the appropriate directory sections in your config file.

That being said... if this is a brand-new server, or a substantially new setup, you might want to AllowOverrides temporarily so you can experiment with changes without having to restart the server every five minutes. Once everything is running the way you like it, turn off Overrides and shift everything into <Directory> sections. At this point it probably does no harm to leave the .htaccess files in place, since the server will never even look for them. Just make sure you continue to deny access to anything in .ht -- your server's default config file may already include the appropriate <Files> section.

The material has to be accessible in some way, whether by relocating it or by setting AllowOverrides. If you feel up to it, see exactly what's in those htaccess files and set AllowOverrides for only those mods that are actually used. Most likely FileInfo if there's any mod_rewrite activity; also AuthConfig if there are authorizations involved. You probably don't need Limit or Indexes, let alone Options.

phranque

10:11 am on Oct 25, 2014 (gmt 0)

welcome back to WebmasterWorld, SissyandAda!


for which request did the password popup appear?
perhaps you are referring to other resources in the scp subdirectory such as images or css.
try using a tool such as the Live HTTP Headers firefox plugin to see which request gets a 401 status code.

SissyandAda

12:00 pm on Oct 25, 2014 (gmt 0)

Hi Lucy, I took the three .htaccess files from the OSTicket installation, and created the following new entries at the end of my httpd.conf file:

<Directory /var/www/mysite/support/api>
<IfModule mod_rewrite.c>

RewriteEngine On

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.*/api)

RewriteRule ^(.*)$ %1/http.php/$1 [L]

</IfModule>
</Directory>


<Directory /var/www/mysite/support/include>
Deny from all
</Directory>

<Directory /var/www/mysite/support/pages>
<IfModule mod_rewrite.c>

RewriteEngine On

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.*/pages)

RewriteRule ^(.*)$ %1/index.php/$1 [L]

</IfModule>
</Directory>


The website is in /var/www/mysite/
and the OSTicket installation is in
/var/www/mysite/support

SissyandAda

12:21 pm on Oct 25, 2014 (gmt 0)

Hi Phranque, many thanks for your advice, I used Live HTTP Headers, and found what is the cause of the problem, near the end of the list of http requests:

----------------------------------------------------------
http://www.example.com/support/scp/js/bootstrap-typeahead.js?bba9ccc

GET /support/scp/js/bootstrap-typeahead.js?bba9ccc HTTP/1.1
Host: www.Example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://www.example.com/support/
Cookie: OSTSESSID=3083oms3ikt9vcjuhiv5nefd33
Connection: keep-alive
If-Modified-Since: Tue, 21 Oct 2014 19:53:57 GMT
If-None-Match: "305bc5f-1ef4-505f4311ef233"

HTTP/1.1 401 Authorization Required
Date: Sat, 25 Oct 2014 12:27:32 GMT
Server: Apache/2.2.15 (CentOS)
WWW-Authenticate: Basic realm="Restricted Area"
Content-Length: 491
Connection: close
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------

So when I go to www.Example.com/support, OSTicket asks for
http://www.example.com/support/scp/js/bootstrap-typeahead.js?bba9ccc
which is contained in my protected folder. This seems rather strange to me, because surely you're supposed to password protect admin folders, and thus the problem I am having would happen to anybody else who password protects the /support/scp folder.
I've asked about it on the OSTicket forum, hopefully they can tell me how to prevent it from trying to load this file. (I will have a look in the /support/index.php file to see if I can work it out, but I know very little php, so I may not be able to find it.)

[edited by: Ocean10000 at 5:50 pm (utc) on Oct 25, 2014]
[edit reason] Examplified [/edit]

SissyandAda

12:46 pm on Oct 25, 2014 (gmt 0)

Hi phranque, I've fixed it!

In the OSTicket installation, in /include/staff/header.inc.php there is the code:

<script type="text/javascript" src="./js/bootstrap-typeahead.js?bba9ccc"></script>

and in /include/client/header.inc.php there is:
<link rel="stylesheet" href="<?php echo ROOT_PATH; ?>scp/css/typeahead.css">
<script src="<?php echo ROOT_PATH; ?>scp/js/bootstrap-typeahead.js?bba9ccc"></script>

So the client header.inc.php tries to load bootstrap-typeahead.js from the /scp/js folder, and typeahead.css from the /scp/css folder, as shown above.

I've temporarily commented out both of those lines (21 and 32) and now the problem has gone. Presumably I shouldn't have to do that, but I've asked on the OSTicket forum, and maybe they can help. I don't think I need the ability to type ahead, whatever that is, anyway! (It isn't live chat, it's a support ticket system.) It appears to be working fine with those two lines commented out.

Many thanks to both of you for your help!
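The diagnosis in this thread (a public page pulling assets from a Basic-auth protected folder, so every anonymous visitor gets a 401 and a login prompt) can be checked offline from the rendered HTML. The following is an added example, not code from the thread or from osTicket; the HTML, the protected prefix list and the rendering of ROOT_PATH as "/support/" are constructed assumptions.

```python
"""Find page assets that resolve under a password-protected path prefix.
Added example, not code from the thread or from osTicket; the HTML and
prefixes are constructed, and ROOT_PATH is assumed to render as "/support/".
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource.
ASSET_ATTRS = {"script": "src", "link": "href", "img": "src"}


class AssetCollector(HTMLParser):
    """Collect absolute URLs of sub-resources referenced by a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.assets = []

    def handle_starttag(self, tag, attrs):
        attr = ASSET_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # Resolve "./js/x.js" or "/support/scp/x.css" against the page URL.
            self.assets.append(urljoin(self.page_url, value))


def protected_assets(page_url, html, protected_prefixes):
    """Return asset URLs whose path lies under a Basic-auth protected prefix.
    Each one is a request the server answers with 401 for a visitor without
    credentials, which is what produced the login popup on the public page."""
    collector = AssetCollector(page_url)
    collector.feed(html)
    return [u for u in collector.assets
            if any(urlsplit(u).path.startswith(p) for p in protected_prefixes)]


# Constructed client page: the two header.inc.php lines from the thread with
# ROOT_PATH rendered, plus a public stylesheet that must not be flagged.
CLIENT_PAGE_URL = "http://www.example.com/support/"
CLIENT_HTML = """
<link rel="stylesheet" href="/support/css/osticket.css">
<link rel="stylesheet" href="/support/scp/css/typeahead.css">
<script src="/support/scp/js/bootstrap-typeahead.js?bba9ccc"></script>
"""
PROTECTED = ["/support/scp/"]

if __name__ == "__main__":
    for url in protected_assets(CLIENT_PAGE_URL, CLIENT_HTML, PROTECTED):
        print("401 expected for anonymous visitors:", url)
```

Run it against the saved HTML of any public page; an empty result means no asset reference crosses into a protected directory.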

lucy24

6:03 pm on Oct 25, 2014 (gmt 0)

You have to use the exact domain name "example.com" -- or example dot anything if you need more than one -- to prevent auto-linking. Someone will come along and fix it. phranque, probably. He's got the requisite superpowers.

(Edit: Whoops, no, it was Ocean10000. Came along while I was typing ;))

But as long as we're here...

Get rid of the "IfModule" envelopes. Not their content! Just the envelope itself. You either have mod_rewrite or you don't. And if you didn't, you wouldn't be able to run the CMS in the first place. And I don't think you need to repeat "RewriteEngine on", though it will do no harm.

<Directory /var/www/example/support/api>
<Directory /var/www/example/support/pages>

Does this mean that there are other directories in
/var/www/example/support
that are not password-protected? Otherwise you'd just make the rule once for the whole directory.

<Directory /var/www/example/support/include>
Deny from all
</Directory>
What's the directory for, if nobody is allowed to go there? "Deny from all" includes subrequests (normally what you'd expect in a directory called "include"). Is there only non-HTTP material here? For consistency's sake, any allow/deny directives should begin with an "Order" line just so you know where you are. Then it won't matter if you later decide to change the ordering for the parent directory.

SissyandAda

9:55 pm on Oct 25, 2014 (gmt 0)

Hi lucy24, I didn't quite understand your first sentence above. Where do I need to have the exact domain name?

I followed your instructions, so now I have:

<Directory /var/www/example/support/api>

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.*/api)

RewriteRule ^(.*)$ %1/http.php/$1 [L]

</Directory>


<Directory /var/www/example/support/include>
Deny from all
</Directory>

<Directory /var/www/example/support/pages>

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.*/pages)

RewriteRule ^(.*)$ %1/index.php/$1 [L]

</Directory>

I already have "RewriteEngine on" in the <Directory> declaration for this website, so presumably I don't need it in any of the ones above?
There are about eight or nine other directories within /var/www/example/support that are not password protected; it's only the /scp one (the admin one) that I password protected.

The /include directory contains the following folders and files:

client
fpdf
i18n
mpdf
pear
plugins
staff
upgrader
.htaccess
ajax.config.php
ajax.content.php
ajax.draft.php
ajax.forms.php
ajax.kbase.php
ajax.note.php
ajax.orgs.php
ajax.reports.php
ajax.tickets.php
ajax.tips.php
ajax.upgrader.php
ajax.users.php
api.cron.php
api.tickets.php
class.ajax.php
class.api.php
class.app.php
class.attachment.php
class.auth.php
class.banlist.php
class.base32.php
class.canned.php
class.captcha.php
class.category.php
class.client.php
class.collaborator.php
class.company.php
class.config.php
class.cron.php
class.crypto.php
class.csrf.php
class.dept.php
class.dispatcher.php
class.draft.php
class.dynamic_forms.php
class.email.php
class.error.php
class.export.php
class.faq.php
class.file.php
class.filter.php
class.format.php
class.forms.php
class.group.php
class.http.php
class.i18n.php
class.json.php
class.lock.php
class.log.php
class.mailer.php
class.mailfetch.php
class.mailparse.php
class.migrater.php
class.misc.php
class.nav.php
class.note.php
class.organization.php
class.orm.php
class.osticket.php
class.ostsession.php
class.page.php
class.pagenate.php
class.passwd.php
class.pdf.php
class.plugin.php
class.pop3.php
class.priority.php
class.setup.php
class.signal.php
class.sla.php
class.staff.php
class.team.php
class.template.php
class.thread.php
class.ticket.php
class.timezone.php
class.topic.php
class.upgrader.php
class.user.php
class.usersession.php
class.validator.php
class.variable.php
class.xml.php
class.yaml.php
html2text.php
htmLawed.php
index.php
JSON.php
mysqli.php
ost-sampleconfig.php
PasswordHash.php
Spyc.php
tnef_decoder.php
UniversalClassLoader.php

It all seems to be working fine, so presumably whatever I've done is okay. (I restarted apache).

Thank you all so much for taking the time to help me, it is much appreciated.

lucy24

3:35 am on Oct 26, 2014 (gmt 0)

Where do I need to have the exact domain name?

Just in your posts :) Generic terms like "mysite.com" or "domain.com" won't work; it has to be "example.com".

The /include directory contains the following folders and files:

Oh, maybe they're php includes used by files elsewhere on the site. Those wouldn't show up as server requests, not even internal ones. All is clear now. You certainly don't want anyone poking about in your php files -- especially if they've all got standard names that every passing Ukrainian would know to ask for.