.htaccess with Rewrite AND Limit GET

Can't use rewrite and Limit GET at the same time

         

mattx17

9:56 pm on Dec 29, 2005 (gmt 0)

10+ Year Member



I had a folder within a password protected folder (let's call the first folder 'public', and the other 'protected'). I had to move the 'public' folder out into the root of the web site. Many people have links pointing to the 'public' folder in its old location (the reason we moved it out of /protected was because this folder is supposed to be accessible to the public).

I want to redirect any requests for /protected/public to /public. I put the rewrite rules in the .htaccess file that is located in /protected, above the Limit GET container (.htaccess file contents pasted below). What I expected it to do was to redirect requests for /protected/public if it matched, then if it was any other request, prompt for username/password. Instead it prompts for username and password first.

I tried putting 'satisfy any' in the Limit container, but that made /protected no longer password protected!

Is there a way around this?

.htaccess contents (changed to protect the innocent):


RewriteEngine On
RewriteRule ^public/(.*) /public/$1 [R=301,L]
<Limit GET>
AuthName "Admin"
AuthType basic
AuthUserFile /path/to/.htpasswd
require user admin
satisfy any
</Limit>

jdMorgan

10:10 pm on Dec 29, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Apache modules execute in the reverse order specified by LoadModule under Apache 1.x, or in the order set by Apache 2.x. Each module parses .htaccess in turn, and handles only the directives that it understands.

Therefore, the order of directives for different modules in your .htaccess file makes no difference to processing order. In this case, and in all properly-configured servers, mod_auth will run before anything else that could be used to modify server operation. Otherwise, you'd be hacker-bait.

Also, I hope you're aware that <Limit GET> only applies to GET requests; your directory is completely open to anyone who wants to POST to or DELETE from it...

You can use SetEnvIf to pass info about requested URLs into mod_access to help with this problem. Something like:


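RewriteEngine on
RewriteRule ^public/(.*) /public/$1 [R=301,L]
# Set the allowredir variable for requests to the old /protected/public/ URLs
SetEnvIf Request_URI ^/protected/public/ allowredir
Order Allow,Deny
# GET: allow either the allowredir variable or a valid login
<Limit GET>
AuthName "Admin"
AuthType basic
AuthUserFile /path/to/.htpasswd
Require user admin
Satisfy any
Allow from env=allowredir
</Limit>
# All other methods are refused
<LimitExcept GET>
Deny from all
</LimitExcept>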

Compare this to the Apache documentation of Satisfy -- I just typed this, and it's probably not 100% correct.

Jim

mattx17

10:29 pm on Dec 29, 2005 (gmt 0)

10+ Year Member



Also, I hope you're aware that <Limit GET> only applies to GET requests; your directory is completely open to anyone who wants to POST to or DELETE from it...

Good tip, I'll keep that in mind!

I tried to do what you posted, but I couldn't get it to work. I ended up resorting to doing this in the VirtualHost container for the web site:

Alias /protected/public /path/to/public

And all is good now!

Thanks for your help...
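
The warning in this thread that <Limit GET> leaves other methods unprotected can be checked mechanically. The following Python is an added example, not code from any poster in the thread: it flags Require or "Deny from all" lines that sit inside a <Limit> container with no <LimitExcept> restriction covering the remaining methods. The function name audit_htaccess and both sample files are assumptions constructed from the configuration quoted above.

```python
import re

# Constructed sample: the first .htaccess quoted in the thread.
ORIGINAL = """\
RewriteEngine On
RewriteRule ^public/(.*) /public/$1 [R=301,L]
<Limit GET>
AuthName "Admin"
AuthType basic
AuthUserFile /path/to/.htpasswd
require user admin
satisfy any
</Limit>
"""
# Constructed sample: the same file plus the <LimitExcept> block from the reply.
WITH_EXCEPT = ORIGINAL + """\
<LimitExcept GET>
Deny from all
</LimitExcept>
"""

def audit_htaccess(text):
    """Return (line number, methods) for restrictions that cover only some methods."""
    findings, limited, excepted = [], [], []
    scope = None  # (container name, method set) while inside <Limit>/<LimitExcept>
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<(Limit|LimitExcept)\s+([^>]+)>$", line, re.I)
        if opened:
            scope = (opened.group(1).lower(), frozenset(opened.group(2).upper().split()))
        elif re.match(r"</Limit(Except)?>$", line, re.I):
            scope = None
        elif scope and re.match(r"(Require\s|Deny\s+from\s+all\b)", line, re.I):
            # A restriction that applies only to this container's methods.
            (limited if scope[0] == "limit" else excepted).append((lineno, scope[1]))
    for lineno, methods in limited:
        # <LimitExcept X> covers every method outside X, so the pair is
        # complete only when X is a subset of the <Limit> method list.
        if not any(exc <= methods for _, exc in excepted):
            findings.append((lineno, sorted(methods)))
    return findings

if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL), ("with LimitExcept", WITH_EXCEPT)):
        for lineno, methods in audit_htaccess(sample):
            print(f"{name}: line {lineno} restricts only {' '.join(methods)}")
```

The check reads a single file only, so restrictions inherited from parent directories or the main server configuration are not considered.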