Hi, When protecting files (in a <files> or <filesmatch> block), the file which will be requested via the DirectoryIndex Directive will trigger a 401 response, but without WWW-Authenticate header. eg : DirectoryIndex index.php <files index.php> [Authtype basic stuff] require valid-user </files> When requesting http://server/index.php, the response is 401 and WWW-Authenticate header is sent. When requesting http://server/, the response is 401 but no WWW-Authenticate header is sent, so no way to access the file. One can work around this with a rewrite rule or a redirectmatch. Regards, Clément Hermann (nodens)
I can't reproduce this alleged bug (it sends me the WWW-Authenticate as expected). Are you sure it isn't a PHP problem, or something elsewhere in your config (e.g. messing with mod_rewrite)? If you're sure it's a bug, please reopen and supply a minimal config to provoke it, excluding extras like PHP that could confuse the issue.
I can reproduce it like so: DirectoryIndex index.html <Files "index.html"> Order allow,deny Allow from all AuthType Basic AuthName "Some Auth" AuthUserFile "/var/www/htpasswd" Require valid-user </Files> Live HTTP headers: http://localhost/ GET / HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive HTTP/1.1 401 Authorization Required Date: Mon, 27 Jun 2011 18:39:39 GMT Server: Apache/2.2.17 (Fedora) Content-Length: 476 Connection: close Content-Type: text/html; charset=iso-8859-1 ---------------------------------------------------------- Here are the modules enabled: Loaded Modules: core_module (static) mpm_prefork_module (static) http_module (static) so_module (static) auth_basic_module (shared) auth_digest_module (shared) authn_file_module (shared) authn_alias_module (shared) authn_anon_module (shared) authn_dbm_module (shared) authn_default_module (shared) authz_host_module (shared) authz_user_module (shared) authz_owner_module (shared) authz_groupfile_module (shared) authz_dbm_module (shared) authz_default_module (shared) ldap_module (shared) authnz_ldap_module (shared) include_module (shared) log_config_module (shared) logio_module (shared) env_module (shared) ext_filter_module (shared) mime_magic_module (shared) expires_module (shared) deflate_module (shared) headers_module (shared) usertrack_module (shared) setenvif_module (shared) mime_module (shared) dav_module (shared) status_module (shared) autoindex_module (shared) info_module (shared) dav_fs_module (shared) vhost_alias_module (shared) negotiation_module (shared) dir_module (shared) actions_module (shared) speling_module (shared) userdir_module (shared) alias_module (shared) substitute_module (shared) rewrite_module (shared) proxy_module (shared) proxy_balancer_module (shared) proxy_ftp_module (shared) proxy_http_module (shared) proxy_ajp_module (shared) proxy_connect_module (shared) cache_module (shared) suexec_module (shared) disk_cache_module (shared) cgi_module (shared) version_module (shared)
Tested with 2.4.39 and works for me with the configuration given in comment #2. This must have been fixed some time ago. Closing anyway because 2.2.x is EOL.