When enabling “Protected Directories,” an .htaccess file is automatically generated in the specified directory. The file typically looks like this:
AuthUserFile "/home/krisknez/domains/app.example.com/public_html/.htpasswd"
AuthType Basic
AuthName "Entire website"
require valid-user
<Files .htpasswd>
deny from all
</Files>
When you add users with access to the protected directory, their credentials are stored in the .htpasswd file. This setup works as expected until you configure a proxy for your website. Proxy settings are defined in the virtual host (vhost) file, and a proxied request is passed to the backend instead of being served from the directory on disk, so the .htaccess file in that directory is bypassed and its rules are no longer enforced.
To resolve this issue, you need to move the relevant rules from the .htaccess file into the vhost configuration. This can be done by editing the vhost directives (Web Configuration -> Configure SSL Website / Configure Website -> Edit Directives).
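As an added check (not part of the original article or of the control panel's own tooling), the following Python script scans vhost text for ProxyPass paths that are not covered by a <Location> block setting both AuthType and Require. The sample vhosts, the backend address 127.0.0.1:3000 and the function names are constructed for illustration; Include files, <LocationMatch>, <Proxy> and ProxyPassMatch are not handled.

```python
import re

# Constructed sample: proxy rules in the vhost, auth left behind in .htaccess.
UNPROTECTED = """
<VirtualHost *:443>
    ServerName app.example.com
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>
"""

# Constructed sample: the same proxy with the auth rules placed in the vhost.
PROTECTED = UNPROTECTED.replace("    ProxyPass /", """    <Location "/">
        AuthType Basic
        AuthName "Entire website"
        AuthUserFile "/home/krisknez/domains/app.example.com/public_html/.htpasswd"
        Require valid-user
    </Location>
    ProxyPass /""", 1)

LOCATION = re.compile(r'<Location[ \t]+"?([^">\s]+)"?[ \t]*>(.*?)</Location>', re.I | re.S)
# Skips "ProxyPass /path !" exclusions and never matches ProxyPassReverse.
PROXYPASS = re.compile(r'^[ \t]*ProxyPass[ \t]+"?([^"\s]+)"?[ \t]+(?!!)\S+', re.I | re.M)
AUTHTYPE = re.compile(r'^[ \t]*AuthType[ \t]+\S+', re.I | re.M)
REQUIRE = re.compile(r'^[ \t]*Require[ \t]+(valid-user|user|group)\b', re.I | re.M)

def protected_paths(conf):
    """URL prefixes whose <Location> block sets both AuthType and Require."""
    return [path for path, body in LOCATION.findall(conf)
            if AUTHTYPE.search(body) and REQUIRE.search(body)]

def covers(prefix, path):
    """True when a <Location prefix> block applies to the proxied path."""
    return prefix == "/" or path == prefix or path.startswith(prefix.rstrip("/") + "/")

def unprotected_proxies(conf):
    """Return ProxyPass paths that no auth-enforcing <Location> covers."""
    conf = re.sub(r'^[ \t]*#.*$', '', conf, flags=re.M)  # ignore comment lines
    guarded = protected_paths(conf)
    return [p for p in PROXYPASS.findall(conf)
            if not any(covers(g, p) for g in guarded)]

if __name__ == "__main__":
    for name, conf in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        print(name, "->", unprotected_proxies(conf) or "all proxied paths require auth")
```

An empty result only means the static rules are present; confirm the behaviour by requesting the site without credentials and checking for a 401 response.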
The updated configuration in the vhost file might look like this: