Password protect a proxied path

SYSTEM INFORMATION
OS type and version Debian 12
Virtualmin version 7.20.2
  1. Add “Protected Directories” to the whole website. (Opening website will require basic auth)
  2. Add “Proxy Website” to proxy the whole website to another one.

Basic auth will stop working.

Is there a way to fix this?

I see that “Protected Directories” works using .htaccess and .htpasswd files while the “Proxy Website” works by editing the virtual host file.

When enabling “Protected Directories,” an .htaccess file is automatically generated in the specified directory. The file typically looks like this:

AuthUserFile "/home/krisknez/domains/app.example.com/public_html/.htpasswd"
AuthType Basic
AuthName "Entire website"
require valid-user
<Files .htpasswd>
    deny from all
</Files>

When you add users with access to the protected directory, their credentials are stored in the .htpasswd file. This setup works as expected—until you configure a proxy for your website. Since proxy settings are defined in the virtual host (vhost) file, the .htaccess file is bypassed and no longer enforced.

To resolve this issue, you need to move the relevant rules from the .htaccess file into the vhost configuration. This can be done by editing the vhost directives (Web Configuration -> Configure SSL Website / Configure Website -> Edit Directives).

The updated configuration in the vhost file might look like this:

...
<Location "/">
    AuthUserFile "/home/krisknez/domains/app.example.com/public_html/.htpasswd"
    AuthType Basic
    AuthName "Entire website"
    require valid-user
</Location>

This ensures that access control is properly applied, even when the site is proxied.

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.