Apache ignoring .htaccess

Question

Apache ignores my .htaccess file. I've read more or less every thread about this issue I could find and tried all the solutions and nothing works. I've tried them more than once.

The setup

• Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-57-generic x86_64) on VPS
• Apache/2.4.18 (Ubuntu)
• Django 1.10 via WSGI
• Python 3.5 in virtualenv

I want to serve some files that should only be available via approved IP ranges or user login. I have a .htaccess file that I've previously used on a webhost with a php-based website, and now I want it to work on a VPS with a Django-based website.

The names of the directories below have been changed, but they should be faithful to the setup.

Location of files

.htaccess file inside /dir in a subdir, /dir/1/2/3.

I want it to apply settings to every subdir in that subdir, e.g. /dir/1/2/3/a, /dir/1/2/3/b, /dir/1/2/3/c. These dirs have files that should be protected access (e.g. /dir/1/2/3/a/file.pdf).This should be done via .htaccess, not server-wide settings because the list of acceptable IPs is very long and I rather not have it bloat my apache config files.

.htaccess file

Most of the content is redacted for privacy reasons, but it follows this template.

# initial deny
<Limit GET POST>
order deny,allow
deny from all

# SUBSCRIBER LIST
#a very long list that follows this pattern or with CIDR ranges
allow from 1.2.3.4

# other settings
# users
require user someuser

satisfy any
</Limit>

# authtype
AuthType Basic
AuthName "Available only for subscribers."
require valid-user
AuthUserFile "/dir/passwd"

The passwd file has the necessary permissions as well.

Apache config

Default config file: /etc/apache2/sites-available/000-default.conf Has a number of other settings that work fine e.g. related to WSGI. Adding nonsense to test this results in apache error as expected.

Directive to enable .htaccess:

<Directory /dir>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
</Directory>

Also tried:

<Directory /dir>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

Tried a number of other variations. None of them make any difference. I restart between any changes.

I've verified that this directory is spelled correctly.

sites-enabled vs. sites-available

Someplace I read that one must edit the sites-enabled config file, not the sites-available one. These are the same files, the enabled one just links to the sites-available one.

a2enmod

Is enabled:

user@server:dir$ sudo a2enmod rewrite
Module rewrite already enabled

Permissions

chown is server's user: www-data.

chmod. I tried a number of settings: a+x, u+x, 777, many others, more than once.

Permissions are as of writing:

-rwxrwxrwx  1 www-data www-data 11135 Apr  5 14:47 .htaccess

DocumentRoot

According to this accepted answer, the .htaccess file must be in the DocumentRoot or a subdir of that. I changed the DocumentRoot to point to /dir. No effect.

Main apache settings: /etc/apache2/apache2.conf

Instead of editing the virtualhosts config, one can edit the main apache settings file.

This file has some more Directory directives. One of these is:

<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>

I assume that any deeper directive will overwrite a higher one, but I saw some people say this isn't so. I tried setting this one to AllowOverride All as well. No effect. In fact I tried setting all the Directory directives to that, including the irrelevant ones (relating to other directories e.g. /var/www which is not used).

AccessFileName .htaccess

This setting is unchanged from default and is as it should.

Logs

There are no errors or anything of relevance in either the error log or the access log.

Nonsense test

To determine whether apache is even reading the file, I tried adding deliberate syntax error into .htaccess. No server error, so server must be ignoring the file completely.

--

I cannot find anything more to try.

Answer 1

Try runing

chcon -R -t httpd_sys_rw_content_t /path/to/your/site

or use reference directory:

chcon -R --reference=/var/www/html /www/sites

More info:

Link to reference

Answer 2

I spent more hours trying ideas and I found the problem. The problem was not with Apache at all, it was with Django.

To find out, I systematically moved the .htaccecss file up through my dir hierarchy. Placing it in the main Django dir caused a server error as expected (due to the deliberate syntax error in the file). Moving it into my content dir had no effect. So I reasoning that Apache must be ignoring this dir for some reason. I looked over all the Apache settings many times, but could not find any reason why this dir was ignored. Then I had the idea that perhaps the site's debug mode was causing Django to ignore the permissions. Disabling Django's debug mode made the files inaccessible (Django 404 page). This means that Django was now unable to match the URL request to the urls.py. Thus, I looked in this file and realized the problem.

In the main app/urls.py, I had used this hack-around to enable serving of content files locally during development:

#to serve media files locally
from django.conf import settings
from django.conf.urls.static import static

#make it possible to serve files in debug mode locally
if settings.DEBUG:
    # static files (images, css, javascript, etc.)
    urlpatterns = urlpatterns + static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)

Thus, when debug mode is on, Django would serve the content files itself, bypassing the Apache settings entirely. Thus, Apache would not receive any request for files in the content dir and thus would not check the .htaccess file.

Disabling debug mode, along with some other minor bug fixes, solved the issue. Hope this helps someone else.