.htaccess apache2 .htpasswd

Can't get the custom message for Apache2 401 authorization error


I have a shared hosting server where each subdomain is in its folder in root. The www.domain.com is in the /www folder, the subdomain.domain.com subdomain is in the /subdomain folder, etc.

What I want right now, is to restrict access to subdomain.domain.com with a .htaccess password, but show a customized message for users who don't have a password. And I can't get Apache2 to read the 401 error document. I have found some common troubleshooting saying that the file has to be readable, which in my case it definitely is.

So, the only two places where I can put the auth file in this configuration, since /subdomain is protected, is either under the /www folder, or in the root (like /401.html), which I have no idea if it makes any difference. But in both cases, those are folders obviously readable by Apache2, because I am using them, I am using the other (main) domain for PHP scripts, and I am getting error logs in the root, the file permissions are the same as on the 404 document (which works), and the owner is the same.

And I don't think my hoster is disabling me from using custom 401 error documents (I am already successfully using custom 404 and 500 documents), because only when I try to specify a 401 document, I get an additional row in my error output that says "Additionally, a 401 Authorization Required error was encountered while trying to use an ErrorDocument to handle the request." As if it's trying to do it, but there is something else in the way.

What could it be, and what should I try?

EDIT:

This is the contents of the .htaccess file:

    Options +Indexes +FollowSymLinks
    RewriteEngine On

    RewriteRule ^([^\.]+)$ index.php?data=$1 [QSA,L]

    AuthName "Restricted Area"
    AuthType Basic
    AuthUserFile /subdomain/.htpasswd
    AuthGroupFile /dev/null
    require valid-user

    ErrorDocument 404 /tpl/errors/404.php
    ErrorDocument 500 /tpl/errors/500.php
    ErrorDocument 401 /auth_alpha.html

And what I'm noticing right now pasting this, is that my 404 messages are an absolute path starting with the http address, not the root of the file system, which means that if I start the 401 error document with a /, it will try to read it from the same domain? Which makes little sense to me, because it should be an Apache2 directive, not a browser directive, right? Anyway, when I tried putting ../auth_alpha.html instead of /auth_alpha.html, then the browser outputs ONLY the string ../auth_alpha.html on the page.


Solution

  • You need to exclude ErrorDocument URLs from authentication:

    ErrorDocument 404 /tpl/errors/404.php
    ErrorDocument 500 /tpl/errors/500.php
    ErrorDocument 401 /auth_alpha.html
    
    Options +Indexes +FollowSymLinks
    RewriteEngine On
    
    RewriteRule ^([^.]+)/?$ index.php?data=$1 [QSA,L]
    
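    # flag the ErrorDocument URLs so they can be served without a password
    SetEnvIfNoCase Request_URI ^/(auth_alpha\.html$|tpl/errors/) NO_AUTH
    
    # force auth for everything except ErrorDocument URLs
    AuthName "Restricted Area"
    AuthType Basic
    AuthUserFile /subdomain/.htpasswd
    AuthGroupFile /dev/null
    Require valid-user
    # "Satisfy any": either a valid login or the host-based rule below is enough
    Satisfy    any
    Order      deny,allow
    Deny from  all
    # the host-based rule passes only when NO_AUTH was set above
    Allow from env=NO_AUTH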
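
The same exemption written in Apache 2.4's native authorization syntax, as an added example that is not part of the original answer. It assumes Apache 2.4 with mod_authz_core and mod_setenvif, and reuses the paths from the answer above.

```apache
# The 401 document must be a local path: a value that does not start with "/"
# or a URL scheme is sent to the browser as literal message text.
ErrorDocument 404 /tpl/errors/404.php
ErrorDocument 500 /tpl/errors/500.php
ErrorDocument 401 /auth_alpha.html

# Flag only the error-document URLs. Everything matched here is served
# without a password, so keep the pattern as narrow as possible and keep
# nothing but error pages under /tpl/errors/.
SetEnvIfNoCase Request_URI ^/(auth_alpha\.html$|tpl/errors/) NO_AUTH

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /subdomain/.htpasswd
# AuthGroupFile is omitted: no "Require group" rule is used here.

# Replaces Satisfy/Order/Deny/Allow, which in 2.4 are provided only by
# mod_access_compat and are deprecated.
<RequireAny>
    # request carries the NO_AUTH flag set by SetEnvIfNoCase above
    Require env NO_AUTH
    # otherwise a valid login is required
    Require valid-user
</RequireAny>
```

After deploying either variant, request a protected URL and each exempted URL without credentials and confirm that only the error documents come back without a 401.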