
htaccess folder protection + php7.0-fpm/fastcgi : .php files still accessible


I've set up a small droplet with php7.0-fpm/fastcgi and Apache 2.4 on Ubuntu 14.04.
Everything runs smoothly, except for one small detail:

The thing is I want to protect a folder via a classic .htaccess protection, nothing fancy.

But if I go to "my-droplet-ip/my-protected-folder/my-file.php", I can still access it, even with an .htaccess configured.

If I go to "my-droplet-ip/my-protected-folder", the login/pass prompt shows up as expected. Same normal behavior for "my-droplet-ip/my-protected-folder/a-file.(html|png|ini...)"

I've read many things, like the fact that fastcgi could "process" php files before htaccess, but I can't really figure out why/how.

Any idea?


Solution

  • Eureka.

    Short story, don't use :

    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/$1
    

    to handle php files with FastCGI, because it seems that ProxyPassMatch directives are evaluated before the .htaccess.

    Better use :

    <FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>
    

    More details over there : https://ma.ttias.be/apache-2-4-proxypass-for-php-taking-precedence-over-filesfilesmatch-in-htaccess/
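
An added example (not part of the original answer): a small Python check that scans an Apache config for `ProxyPass`/`ProxyPassMatch` lines targeting `fcgi://` and reports which request paths they would capture, so the `.php` URLs of a protected folder can be audited for the behaviour described above. The two config fragments, the probe paths and the function names are constructed for illustration, and Python's `re` is assumed to behave like Apache's regex engine for simple patterns such as this one.

```python
import re

# ProxyPass / ProxyPassMatch lines whose target is a FastCGI backend.
PROXY_RE = re.compile(
    r'^\s*(ProxyPassMatch|ProxyPass)\s+"?([^"\s]+)"?\s+"?(fcgi://[^"\s]+)"?', re.I)
# The handler-based form recommended in the answer above.
HANDLER_RE = re.compile(r'^\s*SetHandler\s+"?proxy:fcgi://[^"\s]+"?', re.I)

# Constructed vhost fragments built around the two snippets from the answer.
BEFORE = r"""<VirtualHost *:80>
    DocumentRoot /var/www/html
    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/$1
</VirtualHost>
"""
AFTER = r"""<VirtualHost *:80>
    DocumentRoot /var/www/html
    <FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>
</VirtualHost>
"""
# Constructed request paths inside the .htaccess-protected folder.
PROBES = ["/my-protected-folder/", "/my-protected-folder/a-file.html",
          "/my-protected-folder/my-file.php"]

def audit(config_text, probe_paths):
    """Return (line_no, directive, path) for each probe path that a proxy
    directive would hand to FastCGI, i.e. the case the answer above reports
    as being served without the folder's .htaccess prompt."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = PROXY_RE.match(line)  # commented-out lines never match
        if not m:
            continue
        directive, pattern = m.group(1), m.group(2)
        for path in probe_paths:
            if directive.lower() == "proxypassmatch":
                try:
                    hit = re.search(pattern, path) is not None
                except re.error:
                    hit = True  # pattern not parsable here: flag for review
            else:
                hit = path.startswith(pattern)  # ProxyPass is a prefix match
            if hit:
                findings.append((line_no, directive, path))
    return findings

def uses_handler_form(config_text):
    """True if an active SetHandler proxy:fcgi line is present."""
    return any(HANDLER_RE.match(l) for l in config_text.splitlines())
```

A static check like this only narrows down where to look; an unauthenticated request for a `.php` file in the protected folder should still be confirmed to return 401 on the live server after the change.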