We have an .htaccess file in the base directory of our project which contains a RewriteRule to allow for SEO friendly URIs. Existing files or directories should be served as-is. The project can be accessed directly via its domain, i. e. www.example.com. This .htaccess file looks like this
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ index.php [L]
The administration area for this project resides in a subfolder called /admin. This administration area is a very basic oldschool PHP application that does not use RewriteRules and it should be accessible like any normal subdirectory. Using my example domain from above that would be www.example.com/admin.
Additionally, we need to protect the admin area using HTTP auth, because it does not have built-in protection. Hence we placed another .htaccess file inside the /admin subdirectory which only contains the auth configuration as follows
AuthType Basic
AuthName "Administration area"
AuthUserFile /path/to/.htusers
AuthGroupFile /path/to/.htgroups
Require group superuser
Options -Indexes
This is where it gets crazy, at least to me, but that may only be due to my lack of deep understanding of the mod_rewrite module. If both .htaccess files are active, the admin area is not accessible, because apparently the request is rewritten to the index.php file of the base directory. If I disable either of those two .htaccess files by renaming them, it works:
.htaccess file inside the /admin directory, the SEO friendly URIs of the main project still work and I can access the admin area, but it is not password protected.htaccess file in the base directory, the admin area can be accessed and is password protected, but the SEO friendly URIs of the main project don't work anymoreI tried to exclude the /admin directory from the RewriteRule manually by adding the condition RewriteCond %{REQUEST_URI} !^/admin before the other two conditions, even though this should be redundant due to the !-d RewriteCond, but this didn't change the behavior.
How can I make things work simultaneously?
We had contacted our infrastructure provider before because of this issue, but they just told us to "try this and that". After tinkering for a while but still not being able to solve the issue, we contacted our infrastructure provider again. This time, they actually checked their systems themselves and realized they had an old .htaccess file somewhere up in the directory tree (where we don't have access to), which was apparently applied by Apache... they removed it and now it is all good...
Lesson learned: if things seem to be weird, annoy your provider until they finally care.