.htaccess AuthUserFile has no effect or is being ignored

Question

After hours of searching the web and trying dozens of unsuccessful solutions - here is my question.

I'm currently configuring a webserver on RHEL 6.4 and httpd 2.2.15 behind another RHEL 6.4 server using squid 3.1.10 and HTTPS only. I'm also using mod_rpaf to simplify logging and identification of visitors behind the proxy.

My problem is to configure a simple password protected folder. When I try to access the folder, the password dialog pops up with the configured AuthName. So I know that the .htaccess is being parsed. But the dialog does not accept the correct credentials and gives me an error 401.

I messed around with:

• different permissions for .htaccess, .htpasswd and parent folders
• different absolute locations for the .htpasswd
• all activated Apache modules that are available on my system
• different encryption algorithms for .htpasswd (crypt, md5, sha, salted sha...)
• AllowOverride All on the protected and parent folder

But what I really do not understand that even if I put a wrong location for AuthUserFile there is no error message in Apaches error_log like the well known Permission denied: Could not open password file. Even on LogLevel debug Therefore I think that something is wrong with that Directive AuthUserFile.

I hope there is someone out there knowing better methods to identify the problem.

This is my simple .htaccess I'm using for testing:

AuthType Basic
AuthName "Test123"
#AuthUserFile /var/www/test/.htpasswd
AuthUserFile /notexisting
Require valid-user

Answer 1

Finally I got it to work!
I tracked the error down to the squid reverse proxy by using lynx on my webserver and successfully accessing the protected folder from there.
With my new focus on squid I started googling again. Already the first link took me to the correct answer: squid did not allow the apache to handle user authentication.

Resulution:
Add login=PASS to the cache_peer command in your squid.conf