Requiring httpauth username and password for Wordpress blog except RSS feed

Question

I am trying to secure my wordpress blog with httpauth, except for the RSS feed. This worked for me in apache 2.2, but I can't get it to work in apache 2.4.

I have an .htaccess file in my blog directory looking like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /blog/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /blog/index.php [L]
</IfModule>
# END WordPress

AuthUserFile .htpasswd
AuthGroupFile /dev/null
AuthName blog
AuthType Basic
SetEnvIf Request_URI ^.*/feed/$ allow_access
<RequireAny>
    Require env allow_access
    Require expr %{REQUEST_URI} =~ m#^.*/feed/$#
    Require ip 127.0.0.1
    Require valid-user
</RequireAny>

This does ask me for a password, as it should, but even on URIs ending in /feed/ it still asks for a password, which it shouldn't.

My understanding is that either of the two first lines in the RequireAny block should satisfy the RequireAny and thus not ask for a password.

In apache 2.2 this worked for me, with

allow from env=allow_access

What am I doing wrong? Is there another or better way to do this?

UPDATE: I added extra logging for mod_rewrite and mod_authz. This gives me the following:

[Sat May 10 16:31:32.590983 2014] [authz_core:debug] [pid 23422] mod_authz_core.c(802): [client 192.168.1.2:41194] AH01626: authorization result of Require env allow_access: granted
[Sat May 10 16:31:32.591570 2014] [authz_core:debug] [pid 23422] mod_authz_core.c(802): [client 192.168.1.2:41194] AH01626: authorization result of <RequireAny>: granted
[Sat May 10 16:31:32.591694 2014] [rewrite:trace3] [pid 23422] mod_rewrite.c(475): [client 192.168.1.2:41194] 192.168.1.2 - - [www.example.com/sid#7fdd2871f880][rid#7fdd28c5f250/initial] [perdir /var/www/html/www.example.com/blog/] add path info postfix: /var/www/html/www.example.com/blog/feed -> /var/www/html/www.example.com/blog/feed/
[Sat May 10 16:31:32.591731 2014] [rewrite:trace3] [pid 23422] mod_rewrite.c(475): [client 192.168.1.2:41194] 192.168.1.2 - - [www.example.com/sid#7fdd2871f880][rid#7fdd28c5f250/initial] [perdir /var/www/html/www.example.com/blog/] strip per-dir prefix: /var/www/html/www.example.com/blog/feed/ -> feed/
[Sat May 10 16:31:32.591754 2014] [rewrite:trace3] [pid 23422] mod_rewrite.c(475): [client 192.168.1.2:41194] 192.168.1.2 - - [www.example.com/sid#7fdd2871f880][rid#7fdd28c5f250/initial] [perdir /var/www/html/www.example.com/blog/] applying pattern '.' to uri 'feed/'
[Sat May 10 16:31:32.591813 2014] [rewrite:trace2] [pid 23422] mod_rewrite.c(475): [client 192.168.1.2:41194] 192.168.1.2 - - [www.example.com/sid#7fdd2871f880][rid#7fdd28c5f250/initial] [perdir /var/www/html/www.example.com/blog/] rewrite 'feed/' -> '/blog/index.php'
[Sat May 10 16:31:32.591843 2014] [rewrite:trace2] [pid 23422] mod_rewrite.c(475): [client 192.168.1.2:41194] 192.168.1.2 - - [www.example.com/sid#7fdd2871f880][rid#7fdd28c5f250/initial] [perdir /var/www/html/www.example.com/blog/] trying to replace prefix /var/www/html/www.example.com/blog/ with /blog/
[Sat May 10 16:31:32.591866 2014] [rewrite:trace1] [pid 23422] mod_rewrite.c(475): [client 192.168.1.2:41194] 192.168.1.2 - - [www.example.com/sid#7fdd2871f880][rid#7fdd28c5f250/initial] [perdir /var/www/html/www.example.com/blog/] internal redirect with /blog/index.php [INTERNAL REDIRECT]
[Sat May 10 16:31:32.592086 2014] [authz_core:debug] [pid 23422] mod_authz_core.c(802): [client 192.168.1.2:41194] AH01626: authorization result of Require env allow_access: denied
[Sat May 10 16:31:32.592122 2014] [authz_core:debug] [pid 23422] mod_authz_core.c(802): [client 192.168.1.2:41194] AH01626: authorization result of Require expr %{REQUEST_URI} =~ m#^.*/feed/$#: denied
[Sat May 10 16:31:32.592141 2014] [authz_core:debug] [pid 23422] mod_authz_core.c(802): [client 192.168.1.2:41194] AH01626: authorization result of Require ip 127.0.0.1: denied
[Sat May 10 16:31:32.592158 2014] [authz_core:debug] [pid 23422] mod_authz_core.c(802): [client 192.168.1.2:41194] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Sat May 10 16:31:32.592175 2014] [authz_core:debug] [pid 23422] mod_authz_core.c(802): [client 192.168.1.2:41194] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)

So the authorization is checked twice; before and after the rewrite. The problem is that apparently the request_uri isn't the same after the rewrite. Suggestions welcome.

Answer 1

I found the answer, finally, in this Stack Exchange question

When using url rewriting, environment variables are saved as REDIRECT_variable_name.

So adding the line

    Require env REDIRECT_allow_access

inside the <RequireAny> block solved the problem for me.