I have a pretty URL setup with .htaccess that rewrites non-existent URLs (not strictly 404 errors) to a PHP script that serves either content or a 404 message. I have excluded existing files and directories from this rewriting so that CSS, images, etc, won't be affected.
However, there is one directory that is password-protected by .htpasswd that should also bypass the rewrite rule but is NOT when .htpasswd is enabled for it.
Parent directory .htaccess:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /callbacks.php [L]
There's a child directory with the following .htaccess:
RewriteEngine on
Options All -Indexes
AuthName "Backstage Access"
AuthType Basic
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
require valid-user
If I remove the require valid-user line, the parent directory's rewrite rule ignores the child directory as I want, and I can access it from my browser. But when I turn on the authorization, the parent directory's .htaccess rewrites the child directory to /callbacks.php, resulting in the custom 404 error.
Any ideas on how to fix this? Obviously I cannot remove the need for password-protection. I tried removing the parent rewrite rule and instead simply using /callbacks.php as a 404 error document, but then POST and GET data isn't transferred.
