This feels really stupid:
I’m trying to protect some directories with .htaccess but I still can access these directories without any problem.
I tried via the ZTL web panel and it generates the files in the appropriate directories. I also generated them via online tools but still no go.
I noticed that the ZTL web panel sets group and owner of the files to root:root and not to the owner of the domain, but changing that doesn’t make a difference.
Is this an Apache (httpd.conf) setting somewhere that overrides the .htaccess files?
You should also set AllowOverride directive in your virtual server config (Directory section):
System Administration->Apache webserver->Virtual server(your virtual server)->Per-Directory options(select directory with .htaccess file)->Document Options
Set ‘Options file can override…’ to ‘Selected below…’ and select needed options (Authentication options in your case)
This is very fine-grained! (Should it be this precise?)
However, the more I play with ZTL the more I like it.
I have one quite puzzling issue now, though:
As an example I set an .htaccess on the /stats directory. (webalizer graphs) Authentication is now required when browsing to http://www.mydomain.com/stats but NO authorization is required when going to http://mydomain.com/stats !!!
Can you give me a hint?
Check again, but after authentication on http://www.mydomain.com/stats you should reopen your browser (because it saves auth info) and then go to http://mydomain.com/stats .
Now I REALLY feel stupid! (:SHY)
I thought my browser would regard mydomain.com and www.mydomain.com as two separate domains with the need for new login credentials.
You are correct and it works as advertised.