htaccess file protect can access file when file permission is 444

I have a site file that I need to protect by htaccess and htpasswd

https://site/test/test.txt
when the file permission is 444 meaning , read access from web client  , the file content will be open and the htaccess login prompt will not show, but when I change the file permission to 440 "no read access for web client , the htaccess login prompt will show and will accept the valid user, but then the file will be "Forbidden
You don't have permission to access this resource".

let me know if you have a fix on this.

are you using nginx in front of apache, or apache only.  Could be a misconfiguration of Nginx if the former is true.

Yes I have nginx in front.

Nginx needs to be the auth then. 

You will want to create a new template in "   nano /usr/local/cwpsrv/htdocs/resources/conf/web_servers/vhosts/nginx/   " (or php-fpm/nginx if you are using php-fpm).

You will need to do both the tpl and stpl file, and name it the user account.  Make the changes in that file.  Then goto WebServer Settings -> Webserver Domain Config, and assign your new template to the account you want.  (This will prevent issues when CWP updates)

Follow this tutorial to edit the template file:  https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/

This is a caching "issue" of Nginx being in front of apache. This isn't really an issue, it's more like how the nginx configuration is written/designed.
This problem is similar to what I had
https://serverfault.com/questions/1088413/htaccess-rewrite-rule-not-working-with-file-extentions

TLDR; Nginx is caching the following file extensions:

Code: [Select]

3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh|webpSo, these files per say does not get processed by apache, hence why .htaccess can't really do anything about them because it doesnt see a connection to them.

You can do as @rcschaff mentioned or you can simply just clone a template and remove the file extensions section mentioned above to disable nginx serving them by itself and then you can use htpasswd and htaccess normally. But then again, this counters the purpose of why nginx is in front of apache.

This is the action of a hacker which practically modifies files in the web folder and is able to set 444 permissions on this files.
All the security provided from MODsec shoud block these hacking behavior or at least CWP admins/devs should provide a patch for blocking these malicious instances.

What is suggested as a fix is practically making the website more vulnerable, rather than increasing the security.

Everyone is paying licenses and we are all suffering from lack of support on this matter.

Please advise.

This is the action of a hacker which practically modifies files in the web folder and is able to set 444 permissions on this files.
All the security provided from MODsec shoud block these hacking behavior or at least CWP admins/devs should provide a patch for blocking these malicious instances.

What is suggested as a fix is practically making the website more vulnerable, rather than increasing the security.

Everyone is paying licenses and we are all suffering from lack of support on this matter.

Please advise.

I'm not sure what you are even talking about.  The OP is setting his permissions. Obviously, if you set a file's permissions that nginx cannot read, it will throw an error.   The issue here isn't the file permissions (Which should be 640), but the fact that nginx does not use the .htaccess file.   Nginx has it's own AUTH method, but it has to be set in the domains server block.  Perhaps you should re-read the thread, as the correct way of handling this was explained to him.