Why can't I use BasicAuth to protect configure with FastCGI?

If you have configured the 401 ErrorDocument to take your users to a sign-up page as per the ApacheConfigGenerator,

You may find that a successful CGI installation where you are able to access configure and authenticate via BasicAuth no longer works with FastCGI (instead you see the sign-up page).

This problem occurs particularly if you use something like HttpsRedirectPlugin or other SSL redirect scheme where the protocol://host you may be accessing the configure script with is not the same as the DefaultUrlHost, although it should be in PermittedRedirectHostUrls).

The work-around is to configure the 401 ErrorDocument for inside the configure FilesMatch directive to manually set it back to the default error document apache would normally use on the filesystem.

In the case of Debian and Ubuntu, the 401 error document should live at /usr/share/apache2/error/HTTP_UNAUTHORIZED.html.var, so the full FilesMatch directive would be something like:

    <FilesMatch "^(configure)$">
        SetHandler cgi-script
        Order Deny,Allow
        Deny from all 
        Allow from 123.123.123.0/24
        Allow from 122.122.122.0/24
        Require user ExampleUser1 ExampleUser2 ExampleUser3
        Satisfy All
        ErrorDocument 401 /usr/share/apache2/error/HTTP_UNAUTHORIZED.html.var
    </FilesMatch>

-- PaulHarvey - 21 Feb 2010

Why not use the special Apache directive "Default" to return to the Apache default. From the Apache 2.2 Documentation (modified to be relevant):

Additionally, the special value default can be used to specify Apache's simple hardcoded message. While not required under normal circumstances, default will restore Apache's simple hardcoded message for configurations that would otherwise inherit an existing ErrorDocument.

ErrorDocument 401 /System/UserRegistration

<FilesMatch "^(configure)$">
        SetHandler cgi-script
        ( ... omitted ... )
        ErrorDocument 401 default
</FilesMatch>

-- GeorgeClark - 27 Feb 2012