When using HAProxy, the server var REMOTE_ADDR outputs as the DO droplet IP so IPs cannot be whitelisted on HAProxy enabled droplets. The apache definition done for htpasswd would need to check X-Forwarded-For for the correct visitor IP.
Below was a revision that worked for me (with ${WHITELIST_IP} hardcoded during my testing). From what I can see, you're doing some sed replacement in TUGBOAT-php, so that would need to be accounted for here.
Order deny,allow
Deny from all
SetEnvIF X-Forwarded-For "${WHITELIST_IP}" AllowIP
<RequireAny>
Require env AllowIP
</RequireAny>
AllowOverride All
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Allow from env=AllowIP
Allow from ${WHITELIST_IP}
Satisfy Any
When using HAProxy, the server var REMOTE_ADDR outputs as the DO droplet IP so IPs cannot be whitelisted on HAProxy enabled droplets. The apache definition done for htpasswd would need to check X-Forwarded-For for the correct visitor IP.
Below was a revision that worked for me (with ${WHITELIST_IP} hardcoded during my testing). From what I can see, you're doing some
sed
replacement in TUGBOAT-php, so that would need to be accounted for here.