I'm using Laravel 4 framework with standard built-in Auth support. In local environment everything works nice (MAMP, OSx), but on my production server (Digital Ocean standard image with Ubuntu, Apache, Php 5.5.9) auth filter fails and allows access without authentication.

routes.php:

Route::group(['before'=>'auth'], function(){
    Route::get('admin', array('uses' => 'AdminController@home'));
    Route::get('admin/dashboard', function(){
        return Redirect::to('admin');
    });

    Route::post('payment/ok', array('uses' => 'PaymentController@ok'));
    Route::post('payment/fail', array('uses' => 'PaymentController@fail'));
    Route::get('admin/makeDMS/{id}', array('uses' => 'PaymentController@makeDMStransaction'));
    Route::get('admin/products', array('uses' => 'AdminController@products'));
    Route::get('admin/product/{id}', array('uses' => 'AdminController@product'));
    Route::get('admin/orders', array('uses' => 'AdminController@orders'));
    Route::get('admin/order/{id}', array('uses' => 'AdminController@order'));
    Route::post('admin/setOrderStatus', array('uses' => 'AdminController@setOrderStatus'));
    Route::post('admin/updateProduct', array('uses' => 'AdminController@updateProduct'));
    Route::get('admin/transactions', array('uses' => 'AdminController@transactions'));  
});

filters.php:

Route::filter('auth', function()
{
    if (Auth::guest())
    {
        if (Request::ajax())
        {
            return Response::make('Unauthorized', 401);
        }
        else
        {
            return Redirect::guest('login');
        }
    }
});


Route::filter('auth.basic', function()
{
    return Auth::basic();
});

Route::filter('guest', function()
{
    if (Auth::check()) return Redirect::to('/');
});

I tried to protect desired routes both with Route::group and in controller constructor, but the output is the same: login with good credentials works, users with bad credentials can't login, but routes group which should be protected are available for unauthenticated users.

I found that php in fast CGI mode could produce such behavior, but here is my sudo apachectl -M output:

Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php5_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 status_module (shared)

Ok, I found the solution. As always, RTM...

My environment was set as "testing" which is reserved for Unit Testing, and the manual nicely says:

Note: Route filters are disabled when in the testing environment. To enable them, add Route::enableFilters() to your test.

I changed the environment variable to "production" and now everything works great.