DeveloperSide.NET Forums
Topic: Securing <drive>:\www\wwwroot\admin\*.* and beyond...
ufo
« on: October 24, 2003, 07:26:09 AM »

I now have (thnx to you guys) a fine working web server but.......... I want to take it one step further  :wink:

I have a lot of folders in my wwwroot and they all work fine.
I also have an "admin" folder with a couple of subfolders located in the wwwroot.

I want all the folders to be accessible by all users, except for the "admin" folder and its subfolders (like the phpmyadmin). As soon as someone wants to go to http://myserver/admin (or any of its subfolders) I want the page to rewrite (mod_rewrite) to https://myserver/admin and they should also be prompted for a password (MD5) using an .htaccess file.

I would think it would just be a few lines in httpd.conf but I've tried different solutions from searching the web, but no luck yet. Anyone able to help me?

What should I have in the httpd.conf?

Thnx

Jorge
« Reply #1 on: October 24, 2003, 01:35:25 PM »

Here is a sample, to protect a folder.
Change Mypasswordfile with the path to a file with passwords created with
the tool that comes with apache.
Code:
<Directory "/www/wwwroot/admin/">
Options Indexes MultiViews
AllowOverride None
Order deny,allow
Allow from all
AuthUserFile "Mypasswordfile"
AuthName Web
AuthType Basic
require valid-user
</Directory>

For mod_rewrite I don't know; I don't have experience with it.

ufo
« Reply #2 on: October 24, 2003, 04:47:29 PM »

Pffff... I am getting frustrated here.

This is what I did:
 
Code:

<Directory "/www/webroot">
      Options Indexes FollowSymLinks
      AllowOverride all
      Order allow,deny
      Allow from all
</Directory>

<Directory "/www/wwwroot/admin/">
   Options Indexes MultiViews
   AllowOverride None
   Order deny,allow
   Allow from all
   AuthUserFile ../htpasswd/.htpasswd
   AuthGroupFile ../htpasswd/.htgroup
   AuthName "Secure Administration Connection"
   AuthType basic
   require group admins
</Directory>



The result is that everyone can access the pages in the admin section without even getting prompted to type a password! I changed a lot from "deny,allow" to "allow,deny" and stuff like that, but whatever I do, I don't get prompted for anything.

btw the .htpasswd and .htgroup files are correct. I am sure of that. The Apache log does not show any errors either.

Help?

ufo
« Reply #3 on: October 24, 2003, 05:14:39 PM »

If I add an .htaccess file to the /www/webroot/admin folder, with the following in it:

Code:

AuthUserFile ../htpasswd/.htpasswd
AuthGroupFile ../htpasswd/.htgroup
AuthName "Secure Administration Connection"
AuthType basic
require group admins



Then I do get asked for a password and username. How come the lines in HTTPD.CONF get ignored?

Jorge
« Reply #4 on: October 24, 2003, 06:31:30 PM »

I don't know; here it's the other way around: it doesn't work in a .htaccess, only in one of my config files.

ufo
« Reply #5 on: October 25, 2003, 11:35:01 PM »

This now works:

Code:

<Directory "/www/webroot">
      Options Indexes FollowSymLinks
      AllowOverride all
      Order allow,deny
      Allow from all
</Directory>

<Directory "/www/webroot/admin/">
   Options Indexes MultiViews
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 127.0.0.1
   Allow from 192.168.0.2
   AuthUserFile ../htpasswd/.htpasswd
   AuthGroupFile ../htpasswd/.htgroup
   AuthName "Secure Administration Connection"
   AuthType basic
   require group admins
</Directory>


And this also works:

Code:

<Directory "/www/webroot">
      Options Indexes FollowSymLinks
      AllowOverride all
      Order allow,deny
      Allow from all
</Directory>

<Directory "/www/webroot/admin/">
   RewriteEngine On
   RewriteCond %{SERVER_PORT} 80
   RewriteRule .* https://%{HTTP_HOST}:443%{REQUEST_URI} [QSA,R=permanent,L]
</Directory>


But a combination of the two doesn't.
Too bad that there isn't anyone here that has some experience with this
 :cry:

Jorge
« Reply #6 on: October 27, 2003, 02:01:08 PM »

OK, I think I figured it out!
Try:
Code:

<Location /admin>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule .* https://%{HTTP_HOST}:443%{REQUEST_URI} [QSA,R=permanent,L]
AuthUserFile ".htpasswd"
AuthName SSL
AuthType Basic
require valid-user
</Location>

The problem was that the auth part came before the rewrite part, so it did not rewrite. So hopefully this should work.

ufo
« Reply #7 on: October 28, 2003, 06:30:45 AM »

Thank you Jorge. But it does not make a difference  :cry:

It does not matter in what order you do it. I already tried that. Apache seems to give more priority to the authentication bit than to the rewrite rule.

First I get to login (not secure!), then the page changes to https and then I get to login again (this time secure over SSL).

It would be nice if I could use something like "if , then , else" but I don't think Apache would understand  :D

Thanx for trying....(did you try it on your server?)

Anonymous (Guest)
« Reply #8 on: October 28, 2003, 07:20:30 AM »

Quote
As soon as someone wants to go to http://myserver/admin (or any of its subfolders) I want the page to rewrite (mod_rewrite) to https://myserver/admin

I do not think it is possible to rewrite a http request to a https request and have it work.
Rewrites happen internally and on the server-side; the client browser still sees http and cannot communicate with the server sent https protocol.
You'll have to redirect that request.
Or just link to https in the first place.
You are making this way too complicated.  Just redirect.

Jorge
« Reply #9 on: October 28, 2003, 08:51:25 AM »

What about 2 folders?
/admin <- put the .htaccess file with the rewrite part here.
/admin/file <- login part here?
I'll test it later, internet is buggy.

ufo
« Reply #10 on: October 28, 2003, 08:59:26 AM »

Quote

I do not think it is possible to rewrite a http request to a https request and have it work.
Rewrites happen internally and on the server-side; the client browser still sees http and cannot communicate with the server sent https protocol.

Yes it can! That part already does work.

Quote

You are making this way too complicated


True.  :wink:  And I am quitting..... I settle for this one:

Code:

<Location /admin>
SSLRequireSSL
AuthUserFile ../htpasswd/.htpasswd
AuthGroupFile ../htpasswd/.htgroup
AuthName "Secure Administration Connection"
AuthType Basic
require group admins
ErrorDocument 403 /error/403-SSL/
</Location>

Jorge
« Reply #11 on: October 28, 2003, 09:36:24 AM »

I found another fix (I hope), but it's not that logical:
In the folder /admin you put:
Code:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule .* https://%{HTTP_HOST}:443/admin/ssl [QSA,R=permanent,L]

and in /admin/ssl:
Code:

AuthUserFile "users.cfg"
AuthName SSL
AuthType Basic
require valid-user

This works, but is not the best solution, I think.

ufo
« Reply #12 on: October 28, 2003, 01:52:45 PM »

Nope! Sorry, same result.

Let this be a lesson to all of you......don't ever try this on your server....

It seems to work fine if a php or other app (like phpmyadmin) takes over the authentication. But as soon as .htaccess files are used for authentication, (even if that is in a subfolder) apache gives a higher priority to that and thus prompts for a password before the re-write.

Jorge
« Reply #13 on: October 28, 2003, 01:58:13 PM »

Are you sure? Here it works.
IE requests /admin, it redirects to /admin/ssl but on port 443 this time, then it asks for a user and pass because then it sees /admin/ssl/.htaccess. It's probably that we have a different configuration.

ufo
« Reply #14 on: October 28, 2003, 05:47:43 PM »

You are right Jorge! It does work now. I had to rebuild my test server because it had become a mess.

It does work if I go to http://server.com/admin (will redirect me to https://server.com/admin/ssl and prompt for password just once)  :lol:

It does not work if I go to http://server.com/admin/ssl/anysubfolder (will redirect me to https://server.com/admin/ssl and prompt me for password twice) and will not direct me to https://server.com/admin/ssl/anysubfolder.

I will now use this "solution" (work around) anyway and use a separate index.html to simply go to all the admin apps from within the ssl folder.

Perhaps this was a silly question to start with a couple of days ago.  :oops:
Anyway, I have learned a lot since then!!!!
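
Added example (not posted by anyone in this thread, and not the forum's own configuration): one way to get a single password prompt, over HTTPS only, with the subfolder path preserved, which is what Replies #7, #12 and #14 were working around. It moves the redirect out of per-directory context into the port-80 virtual host and keeps the auth block behind SSLRequireSSL. It assumes mod_rewrite and mod_ssl are loaded and Apache listens on ports 80 and 443; `myserver`, the certificate paths and the absolute password-file paths are placeholders.

```apache
# Added example, not from the thread. "myserver", the certificate paths and
# the absolute AuthUserFile/AuthGroupFile paths are placeholders.

# Global scope: applies to every virtual host, so /admin is never served
# without TLS and a login, even if a request slips past the redirect below.
# The path must be the directory actually served: a <Directory> block that
# names a different folder (webroot vs. wwwroot) never matches, and Apache
# logs no error for it.
<Directory "/www/webroot/admin">
    # Checked before authentication: plain HTTP gets 403, never a 401 prompt.
    SSLRequireSSL
    AuthType Basic
    AuthName "Secure Administration Connection"
    AuthUserFile "/www/htpasswd/.htpasswd"
    AuthGroupFile "/www/htpasswd/.htgroup"
    Require group admins
</Directory>

<VirtualHost *:80>
    ServerName myserver
    DocumentRoot "/www/webroot"

    # Server (vhost) context: this rule runs while the URL is translated,
    # before the authentication phase. The same rule inside <Directory>,
    # <Location> or .htaccess runs in the later fixup phase, after Apache
    # has already answered 401 over HTTP.
    RewriteEngine On
    # Fixed host name instead of %{HTTP_HOST}, so the redirect target cannot
    # be steered by the client's Host header. $1 keeps the subfolder path.
    RewriteRule ^/admin(/.*)?$ https://myserver/admin$1 [NC,R=permanent,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName myserver
    DocumentRoot "/www/webroot"
    SSLEngine on
    SSLCertificateFile    "/www/conf/ssl/server.crt"
    SSLCertificateKeyFile "/www/conf/ssl/server.key"
</VirtualHost>
```

Basic authentication sends the password with every request in an easily decoded form, so the point of this layout is that no 401 challenge is ever issued on port 80. Run `httpd -t` to check the syntax before restarting.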