[SlugBug] Restricting HTTP in just one directory (followup from
another discussion cut short!)
James Wallbank
james at lowtech.org
Thu Jan 26 17:37:30 GMT 2006
Hello All,
I have a problem with the details of restricting http access to a CMS
control panel on an apache webserver.
I posted this question on another (nearby) Linux User Group mailing list
recently, but unfortunately it seems as if their listserv has gone belly
up, and I'd like to address this problem ASAP... So please forgive me
that the story is somewhat involved...
Here's the story so far...
I have a website with a CMS. The domain is on an apache server and is
accessible by both http (port 80) and https (port 443). One directory
"htdocs/panel/" contains a control panel, protected by .htpasswd
usernames and passwords.
I'd like to stop access to this directory on port 80 - so people can
view the rest of the website WITHOUT having to use https, but people
using the control panel HAVE TO use https.
Thus, the theory goes, naughty people can't listen in on the
username/password interactions and mess about with the control panel.
My original questions were thus...
* Should I limit port 80 access using a <Directory> block in
vhosts.conf? How?
OR
* Should I limit port 80 access using directives in .htaccess? How?
OR
* Are neither of these approaches correct? In which case, what approach
should I take?
Simple enough!
I got a very helpful reply which suggested that I should doctor
vhosts.conf thus:
<Directory "/svr/www/htdocs/panel">
    RewriteEngine on
    # mod_rewrite needs FollowSymLinks to run in per-directory context
    Options +FollowSymLinks
    Order allow,deny
    Allow from all
    # Any request not arriving on port 443 is redirected to the same URI over https.
    # Note: a RewriteRule inside <Directory> runs in the fixup phase, i.e. after
    # the authentication phase, so an .htaccess password prompt fires first.
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</Directory>
This works really well... BUT there's still a security hole!
If someone hits http://server-example.org/panel in an attempt to access
the control panel, then the first thing that happens is that .htaccess
asks for the username and password via plain HTTP.
Put the right details in the box, and press go, and the plaintext
username and password are returned by plain HTTP - exactly the thing I
want to avoid!
Once that's done, of course, THEN .htaccess asks for the username and
password AGAIN - this time via HTTPS - which is what we want.
Clearly, I can design the site to encourage people not to hit the panel
directory directly via http, by, for example, giving the https-only
control panel directory a cryptic name, and making a file
http://server-example.org/panel/index.php which redirects to
https://server-example.org/panel-with-a-cryptic-name/index.php
However, this seems messy and annoying - and it doesn't fill the
security hole completely, it just makes it unlikely that the "data leak"
condition ever happens.
So, here's my followup question...
* Is there a way I can get .htaccess to stay silent and NOT ask for
username and password UNLESS it's hit by https...
OR
* Should I use a different approach to make sure the communications with
the panel are encrypted?
Best Regards,
James
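One way to get the effect the post asks for, added here as an example and not taken from the list reply quoted above: keep the password prompt entirely inside the port-443 virtual host and let the port-80 virtual host do nothing but redirect, so no 401 challenge can ever be issued over plain HTTP. It assumes Apache 2.0/2.2 directive syntax (the Order/Allow style used above), that mod_ssl and "Listen 443" are already configured, and the certificate and htpasswd paths are placeholders.

```apache
# Port 80: the panel is never authenticated here, only redirected.
<VirtualHost *:80>
    ServerName server-example.org
    DocumentRoot /svr/www/htdocs
    RewriteEngine on
    # In VirtualHost context a RewriteRule runs at URI-translation time,
    # before the authentication phase, so no password prompt is sent
    # over plain HTTP (inside <Directory> it would run after auth).
    RewriteRule ^/panel(/.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
    <Directory "/svr/www/htdocs/panel">
        # Do not read htdocs/panel/.htaccess on port 80 at all, and deny
        # direct access in case the redirect above is ever removed.
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

# Port 443: the only place the password prompt exists.
<VirtualHost *:443>
    ServerName server-example.org
    DocumentRoot /svr/www/htdocs
    SSLEngine on
    # Placeholder paths; mod_ssl and "Listen 443" are assumed to be set up.
    SSLCertificateFile /etc/apache2/ssl/server-example.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server-example.org.key
    <Directory "/svr/www/htdocs/panel">
        # Refuse to serve the panel over a non-SSL connection even if this
        # block is later copied into a plain-HTTP vhost.
        SSLRequireSSL
        AllowOverride None
        AuthType Basic
        AuthName "Control panel"
        # Placeholder path; keep the password file outside the DocumentRoot.
        AuthUserFile /svr/www/conf/panel.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

After `apachectl configtest` and a reload, `curl -I http://server-example.org/panel/` should return a 301 with a Location header and no WWW-Authenticate header, while the same request over https returns the 401 challenge.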