[SlugBug] Restricting HTTP in just one directory (followup from another discussion cut short!)

James Wallbank james at lowtech.org
Thu Jan 26 17:37:30 GMT 2006


Hello All,

I have a problem with the details of restricting http access to a CMS 
control panel on an apache webserver.

I posted this question on another (nearby) Linux User Group mailing list 
recently, but unfortunately it seems as if their listserv has gone belly 
up, and I'd like to address this problem ASAP... So please forgive me 
that the story is somewhat involved...

Here's the story so far...

I have a website with a CMS. The domain is on an apache server and is 
accessible by both http (port 80) and https (port 443). One directory 
"htdocs/panel/" contains a control panel, protected by .htpasswd 
usernames and passwords.

I'd like to stop access to this directory on port 80 - so people can 
view the rest of the website WITHOUT having to use https, but people 
using the control panel HAVE TO use https.

Thus, the theory goes, naughty people can't listen in on the 
username/password interactions and mess about with the control panel.

My original questions were thus...

* Should I limit port 80 access using a <Directory> block in 
vhosts.conf? How?
OR
* Should I limit port 80 access using directives in .htaccess? How?
OR
* Are neither of these approaches correct? In which case, what approach 
should I take?

Simple enough!

I got a very helpful reply which suggested that I should doctor 
vhosts.conf thus:

<Directory "/svr/www/htdocs/panel">
         RewriteEngine on
         Options +FollowSymLinks
         Order allow,deny
         Allow from all
         RewriteCond %{SERVER_PORT} !^443$
         RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</Directory>

This works really well... BUT there's still a security hole!

If someone hits http://server-example.org/panel in an attempt to access 
the control panel, then the first thing that happens is that .htaccess 
asks for the username and password via plain HTTP.

Put the right details in the box, and press go, and the plaintext 
username and password are returned by plain HTTP - exactly the thing I 
want to avoid!

Once that's done, of course, THEN .htaccess asks for the username and 
password AGAIN - this time via HTTPS - which is what we want.

Clearly, I can design the site to encourage people not to hit the panel 
directory directly via http, by, for example, giving the https-only 
control panel directory a cryptic name, and making a file 
http://server-example.org/panel/index.php which redirects to 
https://server-example.org/panel-with-a-cryptic-name/index.php

However, this seems messy and annoying - and it doesn't fill the 
security hole completely, it just makes it unlikely that the "data leak" 
condition ever happens.

So, here's my followup question...

* Is there a way I can get .htaccess to stay silent and NOT ask for 
username and password UNLESS it's hit by https...
OR
* Should I use a different approach to make sure the communications with 
the panel are encrypted?

Best Regards,

James
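What follows is an added example, not part of James's post or of the reply he quotes. It assumes a name-based virtual host pair for server-example.org on ports 80 and 443, the DocumentRoot /svr/www/htdocs from the quoted config, and an htpasswd file at /svr/www/.htpasswd (assumed path; the panel/.htaccess in the post would hold the same Auth* directives). The leak he describes follows from Apache's request phases: a RewriteRule inside a <Directory> block or .htaccess is applied in the fixup phase, which comes after authentication, so the 401 challenge goes out over plain HTTP before the redirect is ever evaluated. The fix is to make sure no authentication directive applies on the port-80 side at all, and to redirect there with a directive that runs before authentication.

```apache
# Added example, not the original poster's config. Paths marked "assumed"
# are illustrative.

# --- Weak (as quoted in the post) ------------------------------------------
# Per-directory RewriteRules run in the fixup phase, *after* the
# authentication phase, so a plain-HTTP request for /panel/ is answered
# with 401 + WWW-Authenticate first; the browser then sends the Basic
# credentials in clear text, and only afterwards is the redirect applied.
#
# <Directory "/svr/www/htdocs/panel">
#     AuthType Basic
#     AuthName "Control panel"
#     AuthUserFile /svr/www/.htpasswd
#     Require valid-user
#     RewriteEngine on
#     RewriteCond %{SERVER_PORT} !^443$
#     RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
# </Directory>

# --- Corrected: keep every Auth* directive off the port-80 vhost -----------
<VirtualHost *:80>
    ServerName   server-example.org
    DocumentRoot /svr/www/htdocs

    # mod_alias Redirect is evaluated in the URL translation phase, before
    # any authentication can run, so /panel is bounced to https without a
    # challenge. No AuthType/Require exists for /panel on this vhost.
    Redirect permanent /panel https://server-example.org/panel

    <Directory "/svr/www/htdocs/panel">
        # Make sure a panel/.htaccess carrying Auth* directives cannot be
        # picked up here; remove that file once the directives live below.
        AllowOverride None
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName   server-example.org
    DocumentRoot /svr/www/htdocs
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server-example.org.crt   # assumed
    SSLCertificateKeyFile /etc/apache2/ssl/server-example.org.key   # assumed

    <Directory "/svr/www/htdocs/panel">
        # Backstop: SSLRequireSSL is enforced in the access-check phase,
        # which precedes authentication, so if this block were ever copied
        # into a non-SSL vhost the answer is 403, never a 401 challenge.
        SSLRequireSSL
        AuthType     Basic
        AuthName     "Control panel"
        AuthUserFile /svr/www/.htpasswd                             # assumed
        Require      valid-user
    </Directory>
</VirtualHost>
```

To verify the change, request the panel on each port with headers only: `curl -sI http://server-example.org/panel/` should return a 301 with a Location pointing at https and no WWW-Authenticate header, while `curl -sI https://server-example.org/panel/` should return the 401 challenge. If the plain-HTTP response still carries WWW-Authenticate, an Auth* directive (typically in panel/.htaccess) is still being applied on the port-80 side.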