[SlugBug] Restricting HTTP in just one directory (followup from
another discussion cut short!)
Chris
chris at slugbug.org.uk
Thu Jan 26 17:53:04 GMT 2006
Hi
On Thu 26-Jan-2006 at 05:37:30PM +0000, James Wallbank wrote:
>
> I have a website with a CMS. The domain is on an apache server and is
> accessible by both http (port 80) and https (port 443). One directory
> "htdocs/panel/" contains a control panel, protected by .htpasswd
> usernames and passwords.
>
> I'd like to stop access to this directory on port 80 - so people can
> view the rest of the website WITHOUT having to use https, but people
> using the control panel HAVE TO use https.
The simple way (and using mod_rewrite is never a simply way ;-) is
simply a Redirect for the port 80 VirtualHost, eg:
Redirect /panel/ https://www.example.org/panel/
> So, here's my followup question...
>
> * Is there a way I can get .htaccess to stay silent and NOT ask for
> username and password UNLESS it's hit by https...
> OR
> * Should I use a different approach to make sure the communications with
> the panel are encrypted?
The Redirect should do the trick, though if you want to put this in a
.htaccess file rather than the actual Apache config file then it's more
complicated -- you would need to check in the env var HTTPS has the
value "on" and if so don't redirect and it the env var doesn't exist
then do the redirect.
Chris
More information about the SlugBug
mailing list