[SlugBug] Restricting HTTP in just one directory (followup from
another discussion cut short!)
James Wallbank
james at lowtech.org
Thu Jan 26 19:08:42 GMT 2006
Hello Chris,
Thanks for the advice...
I'm not sure _exactly_ what you're recommending, but I had a go...
I left the <Directory> block that uses mod_rewrite intact, in vhosts.conf.
I have added the Redirect line you described to vhosts.conf, inside the
<VirtualHost> block, but outside the <Directory> block.
httpd didn't seem to choke when I reloaded the configuration file, but
exactly the same behaviour is exhibited - if I hit the panel on port 80,
htaccess prompts me for a username and password BEFORE redirecting me to
port 443.
I guess the problem is that Apache deals with .htaccess BEFORE it thinks
about redirection.
Does this make sense? Have I entirely misunderstood your recommendation?
Thanks for your help.
James
=====
Chris wrote:
> Hi
>
> On Thu 26-Jan-2006 at 05:37:30PM +0000, James Wallbank wrote:
>
>>I have a website with a CMS. The domain is on an apache server and is
>>accessible by both http (port 80) and https (port 443). One directory
>>"htdocs/panel/" contains a control panel, protected by .htpasswd
>>usernames and passwords.
>>
>>I'd like to stop access to this directory on port 80 - so people can
>>view the rest of the website WITHOUT having to use https, but people
>>using the control panel HAVE TO use https.
>
>
> The simple way (and using mod_rewrite is never a simple way ;-) is
> simply a Redirect for the port 80 VirtualHost, eg:
>
> Redirect /panel/ https://www.example.org/panel/
>
>
>>So, here's my followup question...
>>
>>* Is there a way I can get .htaccess to stay silent and NOT ask for
>>username and password UNLESS it's hit by https...
>>OR
>>* Should I use a different approach to make sure the communications with
>>the panel are encrypted?
>
>
> The Redirect should do the trick, though if you want to put this in a
> .htaccess file rather than the actual Apache config file then it's more
> complicated -- you would need to check if the env var HTTPS has the
> value "on" and if so don't redirect and if the env var doesn't exist
> then do the redirect.
>
> Chris
>
>
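One layout that keeps the password prompt off port 80, as an added example that is not part of the original thread: the port 80 vhost only redirects /panel/, and the directory itself refuses non-TLS requests before any credentials are asked for. The filesystem paths, certificate files and realm name are assumptions; the hostname is the example.org placeholder used in the thread.

```apache
# Added example; paths, certificate files and realm name are placeholders.

# Port 80: public site over plain HTTP, but /panel/ is only ever redirected.
# A Redirect at vhost level is applied by mod_alias while the URL is being
# mapped, before any access or authentication check runs.
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www/htdocs
    Redirect permanent /panel/ https://www.example.org/panel/
</VirtualHost>

# Port 443: same content, served over TLS.
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/htdocs
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/example.org.key
</VirtualHost>

# Server-level block, so it applies to the directory under both vhosts.
<Directory /var/www/htdocs/panel>
    # Refuse any non-TLS request outright (403) instead of prompting,
    # so a missing or mistyped Redirect fails closed.
    SSLRequireSSL

    # Authentication directives moved here from .htaccess.
    AuthType Basic
    AuthName "Control panel"
    AuthUserFile /etc/apache2/panel.htpasswd
    Require valid-user

    # Ignore any .htaccess left in the directory so it cannot override this.
    AllowOverride None
</Directory>
```

A request for http://www.example.org/panel/ should then return a 301 with a Location header on port 443 and never a 401 challenge.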