[SlugBug] Restricting HTTP in just one directory (followup from another discussion cut short!)

James Wallbank james at lowtech.org
Thu Jan 26 19:08:42 GMT 2006


Hello Chris,

Thanks for the advice...

I'm not sure _exactly_ what you're recommending, but I had a go...

I left the <Directory> block that uses mod_rewrite intact, in vhosts.conf.

I have added the Redirect line you described to vhosts.conf, inside the 
<VirtualHost> block, but outside the <Directory> block.

httpd didn't seem to choke when I reloaded the configuration file, but 
exactly the same behaviour is exhibited - if I hit the panel on port 80, 
htaccess prompts me for a username and password BEFORE redirecting me to 
port 443.

I guess the problem is that Apache deals with .htaccess BEFORE it thinks 
about redirection.

Does this make sense? Have I entirely misunderstood your recommendation?

Thanks for your help.

James
=====

Chris wrote:
> Hi
> 
> On Thu 26-Jan-2006 at 05:37:30PM +0000, James Wallbank wrote:
> 
>>I have a website with a CMS. The domain is on an apache server and is
>>accessible by both http (port 80) and https (port 443). One directory
>>"htdocs/panel/" contains a control panel, protected by .htpasswd
>>usernames and passwords.
>>
>>I'd like to stop access to this directory on port 80 - so people can
>>view the rest of the website WITHOUT having to use https, but people
>>using the control panel HAVE TO use https.
> 
> 
> The simple way (and using mod_rewrite is never a simple way ;-) is
> simply a Redirect for the port 80 VirtualHost, eg:
> 
>   Redirect /panel/ https://www.example.org/panel/ 
> 
> 
>>So, here's my followup question...
>>
>>* Is there a way I can get .htaccess to stay silent and NOT ask for 
>>username and password UNLESS it's hit by https...
>>OR
>>* Should I use a different approach to make sure the communications with 
>>the panel are encrypted?
> 
> 
> The Redirect should do the trick, though if you want to put this in a
> .htaccess file rather than the actual Apache config file then it's more
> complicated -- you would need to check if the env var HTTPS has the
> value "on" and if so don't redirect and if the env var doesn't exist
> then do the redirect.
> 
> Chris
> 
> _______________________________________________
> SlugBug mailing list
> SlugBug at email-lists.org
> https://www.email-lists.org/mailman/listinfo/slugbug
> 
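
Added example (not part of the original messages): a small Python check for the symptom described above, where /panel/ answers on port 80 with a password prompt instead of redirecting to https first. The status-code policy, the sample responses and the function names are assumptions made for this illustration.

```python
import http.client
import sys
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def classify(status, headers, path="/panel/"):
    """Judge one plain-HTTP response for a path that must be HTTPS-only."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 or "www-authenticate" in h:
        return "FAIL", "auth challenge on port 80: password would cross in cleartext"
    if status in REDIRECTS:
        loc = urlsplit(h.get("location", ""))
        if loc.scheme == "https" and loc.path.startswith(path):
            return "OK", "redirected to https before any auth challenge"
        return "FAIL", "redirect does not point at https under " + path
    if status in (403, 404):
        return "OK", "refused on port 80 without an auth challenge"
    return "FAIL", "unexpected status %d on port 80" % status

def probe(host, path="/panel/", port=80, timeout=5):
    """Send one GET over plain HTTP (redirects are not followed) and classify it."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()), path)
    finally:
        conn.close()

# Constructed sample responses, not captured from any real server.
SAMPLES = {
    "prompt before redirect": (401, {"WWW-Authenticate": 'Basic realm="panel"'}),
    "redirect first": (302, {"Location": "https://www.example.org/panel/"}),
    "redirect stays on http": (302, {"Location": "http://www.example.org/panel/"}),
}

def run_samples():
    """Classify the constructed samples; returns {name: verdict}."""
    return {name: classify(s, h)[0] for name, (s, h) in SAMPLES.items()}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))          # e.g. python check.py www.example.org
    else:
        for name, verdict in run_samples().items():
            print(verdict, name)
```

Run it with a hostname after each configuration reload; a FAIL on the first sample's pattern means the password prompt is still being issued on port 80.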

