Why not use <a href="http://drupal.org/project/securesite">http://drupal.org/project/securesite</a> ?<br clear="all">-----<br>Cameron Eagans<br>Owner, Black Storms Studios, LLC<br><a href="http://www.blackstormsstudios.com">http://www.blackstormsstudios.com</a><br>
<br><br><div class="gmail_quote">On Fri, Oct 2, 2009 at 5:58 AM, Philip Mather <span dir="ltr"><<a href="mailto:phil@philipmather.me.uk">phil@philipmather.me.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Afternoon,<br> I'm the paranoid type and so after installing and setting up my lovely new drupal site I decided that, with all due respect, I'd feel much more comfortable restricting access to the /admin section with an apache password prompt. I'm sure you've done a very good job and adhered to best practices and got it all implemented right but unfortunately my day job involves on-line casinos and lots of other peoples money and hence I am a fully signed-up, card-carrying member of the tin-foil hat wearing security brigade ;^)<br>
Anyway, I looked about and couldn't find anyone who'd implemented this, not on google or this list so I thought I'd share it with you so that I could get some more eyes over it and in case you wanted to add it to you apache config somewhere..<br>
<br>"<br> RewriteEngine on<br> RewriteCond %{QUERY_STRING} q=admin [NC,OR]<br> RewriteCond %{REQUEST_URI} ^/admin$ [NC]<br> RewriteRule (.*) $1 [E=admin_request:1]<br><br> <Files *><br> Order Deny,Allow<br>
Deny from env=admin_request<br><br> AuthName "Drupal Admin"<br> AuthType Basic<br> AuthUserFile /somepath/somewhere/apache.htdigest.user<br><br> Require user philip.mather<br>
Satisfy any<br> </Files><br>"<br><br>...it's not the most trivial of things to implement unless you've used mod_rewrite a fair bit, you'll also need mod_env as well, and perhaps others about to request such a feature will find this before posting. Appologies if this is a repeat or considered off-topic. It should and does (from my testing anyway) catch both the elegant and full URL forms. If anyone spots any problems with it let me know and feel free to re-use it but obviously there's no warranty what-so-ever, you could probably adapt the same to restrict other pages as well I guess.<br clear="all">
<font color="#888888">
<br>-- <br>Regards,<br> Phil<br>
</font></blockquote></div><br>