[development] Apache restriction for admin interface...

Philip Mather phil at philipmather.me.uk
Fri Oct 2 11:58:40 UTC 2009


Afternoon,
   I'm the paranoid type and so after installing and setting up my lovely
new drupal site I decided that, with all due respect, I'd feel much more
comfortable restricting access to the /admin section with an apache password
prompt. I'm sure you've done a very good job and adhered to best practices
and got it all implemented right but unfortunately my day job involves
on-line casinos and lots of other people's money and hence I am a fully
signed-up, card-carrying member of the tin-foil hat wearing security brigade
;^)
   Anyway, I looked about and couldn't find anyone who'd implemented this,
not on google or this list so I thought I'd share it with you so that I
could get some more eyes over it and in case you wanted to add it to your
apache config somewhere..

"
    # mod_rewrite flags admin requests by setting an environment variable;
    # the (.*) $1 rule rewrites the URL to itself and exists only to carry
    # the E= flag.
    RewriteEngine on
    # full URL form: index.php?q=admin, ?q=admin/content, ...
    RewriteCond %{QUERY_STRING} q=admin [NC,OR]
    # clean URL form: /admin and anything below it (/admin/content, ...)
    RewriteCond %{REQUEST_URI} ^/admin(/|$) [NC]
    RewriteRule  (.*) $1 [E=admin_request:1]

    <Files *>
        # deny every flagged request ...
        Order Deny,Allow
        Deny from env=admin_request

        # ... unless HTTP Basic auth succeeds. AuthType Basic reads an
        # htpasswd-format file; a file written by htdigest will not work here.
        AuthName "Drupal Admin"
        AuthType Basic
        AuthUserFile /somepath/somewhere/apache.htdigest.user

        Require user philip.mather
        # Satisfy any: passing either the access check or the auth check is enough
        Satisfy any
    </Files>
"

...it's not the most trivial of things to implement unless you've used
mod_rewrite a fair bit, and you'll also need mod_env. Perhaps others
about to request such a feature will find this before posting. Apologies if
this is a repeat or considered off-topic. It should and does (from my
testing anyway) catch both the elegant and full URL forms. If anyone spots
any problems with it let me know and feel free to re-use it, but obviously
there's no warranty whatsoever; you could probably adapt the same to
restrict other pages as well, I guess.

-- 
Regards,
  Phil
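An added example, not part of Phil's post and not code from the Drupal project: it models the two RewriteCond lines and the <Files *> access logic with Python's re module so the URL forms can be checked offline, without an Apache instance. It applies the patterns to the request exactly as the browser sent it (path as %{REQUEST_URI}, raw query as %{QUERY_STRING}, [NC] as re.IGNORECASE); the sample URLs are constructed, and the `^/admin(/|$)` variant is my own addition alongside the posted `^/admin$` anchor, included to show the difference on admin sub-pages.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the posted RewriteCond lines. Apache's [NC] flag maps
# to re.IGNORECASE. Python's re is close enough to PCRE for patterns this simple.
QUERY_COND = re.compile(r"q=admin", re.IGNORECASE)        # %{QUERY_STRING}
URI_COND_POSTED = re.compile(r"^/admin$", re.IGNORECASE)  # %{REQUEST_URI}
# Variant (added here, not from the post) that also covers paths below /admin.
URI_COND_SUBPATHS = re.compile(r"^/admin(/|$)", re.IGNORECASE)


def apache_vars(url):
    """Split a request URL the way mod_rewrite exposes it: %{REQUEST_URI} is
    the path with no query string, %{QUERY_STRING} is the raw query part."""
    parts = urlsplit(url)
    return parts.path or "/", parts.query


def is_admin_request(url, uri_cond=URI_COND_POSTED):
    """True when the RewriteCond chain fires (query cond OR uri cond), i.e.
    when the RewriteRule would set admin_request=1 for this request."""
    request_uri, query_string = apache_vars(url)
    return bool(QUERY_COND.search(query_string) or uri_cond.search(request_uri))


def access_decision(url, basic_auth_ok, uri_cond=URI_COND_POSTED):
    """Model the <Files *> block: 'Deny from env=admin_request' denies flagged
    requests, but 'Satisfy any' lets a successful 'Require user' override the
    denial. Unflagged requests never see a password prompt."""
    if not is_admin_request(url, uri_cond):
        return "allow"
    return "allow" if basic_auth_ok else "challenge"  # 401 + WWW-Authenticate


# Constructed sample requests, not taken from any real server log.
SAMPLE_URLS = [
    "/admin",                          # clean URL form
    "/Admin",                          # case differs: [NC] still catches it
    "/?q=admin",                       # full URL form
    "/index.php?q=admin/content",      # full URL form, admin sub-page
    "/index.php?page=2&q=admin",       # q= is not the first parameter
    "/admin/content",                  # clean URL form of an admin sub-page
    "/node/1",                         # ordinary page
    "/?q=user/login",                  # ordinary page, full URL form
]


def classify(urls=SAMPLE_URLS):
    """Return {url: (flagged by the posted rules, flagged with the sub-path variant)}."""
    return {u: (is_admin_request(u), is_admin_request(u, URI_COND_SUBPATHS))
            for u in urls}


if __name__ == "__main__":
    for url, (posted, subpaths) in classify().items():
        print(f"{url:32} posted={posted!s:5} subpaths={subpaths}")
```

Run it and the only row where the two columns differ is /admin/content: the posted `^/admin$` anchor sees a path that is not exactly /admin and an empty query string. Whether Drupal's own clean-URL rewrite in .htaccess (which turns /admin/content into index.php?q=admin/content internally) also makes the q= condition fire depends on where in the configuration these rules sit, so anchoring on `^/admin(/|$)` is the safer choice either way. Over-matching is harmless here, since a flagged request only means a password prompt.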