[development] Apache restriction for admin interface...

Cameron Eagans cweagans at gmail.com
Fri Oct 2 12:02:31 UTC 2009


Why not use http://drupal.org/project/securesite  ?
-----
Cameron Eagans
Owner, Black Storms Studios, LLC
http://www.blackstormsstudios.com


On Fri, Oct 2, 2009 at 5:58 AM, Philip Mather <phil at philipmather.me.uk> wrote:

> Afternoon,
>    I'm the paranoid type and so after installing and setting up my lovely
> new drupal site I decided that, with all due respect, I'd feel much more
> comfortable restricting access to the /admin section with an apache password
> prompt. I'm sure you've done a very good job and adhered to best practices
> and got it all implemented right but unfortunately my day job involves
> on-line casinos and lots of other people's money and hence I am a fully
> signed-up, card-carrying member of the tin-foil hat wearing security brigade
> ;^)
>    Anyway, I looked about and couldn't find anyone who'd implemented this,
> not on google or this list so I thought I'd share it with you so that I
> could get some more eyes over it and in case you wanted to add it to your
> apache config somewhere..
>
> "
>     RewriteEngine on
>     RewriteCond %{QUERY_STRING} q=admin [NC,OR]
>     RewriteCond %{REQUEST_URI} ^/admin$ [NC]
>     RewriteRule  (.*) $1 [E=admin_request:1]
>
>     <Files *>
>         Order Deny,Allow
>         Deny from env=admin_request
>
>         AuthName "Drupal Admin"
>         AuthType Basic
>         AuthUserFile /somepath/somewhere/apache.htdigest.user
>
>         Require user philip.mather
>         Satisfy any
>     </Files>
> "
>
> ...it's not the most trivial of things to implement unless you've used
> mod_rewrite a fair bit, you'll also need mod_env as well, and perhaps others
> about to request such a feature will find this before posting. Apologies if
> this is a repeat or considered off-topic. It should and does (from my
> testing anyway) catch both the elegant and full URL forms. If anyone spots
> any problems with it let me know and feel free to re-use it but obviously
> there's no warranty whatsoever, you could probably adapt the same to
> restrict other pages as well I guess.
>
> --
> Regards,
>   Phil
>
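
A way to check which request forms the two RewriteCond patterns in the quoted config flag before relying on them, added here as an example and not part of either message. It models only the two regexes (with [NC] as case-insensitive matching), not Apache's processing order or Drupal's own clean-URL rewrite to index.php?q=..., and the sample requests are constructed.

```python
import re

# The two RewriteCond patterns from the quoted config; [NC] maps to re.IGNORECASE.
QUERY_COND = re.compile(r"q=admin", re.IGNORECASE)  # tested against %{QUERY_STRING}
URI_COND = re.compile(r"^/admin$", re.IGNORECASE)   # tested against %{REQUEST_URI}


def sets_admin_request(uri, query=""):
    """True if either condition ([OR]) matches, i.e. admin_request would be set.

    Assumption: only the regexes are modelled; internal rewrites are not simulated.
    """
    return bool(QUERY_COND.search(query) or URI_COND.search(uri))


# Constructed sample requests: (REQUEST_URI, QUERY_STRING, note)
SAMPLES = [
    ("/admin", "", "clean URL, exact path"),
    ("/ADMIN", "", "case variant, covered by [NC]"),
    ("/index.php", "q=admin", "full URL form"),
    ("/index.php", "q=admin/settings", "full URL form, sub-page"),
    ("/admin/settings", "", "clean sub-page: only caught once rewritten to ?q="),
    ("/admin/", "", "trailing slash: only caught once rewritten to ?q="),
    ("/index.php", "q=node/1", "ordinary page"),
    ("/search", "faq=administration", "over-match: pattern is an unanchored substring"),
]


def report(samples=SAMPLES):
    """Evaluate every sample and return (uri, query, flagged) tuples."""
    return [(uri, query, sets_admin_request(uri, query)) for uri, query, _ in samples]


if __name__ == "__main__":
    for (uri, query, flagged), (_, _, note) in zip(report(), SAMPLES):
        target = uri + ("?" + query if query else "")
        print(f"{'PROMPT' if flagged else 'open  '}  {target:<32} {note}")
```

Rows marked as depending on the rewrite to ?q= are the ones to confirm against the live server, since this model cannot tell whether the condition is re-evaluated after Drupal's rewrite.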