• Status: Solved

Securing part of a Drupal site with .htaccess/.htpasswd

Hello Experts,

I have a Drupal site that is set up with friendly urls. The customer would like to add an extra layer of protection and secure any page that has /admin in it with basic authentication through Apache (.htaccess/.htpasswd).  

So what I've done so far is set up a /admin folder and placed a .htaccess file in there with the contents:

AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Admin Login"
Require valid-user

rewriteengine on
RewriteRule ^(.*)$ /index.php?q=/admin/$1 [L,QSA]

This works just fine. You go anywhere in /admin/* and it prompts for a login through Apache.

However, if you modify the url to Drupal's typical page call model:

http://localhost/admin/user/user/list 
say to:  
http://localhost/index.php?q=/admin/user/user/list

You don't get prompted for the login, which is obvious because you're never taken into the /admin folder. Any thoughts on how I could secure the direct call to index.php as well?

Thanks,
Pete

Asked by: upandrun3
 
Maciej S (sysadmin) Commented:
Try securesite module (http://drupal.org/project/securesite).
 
upandrun3 (Author) Commented:
Hi Oklit,

Thanks for the posting, however, my customer was looking for a solution that was completely independent of Drupal. I was thinking Apache would be a logical choice with its authentication system. Any other thoughts or something that is strictly an Apache-based solution?

Thanks,
Pete
 
letharion Commented:
I'm familiar with Drupal, not very much so with Apache, but couldn't

rewriteengine on
RewriteRule ^(.*)$ /index.php?q=/admin/$1 [L,QSA]

be copied into something like,

rewriteengine on
RewriteRule ^(.*)$ /index.php/admin/$1 [L,QSA]

and then you'd have two rules, one for clean urls, and with.
You could also completely disable clean urls in Drupal, either "soft" in Drupal settings, or "hard" by removing the rewrite rule that creates the clean urls. (.htaccess in the Drupal base folder)
Keep in mind that if you alter the .htaccess file, and upgrade Drupal core, you risk overwriting the .htaccess with a new one that does allow clean urls again.

 
RobertPope Commented:
Hey - install the global redirects module - it forces all URLs to go to the best "clean" version.  Should take care of you.

http://localhost/index.php?q=/admin/user/user/list  would be redirected to the clean equivalent

Robert
 
RobertPope Commented:
The module's URL is here

http://drupal.org/project/globalredirect
 
upandrun3 (Author) Commented:
Hi RobertPope,

I'm looking into this. If this can stop unclean urls from working, then my htaccess hack will work and not be bypassed, which would solve the issue. I'm trying this now.

Thanks,
Pete
 
RobertPope Commented:
Thanks - curious to know how it turns out.  Just out of curiosity what happens if you just go to /admin with your hack?  I'd imagine you'd get a forbidden error or something?
 
upandrun3 (Author) Commented:
Using his solution and my original .htaccess file changes, I got the behavior I wanted.  

When going to /admin, it does produce a forbidden error though.
Question has a verified solution.
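
An added example, not part of the original thread: a log check for verifying that no request reaches a Drupal /admin route without an Apache Basic-auth user, covering both the clean URL and the index.php?q= form discussed above. It assumes Apache's Combined Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache Combined Log Format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '127.0.0.1 - pete [01/Jan/2024:10:00:00 +0000] "GET /admin/user/user/list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /admin/user/user/list HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?q=/admin/user/user/list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?q=node/1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Jan/2024:10:00:20 +0000] "GET /index.php?q=/admin/user HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
]

def drupal_route(target):
    """Return the internal path Drupal routes on, for either URL form."""
    parts = urlsplit(target)
    if parts.path in ("/", "/index.php"):
        # Non-clean form: the route travels in the q parameter.
        # parse_qs percent-decodes it; the last q wins, as in PHP's $_GET.
        route = parse_qs(parts.query).get("q", [""])[-1]
    else:
        route = unquote(parts.path)
    return route.strip("/")

def is_admin(route):
    return route == "admin" or route.startswith("admin/")

def unauthenticated_admin_hits(lines):
    """Return (host, target, status) for admin routes answered without an Apache user."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_admin(drupal_route(m["target"])):
            continue
        # "-" in the user field means no Basic-auth identity was established.
        # 401 is Apache's own challenge and 3xx is a redirect, so neither served the page.
        if m["user"] == "-" and m["status"] != "401" and not m["status"].startswith("3"):
            hits.append((m["host"], m["target"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in unauthenticated_admin_hits(SAMPLE_LOG):
        print(hit)
```

On the sample, only the index.php?q=/admin/... request answered with 200 is reported; the redirected request (the behaviour expected once Global Redirect is installed) is not.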
