Securing part of a Drupal site with .htaccess/.htpasswd

Hello Experts,

I have a Drupal site that is set up with friendly urls. The customer would like to add an extra layer of protection and secure any page that has /admin in it with basic authentication through Apache (.htaccess/.htpasswd).  

So what I've done so far is set up a /admin folder and placed a .htaccess file in there with the contents:

AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Admin Login"
Require valid-user

rewriteengine on
RewriteRule ^(.*)$ /index.php?q=/admin/$1 [L,QSA]

This works just fine. You go anywhere in /admin/* and it prompts for a login through Apache.

However, if you modify the url to Drupal's typical page call model:

http://localhost/admin/user/user/list 
say to:  
http://localhost/index.php?q=/admin/user/user/list

You don't get prompted for the login, which is obvious because you're never taken into the /admin folder. Any thoughts on how I could secure the direct call to index.php as well?

Thanks,
Pete

upandrun3 Asked:

Maciej S sysadmin Commented:
Try securesite module (http://drupal.org/project/securesite).
0
upandrun3 Author Commented:
Hi Oklit,

Thanks for the posting, however, my customer was looking for a solution that was completely independent of Drupal. I was thinking Apache would be a logical choice with its authentication system. Any other thoughts or something that is strictly an Apache-based solution?

Thanks,
Pete
0
letharion Commented:
I'm familiar with drupal, not very much so with apache, but couldn't

rewriteengine on
RewriteRule ^(.*)$ /index.php?q=/admin/$1 [L,QSA]

be copied into something like,

rewriteengine on
RewriteRule ^(.*)$ /index.php/admin/$1 [L,QSA]

and then you'd have two rules, one for clean urls, and with.
You could also completely disable clean urls in Drupal, either "soft" in Drupal settings, or "hard" by removing the rewrite rule that creates the clean urls. (.htaccess in the drupal base folder)
Keep in mind that if you alter the .htaccess file, and upgrade Drupal core, you risk overwriting the .htaccess with a new one that does allow clean urls again.
0
RobertPope Commented:
Hey - install the global redirects module - it forces all URLs to go to the best "clean" version. Should take care of you.

http://localhost/index.php?q=/admin/user/user/list  would be redirected to the clean equivalent

Robert
0
RobertPope Commented:
The module's URL is here

http://drupal.org/project/globalredirect
0

upandrun3 Author Commented:
Hi RobertPope,

I'm looking into this. If this can stop unclean urls from working, then my htaccess hack will work and not be bypassed, which would solve the issue. I'm trying this now.

Thanks,
Pete
0
RobertPope Commented:
Thanks - curious to know how it turns out.  Just out of curiosity what happens if you just go to /admin with your hack?  I'd imagine you'd get a forbidden error or something?
0
upandrun3 Author Commented:
Using his solution and my original .htaccess file changes, I got the behavior I wanted.  

When going to /admin, it does produce a forbidden error though.
0
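
An Apache-only way to cover both URL forms from the question, as an added example that is not from any post in this thread: the check moves out of the /admin folder into the .htaccess beside index.php and keys on the request itself. It assumes Apache 2.4 or later (for `<If>` and its expression functions) and that `AllowOverride` permits authentication directives; the two patterns are written for this example.

```apache
# Added example (assumptions: Apache 2.4+, placed in the .htaccess that sits
# beside Drupal's index.php, AllowOverride permits AuthConfig).
# It replaces the separate /admin folder and its .htaccess from the question.

# Same realm and password file as the original post.
AuthType Basic
AuthName "Admin Login"
AuthUserFile /path/to/.htpasswd

# Clean-URL form: /admin and /admin/...
# REQUEST_URI is the path of the request as received; authorization is
# checked before Drupal's per-directory rewrite to index.php is applied.
<If "%{REQUEST_URI} =~ m#^/+admin(/|$)#i">
    Require valid-user
</If>

# Query-string form: /index.php?q=admin/... and /index.php?q=/admin/...
# The match runs on the unescaped query string so that a percent-encoded
# q value is treated the same as a plain one. unescape() leaves encoded
# slashes (%2f) alone, so the pattern accepts them explicitly.
# The i flag makes both matches case-insensitive.
<If "unescape(%{QUERY_STRING}) =~ m#(^|&)q=(/|%2f)*admin(/|%2f|&|$)#i">
    Require valid-user
</If>

# Requests that match neither block carry no Require directive and are
# served without a password prompt, as before.
```

After deploying, request both `http://localhost/admin/user/user/list` and `http://localhost/index.php?q=/admin/user/user/list` without credentials and confirm each returns 401.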