Why not use http://drupal.org/project/securesite ?

-----
Cameron Eagans
Owner, Black Storms Studios, LLC
http://www.blackstormsstudios.com

On Fri, Oct 2, 2009 at 5:58 AM, Philip Mather <[email protected]> wrote:

> Afternoon,
> I'm the paranoid type and so after installing and setting up my lovely
> new drupal site I decided that, with all due respect, I'd feel much more
> comfortable restricting access to the /admin section with an apache password
> prompt. I'm sure you've done a very good job and adhered to best practices
> and got it all implemented right but unfortunately my day job involves
> on-line casinos and lots of other people's money and hence I am a fully
> signed-up, card-carrying member of the tin-foil hat wearing security brigade
> ;^)
> Anyway, I looked about and couldn't find anyone who'd implemented this,
> not on google or this list so I thought I'd share it with you so that I
> could get some more eyes over it and in case you wanted to add it to your
> apache config somewhere..
>
> "
> RewriteEngine on
> RewriteCond %{QUERY_STRING} q=admin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/admin$ [NC]
> RewriteRule (.*) $1 [E=admin_request:1]
>
> <Files *>
> Order Deny,Allow
> Deny from env=admin_request
>
> AuthName "Drupal Admin"
> AuthType Basic
> AuthUserFile /somepath/somewhere/apache.htdigest.user
>
> Require user philip.mather
> Satisfy any
> </Files>
> "
>
> ...it's not the most trivial of things to implement unless you've used
> mod_rewrite a fair bit, you'll also need mod_env as well, and perhaps others
> about to request such a feature will find this before posting. Apologies if
> this is a repeat or considered off-topic. It should and does (from my
> testing anyway) catch both the elegant and full URL forms. If anyone spots
> any problems with it let me know and feel free to re-use it but obviously
> there's no warranty whatsoever, you could probably adapt the same to
> restrict other pages as well I guess.
>
> --
> Regards,
> Phil
>
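
A small model of the access decision the quoted configuration makes, added here as an example and not part of the original post or of Drupal. It evaluates the two RewriteCond patterns and the "Deny from env" / "Satisfy any" combination for a single request; the function names and the sample requests are constructed for illustration.

```python
import re

# The two RewriteCond patterns from the post; [NC] means case-insensitive.
QUERY_COND = re.compile(r"q=admin", re.IGNORECASE)   # unanchored substring match
URI_COND = re.compile(r"^/admin$", re.IGNORECASE)    # exact path match

AUTHORIZED_USERS = {"philip.mather"}  # the "Require user" line from the post


def sets_admin_request(request_uri, query_string):
    """True when the RewriteRule would set the admin_request variable."""
    # [OR] joins the two conditions, so either one is enough.
    return bool(QUERY_COND.search(query_string) or URI_COND.search(request_uri))


def response_status(request_uri, query_string, authenticated_user=None):
    """Model Order Deny,Allow + Deny from env + Satisfy any: returns 200 or 401."""
    # Host-based check: with no Allow line the default is allow, unless the
    # Deny line matches because admin_request is set.
    host_ok = not sets_admin_request(request_uri, query_string)
    # User-based check: a valid Basic login for the one required user.
    user_ok = authenticated_user in AUTHORIZED_USERS
    # "Satisfy any": passing either check grants access.
    return 200 if (host_ok or user_ok) else 401


# Constructed sample requests: (REQUEST_URI, QUERY_STRING, authenticated user)
SAMPLES = [
    ("/admin", "", None),                           # clean URL form
    ("/ADMIN", "", None),                           # [NC] makes case irrelevant
    ("/index.php", "q=admin/build/modules", None),  # full URL form
    ("/index.php", "q=admin", "philip.mather"),     # correct login
    ("/index.php", "q=admin", "someone.else"),      # valid login, wrong user
    ("/node/1", "", None),                          # ordinary page, no prompt
    ("/index.php", "faq=admin-guide", None),        # over-match: pattern is unanchored
]


def run_samples():
    """Return (uri, query, user, status) for every constructed sample."""
    return [(u, q, who, response_status(u, q, who)) for u, q, who in SAMPLES]


if __name__ == "__main__":
    for uri, query, who, status in run_samples():
        print(f"{status}  {uri}?{query}  user={who}")
```

The last sample shows that the unanchored `q=admin` pattern also prompts for any query string that merely contains that text, which errs toward asking for a password.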
