Apache restriction for admin interface...

Apache restriction for admin interface...

by Philip Mather

Afternoon,
   I'm the paranoid type and so after installing and setting up my lovely new drupal site I decided that, with all due respect, I'd feel much more comfortable restricting access to the /admin section with an apache password prompt. I'm sure you've done a very good job and adhered to best practices and got it all implemented right, but unfortunately my day job involves on-line casinos and lots of other people's money and hence I am a fully signed-up, card-carrying member of the tin-foil hat wearing security brigade ;^)
   Anyway, I looked about and couldn't find anyone who'd implemented this, not on google or this list, so I thought I'd share it with you so that I could get some more eyes over it and in case you wanted to add it to your apache config somewhere.

"
    RewriteEngine on
    # Flag a request for the admin section in both URL forms: the clean
    # /admin and /admin/... and the raw ?q=admin and ?q=admin/...
    # (anchored so that only the q parameter and the admin path are caught)
    RewriteCond %{QUERY_STRING} (^|&)q=admin(/|&|$) [NC,OR]
    RewriteCond %{REQUEST_URI} ^/admin(/|$) [NC]
    # "-" means no substitution: the rule only sets the environment variable
    RewriteRule .* - [E=admin_request:1]

    <Files *>
        Order Deny,Allow
        # Only flagged requests are denied here; all others pass the host check
        Deny from env=admin_request

        AuthName "Drupal Admin"
        AuthType Basic
        # Must be an htpasswd-format file; AuthType Basic cannot read htdigest output
        AuthUserFile /somepath/somewhere/apache.htpasswd.user

        Require user philip.mather
        # "any": a denied (admin) request still gets through with valid credentials
        Satisfy any
    </Files>
"

...it's not the most trivial of things to implement unless you've used mod_rewrite a fair bit; you'll also need mod_env as well, and perhaps others about to request such a feature will find this before posting. Apologies if this is a repeat or considered off-topic. It should and does (from my testing anyway) catch both the elegant and full URL forms. If anyone spots any problems with it let me know, and feel free to re-use it, but obviously there's no warranty whatsoever. You could probably adapt the same to restrict other pages as well, I guess.

--
Regards,
  Phil

Re: Apache restriction for admin interface...

by Cameron Eagans

Why not use http://drupal.org/project/securesite  ?
-----
Cameron Eagans
Owner, Black Storms Studios, LLC
http://www.blackstormsstudios.com

On Fri, Oct 2, 2009 at 5:58 AM, Philip Mather <phil@...> wrote:
> [...]

Re: Apache restriction for admin interface...

by Philip Mather

Date: Fri, 2 Oct 2009 06:02:31 -0600
From: Cameron Eagans <cweagans@...>
Subject: Re: [development] Apache restriction for admin interface...
To: development@...
Message-ID:
       <b83a0f600910020502j5c528760wb507a04c6d91c1c4@...>
Content-Type: text/plain; charset="iso-8859-1"

Why not use http://drupal.org/project/securesite  ?
-----
Cameron Eagans
Owner, Black Storms Studios, LLC
http://www.blackstormsstudios.com

<sigh />
<blush />
 :^)

I honestly did search high and low for something like that, I thought it was odd nobody had already done it.
Thank you!

--
Regards,
  Phil

Re: Apache restriction for admin interface...

by Greg Knaddison - GVS

On Fri, Oct 2, 2009 at 6:12 AM, Philip Mather <phil@...> wrote:
>
> <sigh />
> <blush />
>  :^)
>
> I honestly did search high and low for something like that, I thought it was
> odd nobody had already done it.
> Thank you!

I don't know that I would be so quick to blush - that ties you to
Drupal's user system which may or may not be desirable.  The Apache
basic authentication system is well known and well tested.

One benefit to the Apache technique is that you could combine it with
other requirements like "only from certain IP addresses" so that you
know that people who login have the right username, password and IP.

Regardless of whether it is useful in every case - thanks for sharing!

Regards,
Greg

--
Greg Knaddison | 303-800-5623 | http://growingventuresolutions.com
Cracking Drupal - Learn to protect your Drupal site from hackers
Now available from Wiley http://crackingdrupal.com
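As an added example (not Greg's or Philip's configuration), here is the env-flag technique from Philip's post extended with the requirement Greg describes: a request for the admin section must come from a trusted address range and carry a valid Basic-auth login, while ordinary page requests are untouched. Apache 2.2 syntax is used to match the thread. The network 192.0.2.0/24, the user name siteadmin and the htpasswd path are placeholders.

```apache
# Added example, not the configuration from the thread. Apache 2.2 syntax.
# Intended for the virtual host, not .htaccess. Network, user and path are placeholders.

RewriteEngine on

# 1. Flag a request for the admin section in both URL forms Drupal accepts:
#    clean URLs (/admin, /admin/...) and the raw form (?q=admin, ?q=admin/...).
#    The anchors keep unrelated parameters and longer paths from being flagged.
RewriteCond %{REQUEST_URI}  ^/admin(/|$)          [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)q=admin(/|&|$)   [NC]
RewriteRule .* - [E=admin_request:1]

# 2. Greg's addition: a flagged request from outside the trusted network is
#    answered with a plain 403 before any password prompt is offered.
#    %{ENV:...} can read a variable set by an earlier rule in the same pass.
RewriteCond %{ENV:admin_request} =1
RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.[0-9]+$
RewriteRule .* - [F]

# 3. Flagged requests that pass step 2 must present valid credentials.
#    Non-admin requests are never denied here, so "Satisfy any" lets them
#    through without a prompt.
<Files *>
    Order Deny,Allow
    Deny from env=admin_request

    AuthName "Drupal Admin"
    AuthType Basic
    # Created with htpasswd; a file produced by htdigest does not work with Basic.
    AuthUserFile /etc/apache2/drupal-admin.htpasswd
    Require user siteadmin
    Satisfy any
</Files>
```

Keep the block in the virtual host rather than in Drupal's .htaccess: per-directory rewriting runs after the access check, and Drupal's own clean-URL rewrite to index.php triggers an internal redirect after which mod_rewrite exposes the flag only as REDIRECT_admin_request, so a .htaccess placement can leave the admin section unprotected while appearing to work. On Apache 2.4 the Order, Deny and Satisfy directives come from mod_access_compat; the native equivalent is a RequireAll block combining Require ip with Require user.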

Re: Apache restriction for admin interface...

by Jennifer Hodgdon

Philip Mather wrote:
> Afternoon,
>    I'm the paranoid type and so after installing and setting up my lovely
> new drupal site I decided that, with all due respect, I'd feel much more
> comfortable restricting access to the /admin section with an apache password
> prompt. [...]

It looks like your solution is somewhat different from the approach of
http://drupal.org/project/securesite

Would you consider writing up a page for the Drupal Handbook
explaining what you did? And maybe mentioning the module above too,
and what the differences are, and any other modules you found that
have similar aims? It could possibly go under:
- Advanced installation http://drupal.org/node/346385
- Beyond the Basics - How Tos
http://drupal.org/handbook/customization/howto
- Comparisons of contributed modules (if you have several modules to
compare) http://drupal.org/node/266179

Anyone with a drupal.org account (which anyone can get) can write a
book page. Just navigate to the parent page and click "Add child page"
at the bottom.

    --Jennifer

--
Jennifer Hodgdon * Poplar ProductivityWare
www.poplarware.com
Drupal, WordPress, and custom Web programming

Re: Apache restriction for admin interface...

by Ken Rickard

I do have a solution in the works that combines the two approaches. I
have an abstract IP-address checker that can be used to set control
lists based on inbound IP patterns. You could use it in hook_init() to
deny access to /admin.

To give an idea, here is a use case.

-- On user login, if the user name matches user 1, check the IP
control list for 'admin login'.
-- We then regex the IP (127.0.0.100) vs. a list of valid IPs for that
control list.
-- The list can contain full octets or partials, with regex patterns \d and 0-9.
-- So 127.0.0.100 would match the patterns 127.0 or 127.0.0.10\d.
-- On fail, disallow the login.

All the module actually does is return boolean TRUE/FALSE for the
check, and then cache the results for performance. The cache is wiped
when control lists are updated.

The control lists are managed through a UI (though they can also be
defined in a hook and marked as "uneditable" through the UI).

Problem is, the code is unfinished, and needs 20-30 hours of love.  If
anyone is interested in co-maintaining, I can set up a CVS project.

Anyone interested should send me a note off-list.

- Ken Rickard
agentrickard

On Fri, Oct 2, 2009 at 9:19 AM, Jennifer Hodgdon <yahgrp@...> wrote:
> [...]

--
Ken Rickard
agentrickard@...
http://ken.therickards.com
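The octet-pattern matching Ken describes (full or partial dotted quads, with \d and [0-9] allowed inside an octet, so that 127.0 and 127.0.0.10\d both match 127.0.0.100), as an added Python example rather than Ken's unfinished module. The control list values are constructed placeholders. It also shows the edge case a partial-octet list has to get right: "127.0" must mean the octets 127 and 0, not the string prefix "127.0", which would also admit 127.01.2.3.

```python
import functools
import ipaddress
import re

# Constructed control list for the 'admin login' check described in the thread.
# Each entry is a full or partial dotted-quad pattern; within an octet the
# regex tokens \d and [0-9] are allowed, as in Ken's examples. Placeholder values.
ADMIN_LOGIN_LIST = ["127.0", "127.0.0.10\\d", "192.0.2.[0-9]"]

# An octet pattern may only contain digits, \d or [0-9]; anything else
# (e.g. a stray ".*") is refused rather than silently widening the list.
_OCTET_PART = re.compile(r"^(?:\d|\\d|\[0-9\])+$")


@functools.lru_cache(maxsize=None)
def compile_pattern(pattern: str) -> re.Pattern:
    """Turn '127.0' or '127.0.0.10\\d' into an anchored regex.

    Octets the pattern gives are matched whole, separated by literal dots;
    octets it leaves off are wildcards. Compiled patterns are cached, echoing
    the module's caching of check results.
    """
    parts = pattern.split(".")
    if not 1 <= len(parts) <= 4 or not all(_OCTET_PART.match(p) for p in parts):
        raise ValueError(f"bad IP pattern: {pattern!r}")
    missing = 4 - len(parts)
    body = r"\.".join(parts)
    tail = "" if missing == 0 else r"(?:\.\d{1,3}){%d}" % missing
    return re.compile(body + tail)


def ip_allowed(ip: str, control_list) -> bool:
    """Return True if the client address matches any pattern in the list.

    The address is validated as a real IPv4 address first, so junk such as
    '127.0.0.1.1' or a hostname fails closed instead of reaching the regex.
    """
    try:
        addr = str(ipaddress.IPv4Address(ip))
    except ValueError:
        return False
    return any(compile_pattern(p).fullmatch(addr) for p in control_list)


def naive_prefix_allowed(ip: str, control_list) -> bool:
    """The tempting shortcut: plain string prefix. Kept only to show the pitfall."""
    return any(ip.startswith(p) for p in control_list)


if __name__ == "__main__":
    print(ip_allowed("127.0.0.100", ADMIN_LOGIN_LIST))    # True: matches 127.0 and 127.0.0.10\d
    print(ip_allowed("127.0.0.110", ["127.0.0.10\\d"]))   # False: last octet is 110
    print(ip_allowed("127.1.2.3", ["127.0"]))             # False: second octet is 1, not 0
    print(naive_prefix_allowed("127.01.2.3", ["127.0"]))  # True: the prefix pitfall
```

Whatever calls this in hook_init() must pass the connection's peer address (Apache's REMOTE_ADDR), not a client-supplied header such as X-Forwarded-For unless a trusted proxy is known to set it; otherwise the control list is satisfied by anyone who can write a header.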