{"id":2151,"date":"2016-12-17T20:55:14","date_gmt":"2016-12-18T01:55:14","guid":{"rendered":"http:\/\/www.ikriv.com\/blog\/?p=2151"},"modified":"2016-12-17T20:58:37","modified_gmt":"2016-12-18T01:58:37","slug":"apache-how-to-properly-secure-a-folder","status":"publish","type":"post","link":"https:\/\/ikriv.com\/blog\/?p=2151","title":{"rendered":"Apache: how to properly secure a folder"},"content":{"rendered":"<p>Here&#8217;s the scenario: the folder named &#8220;secure&#8221; contains sensitive data and should be protected by user name and password. To redirect all HTTP requests to HTTPS and enforce basic authentication for the folder, add the following to <code>httpd.conf<\/code> (<code>etc\/apache2\/sites-enabled\/000-default.conf<\/code> on Ubuntu):<br \/>\n<!--more--><\/p>\n<pre class=\"brush: xml; title: ; notranslate\" title=\"\">\r\n&lt;Directory \/var\/www\/html\/secure&gt;\r\nSSLOptions +StrictRequire\r\nSSLRequireSSL\r\nErrorDocument 403 \/https.php\r\nAuthName 'Enter your user name and password:'\r\nAuthType Basic\r\nAuthUserFile \/path\/to\/.htpasswd\r\nRequire valid-user\r\n&lt;\/Directory&gt;\r\n<\/pre>\n<p>Create <code>https.php<\/code> file with this code:<\/p>\n<pre class=\"brush: php; title: ; notranslate\" title=\"\">&lt;?php\r\n$path = &quot;https:\/\/&quot;.$_SERVER&#x5B;'SERVER_NAME'].$_SERVER&#x5B;'REQUEST_URI'];\r\nif ( $_SERVER&#x5B;'SERVER_PORT'] != 443) {\r\n    header(&quot;Status: 302 Moved\\n&quot;);\r\n    header(&quot;Location: &quot;.$path.&quot;\\n\\n&quot;);\r\n}\r\nelse {\r\n    header( &quot;Content-type: text\/html\\n\\n&quot;);\r\n    echo &quot;&lt;html&gt;&lt;body&gt;&lt;h1&gt;Access denied&lt;\/h1&gt;&lt;\/body&gt;&lt;\/html&gt;&quot;;\r\n}?&gt;<\/pre>\n<p>Make sure <code>https.php<\/code> is in a directory not protected by authentication, and when you&#8217;re done, don&#8217;t forget to restart Apache.<\/p>\n<h2>Why basic authentication?<\/h2>\n<p>Outside of enterprise environments, basic authentication over HTTPS is the only practical option. Digest authentication has less browser support and is <a href=\"https:\/\/en.wikipedia.org\/wiki\/Digest_access_authentication#Disadvantages\">only slightly more secure<\/a>. Basic authentication over HTTP will send the password in the clear, which is probably worse than not having a password at all: many people use the same password for multiple things. <\/p>\n<h2>Why not to use rewrites?<\/h2>\n<p>Many web sites suggest to add rewrite rules that would automatically redirect all HTTP requests to HTTPS, along the lines of <\/p>\n<pre class=\"brush: xml; title: ; notranslate\" title=\"\">\r\nRewriteEngine On\r\nRewriteCond %{HTTPS} off\r\nRewriteRule ^(.*)$ https:\/\/%{HTTP_HOST}%{REQUEST_URI} &#x5B;L,R=301]\r\n<\/pre>\n<p>Unfortunately, this won&#8217;t work with <code>SSLRequireSSL<\/code>. If the user tries to access http:\/\/mysite.com\/secure, he will get error 403 Forbidden before the rewrite rules have a chance to kick in. It is possible to remove <code>SSLRequireSSL<\/code>, but then there is a high risk of accidentally allowing HTTP access and even running basic authentication over HTTP instead of HTTPS, which is totally not something with should do.<\/p>\n<p>So, we replace Apache rewriting rules with a PHP script that essentially does the same thing, and designate it as an error document for 403 Forbidden. HTTPS users get straight through to authentication, while HTTP users are redirect to the error document due to 403 error, and the PHP code in <code>https.php<\/code> redirects them to HTTPS, nice and sweet.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here&#8217;s the scenario: the folder named &#8220;secure&#8221; contains sensitive data and should be protected by user name and password. To redirect all HTTP requests to HTTPS and enforce basic authentication <a href=\"https:\/\/ikriv.com\/blog\/?p=2151\" class=\"more-link\">[&hellip;]<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"Layout":"","footnotes":""},"categories":[4,15],"tags":[],"class_list":["entry","author-ikriv","has-more-link","post-2151","post","type-post","status-publish","format-standard","category-hack","category-webdev"],"_links":{"self":[{"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2151","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2151"}],"version-history":[{"count":15,"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2151\/revisions"}],"predecessor-version":[{"id":2166,"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2151\/revisions\/2166"}],"wp:attachment":[{"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ikriv.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}