Monthly Archives: November 2009

How to secure selectively admin location

Securing the admin part of the site is always tricky, especially for open source software CMS. A very good practice is to protect your admin directory with an extra .htaccess, because most of the damages has been done from exploits of the applications rather than brute force cracking.

There are many articles how to set up .htaccess authentication on Apache web server, but here I will explain how to set an extra password request only for Internet users while the users from Local Network should spare the extra password.

The scenario:
When the user in in the local network the administration part need to be accessible with the CMS default authentication, while if the user access the Administration from Internet, an extra password prompt will be shown.

1. Create your password file

# htpasswd -c /your_secret_location/.htpassword user
New password:
Re-type new password:
Adding password for user user

If you writing in an existing file don’t use the option -c

2. Setting the .htaccess
Depending of the server set up you can do this in your httpd.conf, or in apache2 style – in sites-available directory. So, let’s say we have a file in /etc/apache/sites-available called which holds the record of the domain

<VirtualHost *:80>
        <Location /admin>
                 AuthType Basic
                 AuthName intranet
                 Satisfy any
                 Allow from 192.168
                 Order allow,deny
                 AuthUserFile /your_secret_location/.htpasswd
                 Require valid-user

Here is the tricky part: The directive “Satisfy any”. By default the directive is set to all so it’s like AND:
If (you are in local net AND you are valid user) {access the location}

while Satisfy any is like OR
If (you are in local net OR you are valid user) {access the location}

More on this topic: Satisfy directive