Password Authentication with SSL


n3m


Posted

Here's another way of protecting your /admin directory, but with SSL (HTTPS).

 

As with Linux/UNIX systems, there are several methods to do this, but this sample worked for me, so I thought I would share it.

 

The following sample is from my "httpd.conf" file, which will password protect your admin directory and force your browser to use HTTPS on your /admin directory. This does work, as I have it working on my Apache-SSL server, and is easy to do!

Assuming, of course, you're running SSL.

 

And in case you're wondering, this will not affect the /path_to/catalog directory whatsoever.

 

In Three Steps!

 

Step 1.

 

Add the following to your httpd.conf file:

 

# insert this code after your default DocumentRoot section
# <Directory "/path_to/www/htdocs">
# <truncated>
# </Directory>

RewriteEngine on
RewriteCond %{REQUEST_URI} ^/yourdir.*$
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R]

<Directory "/path_to/www/htdocs/admin">
SSLRequireSSL
AuthType Basic
AuthName "Restricted Access Only"
AuthUserFile /path_to/www/htdocs/admin/.htpasswd
Require user test
</Directory>

 

Step 2.

 

Create ".htpasswd" file to store username and password

 

shell> touch /path_to/www/htdocs/admin/.htpasswd

shell> vi /path_to/www/htdocs/admin/.htpasswd

 

In the file type in a username and a password:

 

yourname:EnCrYPtedP@$$w0RD

 

Note: to do this you will need to use the "handy dandy" tool in order to encrypt your password

 

Just enter a username you want to use and put in a password, click "calculate" and it will convert your password for you ...cut and paste it into your .htpasswd file.

 

Step 3.

 

Restart Apache:

 

shell> /path_to/apache/bin/apachectl restart

 

Voilà! Try it out!

n3m,

__

| w Digital information lasts forever, or five years

| - whichever comes first.

|___________________________________________

  • 2 weeks later...
Posted

Okay! DISREGARD my previous instructions!!! I APOLOGIZE! I'm a doofus, I admit ...I should have tested this further. So, like I said, this configuration will not affect your /catalog directory ...and it doesn't. However, I just came to find out that it does affect your /ADMIN directory! It breaks it ...DOH!

 

So here's the CORRECTED configuration ...this time TESTED!

 

Once again ...assume the following:

:lol: OS=*nix, Web=Apache

:rolleyes: your /ADMIN has been renamed to a secret name (as HIGHLY recommended)

:blink: /ADMIN will be used for this example

:P SSL is installed, configured and running

 

Step 1

Edit your configure.php file:

/path_to/admin/includes/configure.php

 

Edit Line # 16

  define('HTTP_SERVER', 'http://www.yourdomain.com');

  -change it to-

  define('HTTP_SERVER', 'https://www.yourdomain.com');

This will link all pages in your /ADMIN directory to use SSL (HTTPS)

 

Step 2

Create a ".htaccess" file inside your ADMIN directory, and enter the following lines:

    # this forces SSL only to directory
    SSLRequireSSL
    AuthType Basic
    AuthName "Restricted Access Only"
    AuthUserFile /path_to/htdocs/admin/.htpasswd
    Require user username

The trick is to use SSLRequireSSL; this forces SSL only to the directory and not regular HTTP. So, if you try to enter http only, you should get an "Unauthorized" page ...which is a good thing!

 

Step 3

Create /path_to/admin/.htpasswd (or name it what you want), and create a username and password inside the file. You can use this handy dandy tool to encrypt your password entry.

 

Just enter a username you want to use and put in a password, click "calculate" and it will convert your password for you ...cut and paste it into your .htpasswd file.

 

Example of ".htpasswd" file:

username:3NCrYP+P@$$w0Rd!

 

Step 4

Restart Apache:

shell> /path_to/apache/bin/apachectl restart

 

Voilà!

n3m,

__

| w Digital information lasts forever, or five years

| - whichever comes first.

|___________________________________________
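
An added example, not part of n3m's post: a small shell lint for an admin .htaccess carrying the Step 2 directives. It flags a directive followed by trailing text (Apache comments must sit on their own line) and a password file stored under the document root; the function name, the sample files and /path_to/private are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): lint an admin .htaccess.
# audit_htaccess FILE DOCROOT prints one finding per line; returns 1 if any.
audit_htaccess() {
  local file="$1" docroot="${2%/}" rc=0 pw
  # Comments may not share a line with a directive, so it must stand alone.
  if ! grep -Eqi '^[[:space:]]*SSLRequireSSL[[:space:]]*$' "$file"; then
    echo "ssl: SSLRequireSSL missing or followed by extra text"; rc=1
  fi
  if ! grep -Eqi '^[[:space:]]*AuthType[[:space:]]+Basic[[:space:]]*$' "$file"; then
    echo "auth: AuthType Basic missing"; rc=1
  fi
  if ! grep -Eqi '^[[:space:]]*Require[[:space:]]+(user[[:space:]]+[^[:space:]]+|valid-user)' "$file"; then
    echo "require: no Require user/valid-user line"; rc=1
  fi
  # Password file path: first argument of AuthUserFile, quotes stripped.
  pw=$(awk 'tolower($1)=="authuserfile"{gsub(/"/,"",$2); print $2; exit}' "$file")
  if [ -z "$pw" ]; then
    echo "pwfile: AuthUserFile missing"; rc=1
  else
    case "$pw" in
      "$docroot"/*) echo "pwfile: $pw is inside the document root"; rc=1 ;;
    esac
  fi
  return $rc
}

# Constructed samples: a weak variant and a tightened one (hypothetical paths).
sample_dir=$(mktemp -d)
cat > "$sample_dir/weak.htaccess" <<'EOF'
SSLRequireSSL  //this forces SSL only to directory
AuthType Basic
AuthName "Restricted Access Only"
AuthUserFile /path_to/htdocs/admin/.htpasswd
Require user username
EOF
cat > "$sample_dir/tightened.htaccess" <<'EOF'
# force SSL for this directory
SSLRequireSSL
AuthType Basic
AuthName "Restricted Access Only"
AuthUserFile /path_to/private/.htpasswd
Require user username
EOF
audit_htaccess "$sample_dir/weak.htaccess" /path_to/htdocs || true
audit_htaccess "$sample_dir/tightened.htaccess" /path_to/htdocs && echo "tightened: clean"
```
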

Posted
:rolleyes: your /ADMIN has been renamed to a secret name (as HIGHLY recommended)

:blink: /ADMIN will be used for this example

How would I rename the admin folder? Can I just go to any FTP client and rename it? Would it make some functions not work properly?

 

Thanks

Posted

You could rename the folder using an FTP client, I suppose? But normally you would do it locally ...BUT keep in mind, the only reason you are renaming the admin folder is for security reasons; you don't want to leave the default name (that everyone knows).

 

...anyway, after you rename it, you would also have to manually edit the path and new name in the configure.php file.

 

hope that helps

n3m,

__

| w Digital information lasts forever, or five years

| - whichever comes first.

|___________________________________________

  • 3 months later...
Posted

How can I restart Apache? I don't know how to do that. It's a URL? Explain it to me, please.

Posted

Yeyas, norcalgrom is correct ...if you convert to SSL (HTTPS), you need to change your url from http:// to https://

 

- hope that helps!

n3m,

__

| w Digital information lasts forever, or five years

| - whichever comes first.

|___________________________________________

Archived

This topic is now archived and is closed to further replies.
