
How to force secure login to _private folder?

Discussion in 'Security' started by Blakles, Apr 30, 2012.

  1. Blakles

    Blakles Member

    Joined:
    Mar 9, 2012
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    During my latest PCI Compliance scan, one vulnerability that came up was that "web application transmits login credentials without encryption". The two examples it gave were:

    http://www.domain.com/_private/
    http://0.0.0.0/_private/

    In WHM, I have the following security settings in place:

    Require SSL: On
    Enable HTTP Authentication: Off

    I tried to use the following code in the .htaccess file in the _private folder, but it did not work:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{REQUEST_URI} _private
    RewriteRule ^(.*)$ https://www.domain.com/_private/$1 [R,L]

    Can anyone tell me how to force SSL when accessing the _private folder from a browser?
     
  2. freemannn

    freemannn Member

    Joined:
    Dec 17, 2006
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Montreal, QC, Canada
    cPanel Access Level:
    Root Administrator
    Try this (inside the .htaccess file from that folder):
    Code:
    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    
    This will redirect any HTTP request to HTTPS, so to avoid redirecting everything, the .htaccess file has to be only in that folder.
     
  3. Blakles

  4. freemannn


    I tested it and it is working (Apache 2.2.22 with mod_rewrite enabled). Maybe you did something wrong with the code, or the server configuration does not allow this.
     
    #4 freemannn, Apr 30, 2012
    Last edited: Apr 30, 2012
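
One way to check from the outside whether the redirect discussed in this thread is taking effect, the way a scanner sees it (an added example, not code from any poster): request the folder once over plain HTTP without following redirects and judge the first response. The names `classify`, `probe` and `run_samples` and the sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def classify(status, headers):
    """Judge the first response to a plain-HTTP request for the protected folder."""
    h = {k.lower(): v for k, v in headers.items()}
    # A login prompt on port 80 means the browser replies with credentials in clear text.
    if status == 401 or "www-authenticate" in h:
        return "FAIL: authentication requested over HTTP"
    if status in REDIRECTS:
        # A relative Location has no scheme, so the client would stay on HTTP.
        target = urlsplit(h.get("location", ""))
        if target.scheme.lower() == "https":
            return "PASS: redirected to HTTPS"
        return "FAIL: redirect does not point to HTTPS"
    if status == 403:
        return "PASS: plain HTTP refused"
    return "FAIL: content served over HTTP"

def probe(host, path="/_private/", timeout=5):
    """Fetch http://host/path once (http.client never follows redirects) and classify it."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()

# Constructed sample responses, not captured from any real server.
SAMPLES = {
    "rewrite rule applied": (302, {"Location": "https://www.domain.com/_private/"}),
    "rewrite rule ignored": (200, {"Content-Type": "text/html"}),
    "login prompt on port 80": (401, {"WWW-Authenticate": 'Basic realm="private"'}),
    "relative redirect": (301, {"Location": "/_private/index.html"}),
}

def run_samples():
    """Classify every constructed sample and return {name: verdict}."""
    return {name: classify(s, h) for name, (s, h) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

Running `probe("www.domain.com")` against your own server, once by host name and once by IP address, covers both URLs the scan reported.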
  5. Blakles

    I'm using Apache 2.2.16 and have mod_rewrite enabled. I haven't done anything to the configuration that I can think of.
     