How to force secure login to _private folder?

Discussion in 'Security' started by Blakles, Apr 30, 2012.

  1. Blakles

    During my latest PCI Compliance scan, one vulnerability that came up was that "web application transmits login credentials without encryption". The two examples it gave were:

    http://www.domain.com/_private/
    http://0.0.0.0/_private/

    In WHM, I have the following security settings in place:

    Require SSL: On
    Enable HTTP Authentication: Off

    I tried to use the following code in the .htaccess file in the _private folder, but it did not work:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{REQUEST_URI} _private
    RewriteRule ^(.*)$ https://www.domain.com/_private/$1 [R,L]

    Can anyone tell me how to force SSL when accessing the _private folder from a browser?
     
  2. freemannn

    Try this (inside the .htaccess file from that folder):
    Code:
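    RewriteEngine On
    # Only act on requests that did not arrive over TLS
    RewriteCond %{HTTPS} !on
    # Send the client to the same host and path over HTTPS
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]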
    
    This will redirect any HTTP request to HTTPS, so to avoid redirecting everything, the .htaccess file has to be only in that folder.
     
  3. Blakles

  4. freemannn


    I tested it and it is working (Apache 2.2.22 with mod_rewrite enabled). Maybe you did something wrong with the code, or the server configuration does not allow this.
     
    #4 freemannn, Apr 30, 2012
    Last edited: Apr 30, 2012
  5. Blakles

    I'm using Apache 2.2.16 and have mod_rewrite enabled. I haven't done anything to the configuration that I can think of.
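
Added example (not part of any post in this thread): a Python check of what the scan finding comes down to, namely whether a plain-HTTP request for the folder is redirected to HTTPS before any login is requested. The sample responses are constructed, `classify` and `probe` are hypothetical helper names, and the check goes beyond the thread by also covering a 401 challenge and an HTML password form, which the posts do not specify.

```python
import http.client
import re
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)
PASSWORD_FIELD = re.compile(r'<input[^>]+type=["\']?password', re.I)

def classify(status, headers, body=""):
    """Classify the response to a plain-HTTP request for a protected path."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECTS:
        # Only an absolute https:// Location moves the login onto TLS.
        if urlsplit(h.get("location", "")).scheme == "https":
            return "redirect-to-https"
        return "redirect-not-https"
    if status == 401 and "www-authenticate" in h:
        # The browser would answer this challenge with credentials over HTTP.
        return "cleartext-auth-challenge"
    if PASSWORD_FIELD.search(body):
        return "cleartext-login-form"
    return "no-login-seen"

def probe(host, path="/_private/", timeout=5):
    """Fetch path over port 80 without following redirects (needs network)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        return classify(resp.status, dict(resp.getheaders()), body)
    finally:
        conn.close()

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "rewrite rule active": (302, {"Location": "https://www.domain.com/_private/"}, ""),
    "auth challenge on http": (401, {"WWW-Authenticate": 'Basic realm="private"'}, ""),
    "login form on http": (200, {"Content-Type": "text/html"},
                           '<form><input type="password" name="p"></form>'),
    "redirect stays on http": (302, {"Location": "http://www.domain.com/_private/x"}, ""),
}

if __name__ == "__main__":
    for name, (status, headers, body) in SAMPLES.items():
        print(f"{name}: {classify(status, headers, body)}")
```

Calling `probe` with your own host name after editing the `.htaccess` shows which case applies; `cleartext-auth-challenge` or `cleartext-login-form` means a login is still being requested over plain HTTP.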
     