How to force secure login to _private folder?

Blakles

Member
Mar 9, 2012
cPanel Access Level
Root Administrator
During my latest PCI Compliance scan, one vulnerability that came up was that "web application transmits login credentials without encryption". The two examples it gave were:

http://www.domain.com/_private/
http://0.0.0.0/_private/

In WHM, I have the following security settings in place:

Require SSL: On
Enable HTTP Authentication: Off

I tried to use the following code in the .htaccess file in the _private folder, but it did not work:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} _private
RewriteRule ^(.*)$ https://www.domain.com/_private/$1 [R,L]

Can anyone tell me how to force SSL when accessing the _private folder from a browser?
 

freemannn

Member
Dec 17, 2006
Montreal, QC, Canada
cPanel Access Level
Root Administrator
Try this (inside the .htaccess file from that folder):
Code:
RewriteEngine On
# Only act on requests that did not arrive over TLS
RewriteCond %{HTTPS} !on
# Send the client to the same host and path over HTTPS as an explicit external redirect
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
This will redirect any HTTP request to HTTPS, so to avoid redirecting everything, the .htaccess file has to be only in that folder.
 

Blakles
Thank you for the reply freemannn. That doesn't quite work for me though. When the code you provided is placed in the .htaccess file that is located within the _private folder, I get these results:

http://domain.com/_private -> https://www.domain.com/500.shtml
http://www.domain.com/_private -> A pop-up box asks for login credentials with HTTP
http://0.0.0.0/_private -> A pop-up box asks for login credentials with HTTP

freemannn

I tested it and it is working (Apache 2.2.22 with mod_rewrite enabled). Maybe you did something wrong with the code, or the server configuration does not allow this.

Blakles
I'm using Apache 2.2.16 and have mod_rewrite enabled. I haven't done anything to the configuration that I can think of.
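The login pop-up results reported above are what Apache's request phases predict: a RewriteRule in a .htaccess file runs in the fixup phase, after authentication, so when the same directory carries Basic auth the browser is challenged over plain HTTP before the redirect ever fires. One way to close that gap, as an added example that is not from the thread (www.domain.com is the thread's placeholder host and the AuthUserFile path is an assumption):

```apache
# .htaccess inside /_private (added example, not from the thread)

# Weak: a per-directory RewriteRule is evaluated in the fixup phase,
# which comes after the authentication phase, so the Basic-auth
# challenge below is sent over plain HTTP before this redirect runs.
#
#   RewriteEngine On
#   RewriteCond %{HTTPS} !on
#   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Hardened: SSLRequireSSL is enforced by mod_ssl in the access phase,
# which precedes authentication, so a plain-HTTP request is refused
# with 403 before any credentials are requested.
SSLRequireSSL
# Default, but stated explicitly: with "Satisfy Any" a failed access
# check would fall through to HTTP auth and the challenge would still
# go out over plain HTTP.
Satisfy All
# Turn the 403 into an external redirect to the protected area over HTTPS.
ErrorDocument 403 https://www.domain.com/_private/

# The directory protection itself (password-protected directory)
AuthType Basic
AuthName "Private area"
# Assumed path; use the file your control panel actually wrote
AuthUserFile /home/user/.htpasswds/public_html/_private/passwd
Require valid-user
```

The ErrorDocument line applies to every 403 raised in this directory, so a request denied over HTTPS for some other reason would be redirected back to itself. With root access, a redirect placed in the virtual host configuration runs in the translate phase, before authentication, and is the cleaner choice.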