How to password protect root / default webpage

[Greg M]

Hi there,

I am trying to figure out how I can password protect the server hostname default page.

i.e. server.domain.com (which auto forwards to -> /cgi-sys/defaultwebpage.cgi)

The reason I want to do this is because I have installed mod_pagespeed and I am trying to enable its admin GUI.

The problem I have is that for some daft reason I cannot access the /pagespeed_admin/ from a subdomain, such as cache.domain.com - for some reason it just doesn't load up, however it does load from the servers hostname - server.domain.com/pagespeed_admin/

However this would allow anyone who discovers the link to interact with this GUI which is not very secure. I am aware I could restrict it to my IP but I I'd need to access it from various locations, some of which are dynamic IPs

So my hopeful resolution is to password protect server.domain.com.


Is there a way to do this?

Thanks

 

[cPanelMichael]

Hello,

You could manually password protect the directory the script is located at by creating a .htaccess file in the directory and following the instructions discussed on the following third-party URL:

Password protecting a directory and all of it's subfolders using .htaccess

Thank you.

 

[Greg M]

Hi Michael, thanks for the reply.

Just to clarify, I am looking to do this for the root hostname of the server / main IP address.

I believe the correct directory is /var/www/html/ (checked this by editing the main html page that calls the default system cgi page) however when adding an htaccess file it doesn't seem to have an effect?

Thanks

 

[Greg M]

I actually managed to work it out,

I had to add

<Directory "/var/www/html/">
  Options Indexes FollowSymLinks MultiViews
  AllowOverride AuthConfig
  Order allow,deny
  Allow from all
</Directory>

to the Pre main include - I was avoiding updating httpd.conf direct.

Seems to be working great now



EDIT: IF anyone is attempting this, I had to put my passwd file within the /var/www/.passwds/ directory and set the folder to 755 permissions otherwise the file was unreadable by apache

 

[cPanelMichael]

Hello,

Keep in mind you may want to upload your custom script to a subdirectory within "/var/www/html/" and apply the workaround to the specific subdirectory (e.g. /var/www/html/directory-name). Otherwise, access attempts to the other templates (e.g. suspended page, error documents) will require authentication.

Thank you.

 

[Greg M]

Hi Michael,


Thank you for the response, because I am using mod_pagespeed there is no actual physical directory created (that I can find) which is why I am having to protect the root level.

However in terms of what you were saying I suspended an unused account and accessed it via private tab in different browser and it did not require any authentication for the suspended page so I don't think I will have any issues?

 

[cPanelMichael]

However in terms of what you were saying I suspended an unused account and accessed it via private tab in different browser and it did not require any authentication for the suspended page so I don't think I will have any issues?

In that case, no further steps should be required.

Thank you.

 

[Greg M]

Hi Michael,

Thanks for that, I will keep an eye on it just incase there are issues further down the line.

Thanks

Greg

 

[Greg M]

Hi Michael,

Turned out that this did indeed cause an issue,

server lfd[1410]: STATS: Unable to retrieve Apache Server Status [http://127.0.0.1/whm-server-status?auto] - Unable to download: Unauthorized

Turns out creating a /pagespeed_global_admin/ directory in the apache root and password protecting that works even though pagespeed doesnt physically reside there. I had originally though this would have caused an issue but that seems to be the full solution !