# Securing directories with mod_ssl

## Wackie

I recently installed apache with mod_php (with mysql), mod_ssl and mysql.

To control all of this, I'm using PHPmyadmin.

For security reasons, I already added htaccess on the dir (/home/httpd/htdocs/phpmyadmin).

I can connect to the localhost/phpmyadmin via ssl:

phpmyadmin shows up, after entering https://localhost/phpmyadmin

But I can also enter the dir unsecured via http. I tried to force users to connect to this dir only via https by altering apache.conf, but it didn't seem to work.

I added the following to /etc/apache/conf/apache.conf:

```
SSLEngine on

-- cutting code --

<Directory /home/httpd/phpmyadmin>
SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Directory>
```

But that didn't seem to work: if I restart apache, it tells me it can't be restarted gracefully due to an incorrect config file.

How do I secure this directory?

----------

## rac

What I do is have a completely different DocumentRoot for the http and https servers.

----------

## Wackie

So the best thing I can do, is fire up a virtual host and go config ssl.vhosts.conf?

Is it then still possible to run http://www.foobar.com and https://www.foobar.com/phpmyadmin (on the same machine)?

----------

## rac

 *Wackie wrote:*   

> So the best thing I can do, is fire up a virtual host and go config ssl.vhosts.conf?

 

Well, I didn't say best, just offered one possibility.

 *Quote:*   

> Is it then still possible to run http://www.foobar.com and https://www.foobar.com/phpmyadmin (on the same machine)?

 

I don't see why not.  They'd be listening on different ports.

----------

## Wackie

Okay, thx for the quick reply. I just couldn't find any detailed info on this; all I needed was a little hint about which road to take.

So I'll create my own certificates, and run my virtual hosts, and post my findings here, so other ppl can use it too.

----------

## Messiah

 *Wackie wrote:*   

> *cut stuff*
>
> But I can also enter the dir unsecured via http. I tried to force users to connect to this dir only via https by altering apache.conf, but it didn't seem to work.
> ...

 

Ahh...just use voodoo (aka mod_rewrite)  :Razz: 

```
RewriteEngine on
RewriteBase /phpMyAdmin/
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*) https://yourhostname.tld/phpMyAdmin/ [R]
```

edit: I decided to explain the lines, because mod_rewrite is voodoo

line 1 enables mod_rewrite

line 2 says that /phpMyAdmin/ is being used as a base dir

line 3 says if someone connects through port 80 (normal http)

line 4 says map everything to https://yourhostname.tld/phpMyAdmin/ and generate a redirect (R)

I just tested this within my phpMyAdmin directory in a .htaccess file and it did work. It should also work if you set this in the VirtualHost directive in apache.conf or vhosts/Vhosts.conf

Try it out! mod_rewrite rulezz

----------

## rac

Thanks for posting that alternative, Messiah. That certainly looks like another way to achieve what Wackie's trying to do. This entire post is really just an excuse to quote Brian Behlendorf of the Apache Group:

> The great thing about mod_rewrite is it gives you all the configurability and flexibility of Sendmail. The downside to mod_rewrite is that it gives you all the configurability and flexibility of Sendmail.

 

To anyone planning on playing with mod_rewrite, I highly recommend http://httpd.apache.org/docs/misc/rewriteguide.html and http://httpd.apache.org/docs/mod/mod_rewrite.html.

----------

## Messiah

You're welcome  :Wink: 

mod_rewrite is indeed very powerful, but hey it is really hard

So I got another question for those gurus here. See this post

----------

## xming

You can configure SSL/non-SSL per virtual host with the :port option after your virtual host.

xming

----------

## Wackie

 *Quote:*   

> ```
> RewriteEngine on
> ...
> ```

 

Okay, I think it's really voodoo, because I added the following to /etc/apache/apache.conf/:

```
# Making sure that PHPmyadmin only runs on a secure connection (using mod_rewrite)
RewriteEngine On
RewriteBase /phpmyadmin/
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*) https://hostname.nl/phpmyadmin/ [R]
```

but I can't restart it gracefully, since 'apachectl config' gives this error:

```
Syntax error on line 194 of /etc/apache/conf/apache.conf:
RewriteBase: only valid in per-directory config file
```

as you may have guessed, line 194 is the "rewritebase"-line.

btw, wouldn't it be more handy if the hostname is replaced with something like $HOSTNAME or apache's %SERVER_NAME???

----------

## Messiah

Comment out (put a # before) the line that begins with RewriteBase, because I did it from within a .htaccess, while you do it from within the main config file.

As for the hostname, it would probably be better if you used a variable, but that's your choice. However, I do not know how you do that, never done it before  :Wink: 

----------
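Added example, not posted by anyone in this thread: a server-config (apache.conf) form of the redirect discussed above. It drops `RewriteBase`, uses `%{SERVER_NAME}` for the hostname question, and keeps `SSLRequireSSL` as a backstop. The on-disk path and the lowercase `/phpmyadmin` URL are taken from the first post and are assumptions about the real layout.

```apache
# --- Main server config context (apache.conf), NOT .htaccess ---------------
# RewriteBase is left out: it is only valid in per-directory context, which is
# exactly what the "Syntax error ... RewriteBase" message reports.
RewriteEngine On

# Only act on plain-HTTP requests (port 80, as in the thread's rule).
RewriteCond %{SERVER_PORT} ^80$

# In server context the pattern is matched against the full URL-path, leading
# slash included, so the rule is anchored to /phpmyadmin and leaves the rest
# of the site on http. $1 carries the remainder of the path across.
# %{SERVER_NAME} replaces the hard-coded hostname. Its value follows
# ServerName and UseCanonicalName; set both explicitly so the redirect target
# is the configured name rather than one taken from the request.
RewriteRule ^/phpmyadmin(/.*)?$ https://%{SERVER_NAME}/phpmyadmin$1 [R,L]

# --- Backstop ---------------------------------------------------------------
# A redirect only steers well-behaved clients. SSLRequireSSL makes Apache
# refuse any request for this directory that did not arrive over SSL, so the
# content stays protected even if the rewrite rule is later removed or fails
# to match. <Directory> takes the filesystem path that actually serves
# /phpmyadmin (assumed here); a path that does not match protects nothing.
<Directory /home/httpd/htdocs/phpmyadmin>
    SSLRequireSSL
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Directory>
```

After a config check and restart, a request to the http URL should return a redirect to the https one, and a non-SSL request that bypasses the redirect should be denied rather than served.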

