
Force https non-www with a basic auth protection for unwanted visitors and bots


cwsoft

Hi,

if you want to hide/protect your entire ProcessWire page from unwanted visitors (and bots), you could add the following lines to the end of your .htaccess file in your PW web root to force basic auth protection. In addition I commented out some lines in the default .htaccess file to force HTTPS and non-www like https://domain.com.

  # 9A. To redirect HTTP requests to HTTPS, uncomment the lines below (also see note above):
  # -----------------------------------------------------------------------------------------------
  # Comment out the two lines below to force HTTPS requests.
  RewriteCond %{HTTPS} !=on
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  # 13C. Redirect www.domain.com to domain.com (do not combine with 13A or 13B):
  # -----------------------------------------------------------------------------------------------
  # Comment out the two lines below to rewrite URL to non-www.
  RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
  RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI} [R=301,L]

#################################################################################################
# END PROCESSWIRE HTACCESS DIRECTIVES
#################################################################################################

#################################################################################################
# Basic auth protection to hide site from unwanted guests, search engines and bots.
# To not ask credentials twice, we allow non HTTPS and WWW first. After ProcessWire redirected
# request to non-www HTTPS, we prompt for credentials for the basic auth once.
#################################################################################################
# Detect LOCALHOST env or WWW subdomain.
SetEnvIf HOST ^localhost LOCALHOST
SetEnvIf HOST ^www\. WWW

# Basic authentication
AuthType Basic
AuthName "Restricted area"
AuthUserFile /kunden/path_to_your_webroot/.htusers

# Deny access to all, except for LOCALHOST, WWW, HTTP or valid-user.
Order Deny,Allow
Deny from all
Satisfy any
Allow from env=LOCALHOST
Allow from env=WWW
Allow from env=!HTTPS
require valid-user

You can create the password hash for the .htusers file (username:hashed_password) with the PHP commands below. Don't forget to adapt the path in AuthUserFile to match your .htusers file in your .htaccess file too.

<?php
// Create a password hash for Basic Auth.
$user = "your-username";
$plain = 'your-password';
$hash = password_hash($plain, PASSWORD_BCRYPT);

// Output required .htusers data on screen.
echo '<h2>Data for .htusers file in PW webroot</h2>';
echo '<p><strong>PATH</strong>: ' . __DIR__ . DIRECTORY_SEPARATOR . '.htusers</p>';
echo '<p><strong>username:hash</strong>: ' . "$user:$hash" . '</p>';

Have fun.
cwsoft
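
The same access rule written with Apache 2.4's native authorization directives instead of the Order/Deny/Allow/Satisfy set from mod_access_compat, as an added example that is not part of the original post. It assumes Apache 2.4 with mod_authz_core, reuses the post's placeholder AuthUserFile path, and swaps the Host-header LOCALHOST test for `Require local`, which matches on the connection address.

```apache
# Added example (not from the original post): Apache 2.4 authz equivalent.
# Assumes Apache 2.4; the AuthUserFile path is the post's placeholder.

# Detect the WWW subdomain so the request can reach the non-www redirect.
SetEnvIf Host ^www\. WWW

AuthType Basic
AuthName "Restricted area"
AuthUserFile /kunden/path_to_your_webroot/.htusers

# Any one of the following grants access (replaces "Satisfy any").
<RequireAny>
    # Local development: the client address is loopback or equals the server
    # address. Swapped in for the Host-based LOCALHOST variable, because the
    # Host header is supplied by the client.
    Require local

    # www requests: let through so rule 13C redirects them to non-www first.
    Require env WWW

    # Plain HTTP: let through so rule 9A redirects to HTTPS before the prompt,
    # which keeps credentials off unencrypted connections.
    Require expr "%{HTTPS} == 'off'"

    # Everything else must authenticate against .htusers.
    Require valid-user
</RequireAny>
```

If Apache runs behind a reverse proxy on the same machine, every request looks local to `Require local` unless mod_remoteip is configured, so drop that line in such a setup.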
