Posted to users@httpd.apache.org by Gulkamal Singh <lu...@gmail.com> on 2014/06/30 14:23:37 UTC

[users@httpd] Discussion about possible new feature for Apache HTTP Server

Let's say that I have a domain hosting a public-facing website (
www.mywebsite.com).  Now let's say that -

1) Security is not a big thing.
2) To save money, I want to host the admin interface on the same domain (
www.mywebsite.com/admin).
3) The admin interface requires login but nevertheless I do not want the
public to be even aware of the location of the admin interface.
4) But there is a chance that someone might type in www.mywebsite.com/admin
by guessing and discover that there is an admin user interface there.
5) I don't want to use complicated IP blocking to block access to the admin
interface - I want to be able to login from any machine.  I also don't want
to go down the expensive certificate route.

In this case, the following will be useful -

1) A browser that has a simple interface from where I can map a key to a
url.  When I make a request to my admin URL, it sends this key in the
header, get or post.
2) A server which shows a 404 unless the key is present in the header, get
or post.

This is a fairly simple feature and I feel that if browsers and servers
implement this, it could become popular.  Could people please give me
thoughts on this, if there might be benefits to this, and if it would be
possible for apache http server to implement this?

Re: [users@httpd] Discussion about possible new feature for Apache HTTP Server

Posted by "D'Arcy J.M. Cain" <da...@Vex.Net>.
On Mon, 30 Jun 2014 13:23:37 +0100
Gulkamal Singh <lu...@gmail.com> wrote:
> 1) A browser that has a simple interface from where I can map a key
> to a url.  When I make a request to my admin URL, it sends this key
> in the header, get or post.
> 2) A server which shows a 404 unless the key is present in the
> header, get or post.
> 
> This is a fairly simple feature and I feel that if browsers and
> servers implement this, it could become popular.  Could people please
> give me thoughts on this, if there might be benefits to this, and if
> it would be possible for apache http server to implement this?

I think you are being way too complicated.  Just put your admin page at
something like www.mysite.com/h7Swu72fFqdk and add that to your
bookmarks.  No one is going to accidentally type that in.  In fact, I
often use that in lieu of actual password protection when convenience
is more important than high security.

-- 
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:darcy@Vex.Net
VoIP: sip:darcy@Vex.Net



Re: [users@httpd] Discussion about possible new feature for Apache HTTP Server

Posted by Edgar Pettijohn <ed...@pettijohn.no-ip.biz>.
On 06/30/2014 07:30 AM, Jeroen Van den Horn wrote:
> I'm sure that when you fiddle a bit with some RewriteCond's and
> RewriteRules you can accomplish what you want out-of-the-box.
>
> J
>
>
> On Mon, Jun 30, 2014 at 2:23 PM, Gulkamal Singh <lu...@gmail.com> wrote:
>
>     Let's say that I have a domain hosting a public-facing website
>     (www.mywebsite.com).  Now let's say that -
>
>     1) Security is not a big thing.
>     2) To save money, I want to host the admin interface on the same
>     domain (www.mywebsite.com/admin).
>     3) The admin interface requires login but nevertheless I do not
>     want the public to be even aware of the location of the admin
>     interface.
>     4) But there is a chance that someone might type in
>     www.mywebsite.com/admin by
>     guessing and discover that there is an admin user interface there.
>     5) I don't want to use complicated IP blocking to block access to
>     the admin interface - I want to be able to login from any machine.
>     I also don't want to go down the expensive certificate route.
>
>     In this case, the following will be useful - 
>
>     1) A browser that has a simple interface from where I can map a
>     key to a url.  When I make a request to my admin URL, it sends
>     this key in the header, get or post.
>     2) A server which shows a 404 unless the key is present in the
>     header, get or post.
>
>     This is a fairly simple feature and I feel that if browsers and
>     servers implement this, it could become popular.  Could people
>     please give me thoughts on this, if there might be benefits to
>     this, and if it would be possible for apache http server to
>     implement this?
>
>
Why not just use a self-signed key and implement SSL for your /admin only?

Re: [users@httpd] Discussion about possible new feature for Apache HTTP Server

Posted by Jeroen Van den Horn <je...@cloudwork.nl>.
I'm sure that when you fiddle a bit with some RewriteCond's and
RewriteRules you can accomplish what you want out-of-the-box.

J


On Mon, Jun 30, 2014 at 2:23 PM, Gulkamal Singh <lu...@gmail.com>
wrote:

> Let's say that I have a domain hosting a public-facing website (
> www.mywebsite.com).  Now let's say that -
>
> 1) Security is not a big thing.
> 2) To save money, I want to host the admin interface on the same domain (
> www.mywebsite.com/admin).
> 3) The admin interface requires login but nevertheless I do not want the
> public to be even aware of the location of the admin interface.
> 4) But there is a chance that someone might type in
> www.mywebsite.com/admin by guessing and discover that there is an admin
> user interface there.
> 5) I don't want to use complicated IP blocking to block access to the admin
> interface - I want to be able to login from any machine.  I also don't want
> to go down the expensive certificate route.
>
> In this case, the following will be useful -
>
> 1) A browser that has a simple interface from where I can map a key to a
> url.  When I make a request to my admin URL, it sends this key in the
> header, get or post.
> 2) A server which shows a 404 unless the key is present in the header, get
> or post.
>
> This is a fairly simple feature and I feel that if browsers and servers
> implement this, it could become popular.  Could people please give me
> thoughts on this, if there might be benefits to this, and if it would be
> possible for apache http server to implement this?
>
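
Added example (not part of the original thread, and not code from any poster): one way the RewriteCond/RewriteRule approach suggested above could answer 404 for /admin unless a request header carries a shared key. The header name X-Admin-Key and the key value are placeholders chosen for illustration; the sketch assumes mod_rewrite is loaded and the rules sit in the server or virtual-host configuration.

```apache
# Illustrative sketch only. X-Admin-Key and the key value are placeholders,
# not names used by Apache or by anyone in the thread.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Condition 1: the request targets /admin or anything beneath it.
    RewriteCond %{REQUEST_URI} ^/admin(/|$)

    # Condition 2: the custom request header is missing or does not equal
    # the expected value ("!=" is a negated exact string comparison).
    RewriteCond %{HTTP:X-Admin-Key} !=REPLACE-WITH-LONG-RANDOM-VALUE

    # Both conditions hold: stop rewriting and return 404 Not Found, the
    # same status the server gives for a path that does not exist.
    RewriteRule ^ - [R=404,L]
</IfModule>

# Requests that carry the correct header fall through to the normal /admin
# handling, where the application's own login still applies.
```

A POST body cannot be tested by mod_rewrite, so this covers only the header case from the proposal. Over plain HTTP the header value is readable in transit, so the rule hides the path from casual guessing while the existing login remains the actual access control.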