Browser authentication for admin panel

#1
Is it possible to add browser authentication for the admin panel? If so, how would I set this up?

Also if you have https required and you try to access via the http version you'll get the "HTTPS is required" page. Is there a way to alter this page? Or ideally I'd prefer the non https page to not even work at all as if nothing is there.
 

lsmichael

Active Member
#2
There's no configuration for browser authentication, so we're not sure how you'd do that. You'd have to dork around with the WebAdmin's PHP code.

The same is true for the HTTPS is required page, but it's really easy to change. It's hard-coded in src/http/ntwkiolink.cpp on lines 1228-1241.

 
#3
> There's no configuration for browser authentication, so we're not sure how you'd do that. You'd have to dork around with the WebAdmin's PHP code.

There doesn't appear to be a limit to the number of invalid logins so I figured adding an extra layer would be better for security.

> The same is true for the HTTPS is required page, but it's really easy to change. It's hard-coded in src/http/ntwkiolink.cpp on lines 1228-1241.

Hmm, this means I need to make the change every time I upgrade right?
 

lsmichael

Active Member
#4
> There doesn't appear to be a limit to the number of invalid logins so I figured adding an extra layer would be better for security.

Wait, what do you mean by browser authentication? I thought you meant a way to have your username and password sent automatically when you navigated to the page.

> Hmm, this means I need to make the change every time I upgrade right?

Yup. Unless you can convince us that we should change it. :barefoot:
 
#5
> Wait, what do you mean by browser authentication? I thought you meant a way to have your username and password sent automatically when you navigated to the page.

By browser authentication I meant the annoying prompts that pop up on browsers when you try to navigate to an area that is password protected. Maybe that is not called browser authentication then. :whistle: You can already set them up in litespeed for certain URIs by creating a context and selecting an "authorization realm".

> Yup. Unless you can convince us that we should change it. :barefoot:

Hmm, well if the purpose of this page is just to tell people to use https, why not just 301 redirect straight to the https version assuming they are using the option of https only. I originally suggested to remove the http page in case someone was attempting to do something malicious and finding the http page would give them the clue, but I guess they would be smart enough to figure that out on their own. :p
 

lsmichael

Active Member
#6
> By browser authentication I meant the annoying prompts that pop up on browsers when you try to navigate to an area that is password protected. Maybe that is not called browser authentication then. :whistle: You can already set them up in litespeed for certain URIs by creating a context and selecting an "authorization realm".

Oh! Yeah, what is that called? Ummm... Oh well. No, that's not set up for the WebAdmin either, but you're welcome to modify the WebAdmin code. (The WebAdmin code has always been open source.)

> Hmm, well if the purpose of this page is just to tell people to use https, why not just 301 redirect straight to the https version assuming they are using the option of https only.

I... don't... know... :cry:

I'll ask on Monday. (y)
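
Added example, not part of the thread and not LiteSpeed's own code: the browser prompt discussed above is HTTP Basic authentication, and a gate like this could be included at the top of a PHP admin entry script. The placement, the function names, the realm text and the `ADMIN_BASIC_USER` / `ADMIN_BASIC_HASH` environment variables are all assumptions made for illustration; the hash is expected to come from `password_hash()`.

```php
<?php
// Added illustration: HTTP Basic auth gate in front of a PHP admin page.
// All names below are hypothetical; none are LiteSpeed WebAdmin settings.

function basic_credentials(array $server): ?array
{
    // Some SAPIs expose the decoded user/password pair directly.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // Others only pass the raw header: "Basic base64(user:password)".
    $header = $server['HTTP_AUTHORIZATION'] ?? '';
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // the password may itself contain ':'
}

function is_authorized(array $server, string $user, string $hash): bool
{
    $creds = basic_credentials($server);
    if ($creds === null || $user === '' || $hash === '') {
        return false; // fail closed when nothing is configured or sent
    }
    [$u, $p] = $creds;
    // Run both checks so the response time does not show which one failed.
    $userOk = hash_equals($user, $u);
    $passOk = password_verify($p, $hash);
    return $userOk && $passOk;
}

function require_basic_auth(array $server): void
{
    // Basic credentials are only base64-encoded: never prompt over plain HTTP.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        http_response_code(403);
        exit;
    }
    $user = (string) getenv('ADMIN_BASIC_USER'); // hypothetical variable name
    $hash = (string) getenv('ADMIN_BASIC_HASH'); // hypothetical variable name
    if (!is_authorized($server, $user, $hash)) {
        header('WWW-Authenticate: Basic realm="Admin", charset="UTF-8"');
        http_response_code(401);
        exit('Authentication required');
    }
}

require_basic_auth($_SERVER);
```

This adds a second credential in front of the login form but does not itself limit failed attempts, and as noted in the thread, any change made inside the WebAdmin code has to be reapplied after each upgrade.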
 