FCKEditor in HTTP Secured Websites
Usually, you do not want websites that are still under development to be visible to the Web at large. Even if you do not care about that, at the least - you do not want such websites to be indexed by search engine bots. Bottomline - you want the “dev” websites behind a lock. One way to secure, is to restrict IP addresses, but then - that is so ’90s! In the modern world we are way too mobile, for such approaches. They will just add annoyance and stand in the way of productivity. If you are using Drupal, one solution is to use the Securesite module. Or maybe not. In a busy development shop you usually deal with a dozen of under-the-development projects and triple that amount of projects that you maintain, hence still have dev environments for. Maintaining Securesite for each one of them is a maintenance nightmare. Please note, we are not even mentioning how buggy Securesite is and how it conflicts every time you try to do something advanced. Where I work, we chose a parsimonious approach.
We keep virtual-host folders of all our “dev” sites under /var/www/dev. In the same folder we have an “.htaccess” file that protects folders underneath with a universal user/password (clearly, in this case security is not a matter of life-and-death). Everything works like a charm - you want a site protected? Move it under /var/www/dev. You want it public? Move it to /var/www/vhosts. The problem, however, arises when trying to use FCKeditor with the protected sites. FCKeditor issues some “interesting” HTTP request as part of the file (image) upload workflow. When website is HTTP protected, you will get an error message like this: Bummer! The workaround is to allow the specific URI FCKEditor is requesting. Since we are mainly looking for a way to “scare” the search bots away and security is not a pressing issue, we can do it without a worry. The final .htaccess file will look something like the following:
AuthUserFile /opt/lampp/etc/.htpasswd-usersAuthGroupFile /dev/nullAuthName "Protected Area. Please, provide login credentials."AuthType Basic <Files "*"> require user devsec </Files> <FilesMatch "connector.*?$"> Allow from all </FilesMatch>