Protect Plesk panel with htpasswd and htaccess

AlessioF

Guest
Hello,
I'm trying to protect the access to the Plesk Panel with an htpasswd file, but I can't seem to make it work.
I've created a .htaccess file in the /opt/psa/admin/htdocs directory (which is for me the panel directory), but anything I put in that htaccess file is ignored. What am I doing wrong? Is there a way to do this from inside the Plesk panel, or is my method the right one?
Thank you
 
Found a Solution...

Plesk 9+ is based on Lighttpd, so you have to add the following in

# Limit access to Admin
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/opt/psa/admin/htdocs/.htpasswd"
auth.require = ( "/" =>
    (
        "method"  => "basic",
        "realm"   => "Rocket-Guyana",
        "require" => "valid-user"
    ),
)

/etc/sw-cp-server/applications.d/plesk.socket.sh -> eg. after the fastcgi section

then add "mod_auth" to the first line in plesk.conf and restart the server /etc/init.d/sw-cp-server restart

Hope it helps. I post the solution for other people so they can apply the same.

--
Frank
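
An added example, not part of the original post: a Python check for the htpasswd userfile that the configuration above points at. It classifies each entry's hash scheme and flags a userfile that sits inside the served document root (as /opt/psa/admin/htdocs/.htpasswd does) or is readable by other users. The function names, verdict labels and sample entries are constructed for illustration.

```python
import os
import re
import stat

# htpasswd hash formats, most specific first: (pattern, scheme, verdict).
SCHEMES = [
    (r"\$2[aby]\$", "bcrypt", "ok"),
    (r"\$[56]\$", "sha-crypt", "ok"),
    (r"\$apr1\$", "apr1-md5", "weak"),           # salted, but fast MD5 rounds
    (r"\$1\$", "md5-crypt", "weak"),
    (r"\{SHA\}", "unsalted-sha1", "bad"),        # no salt at all
    (r"[./0-9A-Za-z]{13}$", "des-crypt", "bad"), # only 8 password chars used
]


def classify(hash_field):
    """Return (scheme, verdict) for the hash part of a user:hash line."""
    for pattern, scheme, verdict in SCHEMES:
        if re.match(pattern, hash_field):
            return scheme, verdict
    return "plaintext-or-unknown", "bad"


def audit_entries(text):
    """Map each user in htpasswd-format text to (scheme, verdict)."""
    result = {}
    for line in text.splitlines():
        user, sep, hash_field = line.strip().partition(":")
        if sep and not user.startswith("#"):
            result[user] = classify(hash_field)
    return result


def audit_location(userfile, docroot, mode):
    """Flag a userfile stored under the docroot or readable by 'other'."""
    real_file, real_root = os.path.realpath(userfile), os.path.realpath(docroot)
    findings = []
    if os.path.commonpath([real_file, real_root]) == real_root:
        findings.append("inside-docroot")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


# Constructed sample entries, not real credentials.
SAMPLE = """admin:$2y$10$ConstructedSaltAndHashValueForIllustrationOnly0123456
operator:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
legacy:rl8Xn3Zq1aB2c"""
```

On a live system, pass the real file's contents to audit_entries and os.stat(path).st_mode to audit_location.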
 
What's the reason for doing this?

Plesk already has its own auth form. If you're a hoster, you will start forcing customers to enter passwords twice. Or don't you give your customers access to the control panel?

If you want to prohibit access to the panel for everybody except you, you can use the Firewall module (or iptables directly). If you want to restrict admin access, you can take a look at Tools & Settings -> IP access restriction management.
 
Think about it and you might find it an easy way to stuff a potential security risk (Plesk control panel). This way it is relatively safe from any sort of panel script attack. iptables is IP/protocol based; this user/pass is more suitable for a lot of people and a no-go for automated script hacks etc.
 
I'm trying to understand how you use the panel. Do you have clients, or do you use it for personal purposes? If you have clients, do they enter passwords twice (first time due to htpasswd, second in the Plesk auth form)? It looks like adding htpasswd can be useful only if you use the panel only for personal purposes.
 
Big thanks! It's working fine in 11.0.9, but after the update to 11.5.30 this path does not exist:
/etc/sw-cp-server/applications.d/plesk.socket.sh

Is there a way to add htaccess for 11.5.30? :)

EDIT:
http://download1.parallels.com/Plesk/PP11/11.1/release-notes/parallels-plesk-panel-11.1-for-linux-based-os.html said:
Panel now uses nginx as the internal web server (used to host the Panel GUI) instead of lighttpd.
 