MarkJames (Author) Posted July 10, 2016: Well - it's cut down the number of entries to my error log significantly - it was getting hammered multiple times a second. It's still getting hit, though - once every few minutes now. Should I adjust the keepalive timeout, do you think? mark
MarkJames (Author) Posted July 18, 2016: Hi again Michael, So I've done some reading about this and now understand a bit more about what you were explaining earlier. I felt reasonably safe with .htaccess protecting my site but now see that the user/password is actually sent in the open with each request to the website and so a man-in-the-middle could easily grab my login credentials. Plus I don't have my Apache set up to prevent brute force attempts and - as my access.log will attest - there have been some remote attempts to access my server. So - I'm going to get to certificate installation this week. Do you have a recommendation for some sort of login or user authentication to go with https, though? A PHP session perhaps? Or do you feel that .htaccess will be adequate once the site is https? Thanks, mark
MWareman Posted July 18, 2016: Once you have a trusted cert and can access the site over https, then put a redirect on port 80 (to prevent http access). In a fully SSL-encrypted session, .htaccess 'basic' authentication is just fine - although not pretty. I also use fail2ban on my host to firewall off IPs that make more than a couple of bad requests for an added tier of security, but with a strong password it may not be necessary. Michael.
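As an added example (not configuration from either poster), here is an Apache virtual host pair that implements Michael's advice: a port-80 redirect so credentials are never sent in the clear, Basic authentication served only over TLS, and failed logins written to the error log where a fail2ban filter can count them. The hostname, document root, certificate and password-file paths are assumed placeholders.

```apache
# Added example, not from the thread. Assumed values: example.com,
# /var/www/html, and the certificate/password-file paths below.

# Port 80: answer every plain-HTTP request with a permanent redirect to HTTPS.
# No content and no authentication is served here, so Basic-auth credentials
# can never cross the wire unencrypted.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # HSTS (needs mod_headers): a browser that has seen this header once will
    # refuse to load the site over plain HTTP for a year, closing the window
    # between a user typing http:// and the redirect above.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Basic authentication is acceptable only because the session is now
    # TLS-encrypted. The password file lives outside DocumentRoot so it can
    # never be served as a static file.
    <Directory /var/www/html>
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>

    # Failed logins are written to this log as "authentication failure" lines;
    # fail2ban's stock apache-auth filter reads exactly these entries.
    ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
</VirtualHost>
```

With this in place, enabling fail2ban's `apache-auth` jail and pointing its logpath at the error log above gives the IP-banning tier Michael describes without any custom filter.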