| SYSTEM INFORMATION | |
|---|---|
| OS type and version | Debian 10&11 |
| Webmin version | 1.999-2.0 |
| Virtualmin version | 7.1 |
| Related packages | apache2 |
Hello, some thoughts on Virtualmin password restrictions for web directories, in order to improve the feature:
- have any user, and not always append @domain.tld they do not need to be “real” users, in Virtualmin’s tradition;
- so have the password field right there in the interface, not to go back to user management; maybe check for the directory, if doesn’t exit, create it;
- have also a field to exclude IPs or whole networks, see bellow;
- deal with TLS as Let’s Encrypt has no longer access there, a big problem - well known should be excluded;
- write the options in the Apache config file, not .htaccess, as for example one can get “Failed to protect new directory : The protection file /home/domain.tld/public_html/.htaccess is a symbolic link”; for example I use (not easily editable by users though, good idea here also to write passwords in a different file outside web root):
<Location / >
AuthName "Restricted"
AuthType Basic
AuthUserFile /home/domain.tld/.htpasswd
SetEnvIf Request_URI /.well-known noauth=1
<RequireAny>
Require env noauth
Require env REDIRECT_noauth
Require ip 1.2.3.4/27
Require valid-user
</RequireAny>
</Location>
Posted also here Add better UX · virtualmin/virtualmin-htpasswd@f5eccbb · GitHub , but of course sounds more like suggestions for a rewrite not actual bugs 
