httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ashley Gould <ago...@ucop.edu>
Subject Re: [users@httpd] SSL and AuthType Basic
Date Wed, 24 Aug 2005 01:15:29 GMT
On Tue, Aug 23, 2005 at 09:23:29AM -0400, Joshua Slive wrote:
> On 8/22/05, Ashley Gould <agould@ucop.edu> wrote:
> > I want to force use of https on directories where authentication is
> > required to avoid sending htpasswords in the clear.  Example:
> > 
> > <Directory /web/www-data/blah/blah>
> >     RewriteEngine        on
> >     RewriteCond          %{HTTPS} !=on
> >     RewriteRule     (.*) https://www.ucop.edu/blah/blah/$1 [R]
> > 
> >     AuthType Basic
> >     AuthName "Restricted Area"
> >     AuthUserFile /usr/local/etc/httpd/htpasswd
> >     AuthGroupFile /usr/local/etc/httpd/htgroup
> >     Require group admins
> > </Directory>
> > 
> > 
> > This seems to work fine.  As soon as I authenticate, I'm pushed into
> > https.  But is the authentication itself actually encrypted?  What is
> > apache's behavior in this case?
> 
> I'm not an expert, and you should confirm this yourself by looking at
> the actual data going over the wire, but I believe that apache httpd
> will do the auth first, then the redirect, then the auth should be
> requested again.  The first one goes in plain text and the second one
> is encrypted.
> 
> To prevent this, put the auth stuff inside the ssl <VirtualHost> section.
> 
> Joshua.


I confirmed with ethereal that you are correct.  My fix is to place the
RewriteRule under the main server config the the  AuthType stuff under
my ssl vhost.  This works correctly, but it will be hard to maintain.
There are over 80 such auth required directories.

<VirtualHost _default_:80>
[...]
<Directory /web/www-data/ucal/prop47>
    RewriteEngine        on
    RewriteCond          %{HTTPS} !=on
    RewriteRule     (.*) https://www.ucop.edu/ucal/prop47/$1 [R]
</Directory>
</VirtualHost>

<IfDefine SSL>
<VirtualHost _default_:443>
[...]
<Directory /web/www-data/ucal/prop47>
    SSLRequireSSL
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /usr/local/etc/httpd/htpasswd
    Require user piglet
</Directory>
</VirtualHost>
</IfDefine>



> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 

-- 

-ashley

Did you try poking at it with a stick?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message