httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "James Devenish" <j-deven...@users.sourceforge.net>
Subject [users@httpd] Conditionally redirect to HTTPS URL if authorization required?
Date Fri, 28 Sep 2007 12:39:39 GMT
Hi,

I am wondering if there is a satisfactory solution to the following challenge.

I have an existing internal services website, running a diverse and
historical range of applications within the organisation and its
umbrella organisation. Various portions of the site (including the
home page, but not including many subareas) are protected with BASIC
authentication accessed historically within our local networks only.

However, the client base extends beyong our internal network. To
facilitate and protect remote access, we wish to use X509 certified &
encrypted sessions. We have an SSL certificate and mod_ssl is running
under Apache 2.0.x. A VPN is not the solution that fits our
circumstances or use cases.

We hope to avoid a complete redesign/rebadge/redevelopment of the
site. However, our difficulty is that we want clients to use SSL when,
and only when, a password-protected area is accessed from outside our
LAN. In other works, we 'simply' want to ensure that any time a
BASIC-protected username/password resource is requested, the user MUST
either be using SSL or be on our internal networks.

In other words, "IF (client used the http virtual host) AND
(authentication is required) AND (the client address is not part of a
designated network) THEN (redirect the client to the https virtual
host) ELSE (continue with request) ENDIF." There is no other
circumstance in which SSL is required (in fact, it is deliterious in
many of our circumstances).

Naturally, I would like to configure this requirement as a
virtual-host rule without having to remember to implant it into every
.htaccess in the site.  It's okay if we have to do some coding (e.g.,
write a small module), but I wouldn't know where to start.

Do you know of any inventive (or pre-existing!!!) solution that would
work with an existing site?

Regards,
James.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message