httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bryan Richardson" <>
Subject Re: [users@httpd] Question about Apache SSL and Rewrites
Date Mon, 17 Dec 2007 03:06:09 GMT

Thanks again for responding.  I've decided to use AuthDigest because of the
reasons you mentioned below.  However, while messing around some with
.htaccess files, I've come across the following situation that I can't seem
to figure out how to fix.

So I have the trac/ directory, which is the parent directory of all the Trac
projects I have on my machine.  I want users to have to login as soon as
they attempt to go to particular project (as opposed to logging in once they
click the login link).  I also want to force the use of SSL when at a
project's Trac site.  So, in the .htaccess file in my trac/ directory, I
have the following:

RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule [^/](.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

This forces the use of SSL when a user clicks on a link for any Trac project
site.  Then, in one of my Trac project's parent directory (foo/ for
example), I have the following in the .htaccess file:

AuthType Digest
AuthName "Foo Project"
AuthDigestDomain /foo/ http://localhost/trac/foo/
AuthUserFile /home/bar/.passwd
Require valid-user

This of course requires a login.  Now, the situation I'm coming across is
I'm getting two requests for login; one at http://localhost and the other at
https://localhost.  So, it looks to me like the authorization request is
occurring before the rewrite, then once the redirect happens it's requiring
another login because of the change in address (correct?).  Is there any way
(short of using the config files rather than .htaccess files) to force the
Rewrite to happen first?  Also, would use Redirects rather than Rewrites fix
the problem?  I've already tried to use a Redirect (RedirectMatch,
actually), but I couldn't get it to work.  If Redirects would fix the
problem then any suggestions on how to use a Redirect in the .htaccess file
for this situation would be much appreciated!!!

Thanks! -- BTR

On Dec 16, 2007 1:29 PM, Joshua Slive <> wrote:

> On Dec 16, 2007 1:06 PM, Bryan Richardson <> wrote:
> > Joshua,
> >
> > Thanks for responding.  I had planned on looking into AuthDigest anyway,
> so
> > I'll go ahead and do that.  If I end up using AuthDigest, would it then
> make
> > sense to only use SSL when actually logging in?
> >
> No, digest auth works the same way as basic except that it is much
> more difficult to sniff the password on the wire. So you can often get
> away without using SSL at all if you use digest.
> > Also, just for sake of knowledge, how should I go about adding a Rewrite
> to
> > my SSL host to redirect me to the non-SSL host once I've logged in?
> It's essentially the exact opposite of the rewrite for the non-SSL
> host (except you don't need the RewriteCond in either case, since the
> port is already fixed in the vhost).
> RewriteRule !trac/[^/]+/login$ http://%{SERVER_NAME}%{REQUEST_URI} [L,R]
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:> for more info.
> To unsubscribe, e-mail:
>   "   from the digest:
> For additional commands, e-mail:

View raw message