httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] Question about Apache SSL and Rewrites
Date Sun, 16 Dec 2007 18:01:18 GMT
On Dec 16, 2007 12:17 PM, Bryan Richardson <btricha@gmail.com> wrote:
> Hello all,
>
> I've set up a Trac site on my server, and I'm trying to configure it such
> that when a user attempts to login, SSL is used.  I *think* I've configured
> my rewrites correctly (see below), but after the login occurs the site is
> still using SSL.  I only want to use SSL for the actual act of logging in,
> and nothing else.  Can anyone help me with this?  See my site configuration
> files below for what I have so far.  Thanks!

Basic auth doesn't work that way. The userid and password are
transmitted on EVERY request, not just when you see the prompt in
the browser. (The browser memorizes the userid/password and resends it
as required.)

So if you want secure authentication with basic, everything needs to
be under SSL.

If you don't want that, your alternatives are digest auth (which is
somewhat more secure than basic) and cookie-based session management.
Cookies are the technique used by most major websites, but they aren't
provided in the standard Apache install (because there is no single
standard way to implement cookie-based auth).

To answer your original question of why you aren't redirected back,
it's because you didn't add a Rewrite in your SSL host to send you back
to your non-SSL host. But for the above reasons, you don't want to do
that.

>
> P.S. Can anyone tell me what SSLRequireSSL does and if it's actually
> necessary?

It denies any request that is not over an SSL connection. The way you
used it makes no sense because it only applies to requests served by
the SSL vhost, which are obviously under SSL. The typical way to use
it is to put it in the main server config (outside any vhost) to make
sure that requests for certain directories are only served by the SSL
vhost.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
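The layout Joshua recommends, written out as an added example. This is not the poster's configuration (the archive does not include it); the hostname, certificate and htpasswd paths, and the /trac URL prefix are assumed placeholders. It shows why rewriting only the login URL is not enough: once the browser has answered a Basic challenge for /trac/login, it sends the same Authorization header preemptively on every later request under /trac/, so the whole tree has to be served over TLS.

```apache
# Added example, not from the thread. Hostname, file paths and the
# /trac prefix are assumed placeholders.

# --- Layout the thread describes (does not protect the password) ------
# Only /trac/login is rewritten to https, and SSLRequireSSL sits inside
# the *:443 vhost, where every request is already TLS, so it never
# rejects anything. After login the browser keeps resending
# "Authorization: Basic ..." on each request under /trac/, and those
# requests travel over plain HTTP once the user is back on port 80.
#
# <VirtualHost *:80>
#     RewriteEngine On
#     RewriteRule ^/trac/login https://trac.example.com/trac/login [R,L]
# </VirtualHost>
# <VirtualHost *:443>
#     SSLEngine on
#     <Location /trac/login>
#         SSLRequireSSL
#     </Location>
# </VirtualHost>

# --- Corrected layout -------------------------------------------------
# 1. Main server config, outside any <VirtualHost>, so it applies to
#    both vhosts. Basic auth stays on the login URL only, but the whole
#    /trac tree refuses non-TLS requests: the browser's cached
#    credentials cover every path at or below /trac/, not just /login.
#    This is the SSLRequireSSL usage Joshua describes, and it keeps
#    working even if the redirect below is ever removed.
<Location /trac>
    SSLRequireSSL
</Location>

<Location /trac/login>
    AuthType Basic
    AuthName "Trac"
    AuthUserFile /etc/apache2/trac.htpasswd
    Require valid-user
</Location>

# 2. Plain-HTTP vhost: send every request to the SSL vhost, not only
#    the login URL. With SSLRequireSSL above, a direct http://.../trac
#    request that somehow bypassed this rule would get 403, not the page.
<VirtualHost *:80>
    ServerName trac.example.com
    RewriteEngine On
    RewriteRule ^/(.*)$ https://trac.example.com/$1 [R=301,L]
</VirtualHost>

# 3. SSL vhost. No SSLRequireSSL here (everything in it is already TLS)
#    and, deliberately, no rewrite back to http after login: that is the
#    "redirect back" the original poster was missing, and adding it
#    would push the cached Basic credentials back onto the clear.
<VirtualHost *:443>
    ServerName trac.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/trac.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/trac.example.com.key
</VirtualHost>
```

Note that Apache comments must start a line; a "#" after a directive on the same line is a syntax error, which is why every remark above sits on its own line. Run `apachectl configtest` after editing, and confirm the behaviour by fetching http://trac.example.com/trac/wiki with a browser that has already logged in: it should get a 301 to https, never a 200.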

