httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Galić <i.ga...@brainsware.org>
Subject Re: [users@httpd] Noobie Htaccess/ SSL authentication
Date Thu, 09 Dec 2010 18:56:40 GMT

----- "Anthony Kowalick" <btv1==958707bf13f==tkowalic@skidmore.edu> wrote:

> Excuse me for my ignorance on Apache up front and sorry if this email
> is duplicated....
> 
> Here Is my situation (hopefully Im explaining it correctly).
> 
> We have an apache 2 server, using AuthLDAP for htaccess user/pass.

Lets hear what #httpd Channel bot fajita has to say about that:

<fajita> Don't confuse htaccess with password-protection. The
  purpose of htaccess is to enable users to configure apache
  locally for their own directories, when they have no privilege
  to do so in httpd.conf. Using htaccess slows the server. Also
  rewriterules and redirects are more complex in htaccess

> I am trying to set it up so that if a user goes to a page which
> requires
> authentication that that htaccess login is forced to to HTTPS/SSL so
> it=B9s
> not clear text.
> 
> For example.(folder names are not specific, examples only)
> 
> http://Www.mydomain.com/secure
> 
> This page requires LDAP auth but since the user didn=B9t type HTTPS
> its clear
> text.
> 
> How can I force Apache to say OK, this isnt HTTPS, redirect to HTTPS
> and
> then pop the login box and its not clear text?
> 
> I have tried all of these below
> 
> * RewriteCond %{SERVER_PORT} !^443$ RewriteRule .*
> https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
> This pops the login box but only after it shows the content of the
> page
> first. =B3hello world=B2
> 
> * SSLOptions +StrictRequire
> SSLRequireSSL
> SSLRequire %{HTTP_HOST} eq "mydomain.com"
> This fails to load any page if the user doesn=B9t explicitly type
> HTTPS in
> browser.
> 
> So what I=B9m looking to do is say:
> 
> User types in http://www.mydomain.com/secure
> 
> Apache says OK, that folder requires AUTH, lets first go to HTTPS,
> require
> LDAP login then show the page.

Maybe I can break this down to something resonable:

<VirtualHost *:80>
   ServerName www.mydomain.com
   DocumentRoot /srv/web/www.mydomain.com/htdocs
   Redirect permanent /secure https://www.mydomain.com/secure
</VirtualHost>

<VirtualHost *:443>
   ServerName www.mydomain.com
   DocumentRoot /srv/web/www.mydomain.com/htdocs

   SSLEngine On
   OtherSSLOptions
   
   <Location /secure>
      AuthStuffHere
   </Location>
</VirtualHost>


> Hope this makes sense.

So do I.

> Regards,
> Tony

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message