httpd-users mailing list archives

From Daniel Merino <daniel.mer...@unavarra.es>
Subject [users@httpd] Secure htaccess in a non-SSL Apache (and without Digest...)
Date Fri, 29 Jun 2012 08:06:04 GMT
Hi everybody.

We have a really complex issue and we aren't able to imagine how it
could be solved. We hope that maybe some Apache expert will give us some
ideas. Please, if this is not the correct list, tell me where I should
send this email.

We have a Drupal 6 installation which serves video (Flash & HTML5) 
working over Apache 2.2.15 in CentOS 6. We want all passwords to be sent 
encrypted in this platform.

Configuring a full SSL Apache is not a good solution, because there are
huge videos uploaded and encrypting them would have a great impact on
performance.

Protecting Drupal's login is quite simple. There is a module that 
protects only the login module, so this solution is perfect for us.

However, with some especially sensitive videos we also have an extra
protection. We set an htaccess with mod_authn_dbd linked with the Drupal
database, so direct access to these resources' URLs is protected with the
same user & password used in Drupal.

It is this validation that we are stuck on. If we set AuthType Basic,
passwords are sent in plain text. If we set Digest, it doesn't work
because Digest needs a fixed format (User:Realm:Password in MD5) and
Drupal passwords are different (just password in MD5).

Apache httpd.conf allows serving some resources through port 80 and
others through 443, but the resource to protect must be served
through port 80, so htaccess is also sent through it.

We are really blocked here. Please, could somebody give us any advice?

Many thanks in advance.
-- 
Daniel Merino Echeverría
daniel.merino@unavarra.es
E-learning manager - Centro Superior de Innovación Educativa.
Tel.: 948-168489 - Universidad Pública de Navarra.
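
The format mismatch described in the message, as an added example that is not part of the original post: a Digest check (RFC 2617, `qop=auth`) run once against a stored MD5("user:realm:password") and once against a stored MD5(password). The user, realm, password, URI and nonce values are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def drupal6_hash(password: str) -> str:
    # Stored form described in the message: MD5 of the password alone.
    return md5_hex(password)

def digest_ha1(user: str, realm: str, password: str) -> str:
    # Stored form Digest needs: MD5 of "user:realm:password" (HA1).
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 request-digest: MD5(HA1:nonce:nc:cnonce:qop:MD5(method:uri)).
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_accepts(stored_hash, client_response, method, uri, nonce, nc, cnonce):
    # The server never sees the password; it recomputes the response
    # from whatever hash it has stored and compares in constant time.
    expected = digest_response(stored_hash, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)

def demo():
    # Constructed sample values, not taken from the original message.
    user, realm, password = "alice", "Protected videos", "example-passphrase"
    req = dict(method="GET", uri="/videos/private/lecture.flv",
               nonce="constructed-nonce-0001", nc="00000001",
               cnonce="constructed-cnonce")
    # What a browser sends: a response derived from HA1, never the password.
    client = digest_response(digest_ha1(user, realm, password), **req)
    with_ha1 = server_accepts(digest_ha1(user, realm, password), client, **req)
    with_drupal = server_accepts(drupal6_hash(password), client, **req)
    return with_ha1, with_drupal

if __name__ == "__main__":
    ok_ha1, ok_drupal = demo()
    print("stored MD5(user:realm:password):", "accepted" if ok_ha1 else "rejected")
    print("stored MD5(password):           ", "accepted" if ok_drupal else "rejected")
```

Because MD5 is one-way, the HA1 value cannot be derived from an existing MD5(password) column; it can only be computed at a point where the cleartext password is available, such as login or a password change.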