httpd-users mailing list archives

From "Pol Hallen" <apach...@fuckaround.org>
Subject [users@httpd] digest auth over ssl
Date Thu, 19 Jun 2014 19:52:07 GMT
Hi all :-)

I've configured apache2 to redirect a virtual host (munin) from http to
https. I have something like this:

cat /etc/apache2/site-enabled/default

[...]
# 20140619 - munin redirect http to https
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} ^/munin/.*
RewriteRule ^(.*)$ https://server1.example.com/$1 [R,L]
[...]

munin has its default config:

cat /etc/apache2/site-enabled/munin

Alias /munin /var/cache/munin/www
<Directory /var/cache/munin/www>
        Order allow,deny
        Allow from all ::1
        Options None
        AuthUserFile /etc/munin/munin-pass
        AuthName "server1.example.com"
        AuthType Digest
        require valid-user
    <IfModule mod_expires.c>
        ExpiresActive On
        ExpiresDefault M310
    </IfModule>
</Directory>

So, when I try to connect (using chrome) to
http://server1.example.com/munin, the browser immediately asks me for a
username and password (I'm connected using http). After I insert my
credentials, the browser warns me about an untrusted certificate (it's ok:
I don't have a trusted certificate). When I force it to connect using https
I need to re-insert the username and password, and only now can I see the
munin page.

Now, when I insert the user and password (the first time), can those
credentials be intercepted? Or am I inside the SSL tunnel?

If not, how can I configure either http://server1.example.com/munin to
(securely) redirect to https://server1.example.com/munin, or to start only
using https://server1.example.com/munin?

Thanks for the help!

Pol
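
One way to set up what the message asks for, as an added example that is not part of the original post or of any list reply: the port 80 virtual host only redirects, and the munin alias with its Digest challenge exists only in the port 443 virtual host. It assumes mod_ssl and mod_auth_digest are loaded and that the munin block is moved out of the server-wide config into the TLS virtual host; the certificate paths are placeholders.

```apache
# Added example, not the poster's configuration.
# Note on the rule in the post: the condition ^/munin/.* needs a slash after
# "munin", so a request for /munin (no trailing slash) is not rewritten and
# is answered on port 80, where the Digest challenge is then sent in clear.

# Port 80: no Alias and no auth block for /munin here. The only possible
# answer is a redirect, so no 401 challenge is issued over plain HTTP.
<VirtualHost *:80>
    ServerName server1.example.com
    # Prefix match: covers /munin, /munin/ and everything below it.
    Redirect permanent /munin https://server1.example.com/munin
</VirtualHost>

# Port 443: the munin content and its Digest challenge exist only here.
<VirtualHost *:443>
    ServerName server1.example.com
    SSLEngine On
    # Placeholder paths (assumption): point these at the real files.
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem

    Alias /munin /var/cache/munin/www
    <Directory /var/cache/munin/www>
        # Refuse the request if this block is ever reached without TLS.
        SSLRequireSSL
        # The lines below are the directives from the post, unchanged.
        Order allow,deny
        Allow from all ::1
        Options None
        AuthUserFile /etc/munin/munin-pass
        AuthName "server1.example.com"
        AuthType Digest
        require valid-user
        <IfModule mod_expires.c>
            ExpiresActive On
            ExpiresDefault M310
        </IfModule>
    </Directory>
</VirtualHost>
```

With this layout, `curl -sI http://server1.example.com/munin` should return a 301 with a `Location:` header and no `WWW-Authenticate:` header.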


