The problem with that solution is that we have 2 virtual hosts, one http, one https,
on one machine.  https is the only available transport outside of our network, while
the http server is available internally.

This is a production webserver, with existing information, applications, etc.  We don't
want to redesign our existing setup just to move content to a secure virtualhost when
someone wants to authenticate.  This approach allows us to keep things from the
developer side very transparent.  Developers can continue to maintain and create as
usual, with the added step of a login being transferred by https method.

If I were designing a server from scratch, I would plan better, but since we are trying
to implement encrypted basic authentication after the server, sites, applications are
in place, we have to work around them.

With the AuthName set to one value across the server, we may be able to prevent too
many logins.

We need to keep the same content on both virtualhosts as much as possible.

Ideas?  Comments?

Thanks,
JJ


* Christian Gilmore ([EMAIL PROTECTED]) [010918 11:36]:
> Putting it into the auth phase would be appropriate, but I have to wonder
> why this module is needed other than to refrain from keeping your
> configuration file clean. Your unsecure virtual host should have no auth
> statements in it if you want all auth to be on your secure virtual host...
> 
> You'll need to have your entire session where you want the user to
> authenticate on the same virtual host, else the user will be prompted
> multiple times or you will have a security gap if you're leaving it all up
> to the service layer.
> 
> Regards,
> Christian
> 
> > -----Original Message-----
> > From: J. J. Horner [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, September 18, 2001 8:51 AM
> > To: [EMAIL PROTECTED]
> > Subject: ANNOUNCE: Starting work on Apache::RedirectUnless
> >
> >
> > I have need of a module that will redirect to https anytime
> > basic authentication is required.
> >
> > I figure the best way to do this is to step in at the authentication
> > phase, and should authentication be required and the method be http,
> > redirect to https for any and all basic authentication
> > traffic.  Perhaps after this, redirect to http, if desired.
> >
> > Any comments or suggestions?
> >
> > Thanks,
> > JJ
> >
> > --
> > J. J. Horner
> > "H*","6d6174686c696e40326a6e6574776f726b732e636f6d"
> > ***************************************************
> > "H*","6a6a686f726e65724062656c6c736f7574682e6e6574"
> >
> > Freedom is an all-or-nothing proposition:  either we
> > are completely free, or we are subjects of a
> > tyrannical system.  If we lose one freedom in a
> > thousand, we become completely subjugated.
> >

-- 
J. J. Horner
"H*","6d6174686c696e40326a6e6574776f726b732e636f6d"
***************************************************
"H*","6a6a686f726e65724062656c6c736f7574682e6e6574"

Freedom is an all-or-nothing proposition:  either we 
are completely free, or we are subjects of a
tyrannical system.  If we lose one freedom in a
thousand, we become completely subjugated.
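
An added sketch of the redirect discussed in this thread, not code from any of the posters and not the announced Apache::RedirectUnless module: a mod_perl 1.x handler that sends requests for Basic-protected resources on the plain-http virtual host to https before any 401 challenge is issued. The package name, the `SecureHost` variable and the host name are hypothetical, and it assumes the handler runs in the access phase (which precedes authentication) and is configured only in the http virtual host.

```perl
package My::RedirectAuthToSSL;    # hypothetical name, not Apache::RedirectUnless
use strict;
use Apache::Constants qw(DECLINED REDIRECT SERVER_ERROR);
use Apache::Util ();

# Assumed httpd.conf wiring, inside the plain-http <VirtualHost> only:
#   PerlSetVar        SecureHost www.example.com    # constructed host name
#   PerlAccessHandler My::RedirectAuthToSSL
sub handler {
    my $r = shift;

    # Subrequests and internal redirects follow the outer request's decision.
    return DECLINED unless $r->is_initial_req;

    # Act only where a "require" directive applies and AuthType is Basic.
    return DECLINED unless $r->some_auth_required;
    return DECLINED unless lc($r->auth_type || '') eq 'basic';

    # Use a configured host, not the client's Host header, so the request
    # cannot steer the Location header. Fail closed if it is missing:
    # declining here would let the password prompt happen over http.
    my $host = $r->dir_config('SecureHost');
    unless ($host) {
        $r->log_error('RedirectAuthToSSL: SecureHost is not set');
        return SERVER_ERROR;
    }

    # $r->uri is the decoded path; re-escape it before building the URL.
    my $location = "https://$host" . Apache::Util::escape_uri($r->uri);
    my $query    = $r->args;      # scalar context: raw query string
    $location .= "?$query" if defined $query && length $query;

    # Returning REDIRECT here ends the request before the authentication
    # phase, so this virtual host never asks the browser for credentials.
    $r->header_out(Location => $location);
    return REDIRECT;
}

1;
```

The https virtual host keeps the ordinary AuthType/AuthName/require configuration and does not load this handler, so the password prompt only ever appears there.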
