Redirects in the non-secure virtual host to the secure virtual host would
certainly do the trick. The module does have value (better name would be
Apache::AuthRedirect, IMO), but it would be built for people to be lazy
about their configurations.

Regards,
Christian

----------------------
Christian Gilmore
Team Lead
Web Infrastructure & Tools
IBM Software Group

> -----Original Message-----
> From: Stephen Adkins [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 3:09 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: ANNOUNCE: Starting work on Apache::RedirectUnless
>
>
> Hi,
>
> I have been following this thread with interest because I have been
> struggling with the same problem.  I define it this way.
>
>  * To achieve secure authentication which is widely supported, you need
>    to use Basic authentication over SSL
>  * All URLs which can be accessed with HTTPS can be accessed with HTTP
>  * I secure certain directories with .htaccess and all of the links
>    in my site which point to them are via HTTPS, so as long as people
>    always follow the links, they will never transfer the password
>    in clear text (essentially) over the network using HTTP.
>  * However, if they type the URL directly into the browser and they
>    *forget* to use "https" but rather use "http", their password
>    is exposed to network sniffers.
>
> I think that it was to solve this problem that J.J.Horner suggested
> the module.  Any request to a secured area using HTTP would be
> automatically redirected to the same URL with HTTPS instead.
> Thus, the browser would never, ever be prompted to surrender the
> authentication credentials (password) in the clear over HTTP.
>
> Thus, I see great value to JJ's suggested module.
>
> Is there an easier way to safeguard against Apache prompting for
> a password over HTTP?
>
> Stephen
>
> At 01:41 PM 9/18/2001 -0500, Christian Gilmore wrote:
> >A realm is defined by the following three things:
> >
> >1) AuthName
> >2) ServerName (well, the server name in the URL actually)
> >3) Port (well, the port to which the browser is talking)
> >
> >If these three things are not always the same, the browser will prompt the
> >user to re-authenticate. So, you cannot authenticate a user on your https
> >port and magically expect that information to be passed by the browser to
> >your http port. You'd have to do application-layer session handling with
> >some kind of shared information across services. There are security
> >implications to consider here...
> >
> >Regards,
> >Christian
> >
> >> -----Original Message-----
> >> From: 'J. J. Horner' [mailto:[EMAIL PROTECTED]]
> >> Sent: Tuesday, September 18, 2001 12:01 PM
> >> To: [EMAIL PROTECTED]
> >> Cc: [EMAIL PROTECTED]
> >> Subject: Re: ANNOUNCE: Starting work on Apache::RedirectUnless
> >>
> >>
> >> The problem with that solution is that we have 2 virtual hosts, one http,
> >> one https, on one machine.  https is the only available transport outside
> >> of our network, while the http server is available internally.
> >>
> >> This is a production webserver, with existing information, applications,
> >> etc.  We don't want to redesign our existing setup just to move content to
> >> a secure virtualhost when someone wants to authenticate.  This approach
> >> allows us to keep things from the developer side very transparent.
> >> Developers can continue to maintain and create as usual, with the added
> >> step of a login being transferred by https method.
> >>
> >> If I were designing a server from scratch, I would plan better, but since
> >> we are trying to implement encrypted basic authentication after the
> >> server, sites, applications are in place, we have to work around them.
> >>
> >> With the AuthName set to one value across the server, we may be able to
> >> prevent too many logins.
> >>
> >> We need to keep the same content on both virtualhosts as much as possible.
> >>
> >> Ideas?  Comments?
> >>
> >> Thanks,
> >> JJ
> >>
> >>
> >> * Christian Gilmore ([EMAIL PROTECTED]) [010918 11:36]:
> >> > Putting it into the auth phase would be appropriate, but I have to wonder
> >> > why this module is needed other than to refrain from keeping your
> >> > configuration file clean. Your unsecure virtual host should have no auth
> >> > statements in it if you want all auth to be on your secure virtual host...
> >> >
> >> > You'll need to have your entire session where you want the user to
> >> > authenticate on the same virtual host, else the user will be prompted
> >> > multiple times or you will have a security gap if you're leaving it all up
> >> > to the service layer.
> >> >
> >> > Regards,
> >> > Christian
> >> >
> >> > > -----Original Message-----
> >> > > From: J. J. Horner [mailto:[EMAIL PROTECTED]]
> >> > > Sent: Tuesday, September 18, 2001 8:51 AM
> >> > > To: [EMAIL PROTECTED]
> >> > > Subject: ANNOUNCE: Starting work on Apache::RedirectUnless
> >> > >
> >> > >
> >> > > I have need of a module that will redirect to https anytime
> >> > > basic authentication is required.
> >> > >
> >> > > I figure the best way to do this is to step in at the authentication
> >> > > phase, and should authentication be required and the method be http,
> >> > > redirect to https for any and all basic authentication traffic.  Perhaps
> >> > > after this, redirect to http, if desired.
> >> > >
> >> > > Any comments or suggestions?
> >> > >
> >> > > Thanks,
> >> > > JJ
> >> > >
> >> > > --
> >> > > J. J. Horner
> >> > > "H*","6d6174686c696e40326a6e6574776f726b732e636f6d"
> >> > > ***************************************************
> >> > > "H*","6a6a686f726e65724062656c6c736f7574682e6e6574"
> >> > >
> >> > > Freedom is an all-or-nothing proposition:  either we
> >> > > are completely free, or we are subjects of a
> >> > > tyrannical system.  If we lose one freedom in a
> >> > > thousand, we become completely subjugated.
> >> > >
> >>
> >> --
> >> J. J. Horner
> >> "H*","6d6174686c696e40326a6e6574776f726b732e636f6d"
> >> ***************************************************
> >> "H*","6a6a686f726e65724062656c6c736f7574682e6e6574"
> >>
> >> Freedom is an all-or-nothing proposition:  either we
> >> are completely free, or we are subjects of a
> >> tyrannical system.  If we lose one freedom in a
> >> thousand, we become completely subjugated.
> >>
> >
> >
> >
>
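The approach JJ describes in the announcement (step in at the authentication phase and redirect to https before any Basic-auth challenge goes out over plain http) can be sketched as a small mod_perl 1.x handler. The code below is an added illustration written for this page; it is not the Apache::RedirectUnless module the thread is about, and the package name Apache::RedirectUnlessSSL, the PerlSetVar names SecureHost and SecurePort, and the httpd.conf paths in the comments are all hypothetical. It assumes Apache 1.3 with mod_perl 1.x and mod_ssl, and falls back to the port the browser connected to (one of the three things Christian lists as defining a realm) because mod_ssl's HTTPS environment variable is not guaranteed to be populated as early as the authentication phase.

```perl
# Added example, not code from the thread or from Apache::RedirectUnless.
# A mod_perl 1.x PerlAuthenHandler that refuses to let Basic authentication
# happen over plain HTTP: it runs before anything calls get_basic_auth_pw(),
# so the browser never receives a 401 challenge on the http port and never
# sends a password in the clear.
#
# Assumed httpd.conf fragment (hypothetical paths and names):
#
#   <Location /private>
#       AuthType Basic
#       AuthName "Members"
#       AuthUserFile /etc/apache/htpasswd
#       require valid-user
#       PerlSetVar SecureHost www.example.com   # optional; defaults to ServerName
#       PerlSetVar SecurePort 443               # optional; defaults to 443
#       PerlAuthenHandler Apache::RedirectUnlessSSL
#   </Location>

package Apache::RedirectUnlessSSL;   # hypothetical name for this example

use strict;
use Apache::Constants qw(DECLINED REDIRECT);
use Apache::Util ();

sub handler {
    my $r = shift;

    # Only act on the main request; subrequests inherit its outcome.
    return DECLINED unless $r->is_initial_req;

    my $secure_port = $r->dir_config('SecurePort') || 443;

    # mod_ssl sets HTTPS=on for encrypted connections, but that variable may
    # not exist yet in the authen phase, so also accept "browser is talking
    # to the secure port" as proof that we are already on SSL.
    my $https  = $r->subprocess_env('HTTPS') || '';
    my $on_ssl = (lc($https) eq 'on') || ($r->get_server_port == $secure_port);

    # Already encrypted: decline and let mod_auth (or the next
    # PerlAuthenHandler) issue the Basic challenge as usual.
    return DECLINED if $on_ssl;

    # Plain HTTP: rebuild the same URL on the secure host and redirect
    # before any 401 challenge can be sent.  escape_uri() re-encodes the
    # decoded path so the Location header is a valid URL.
    my $host = $r->dir_config('SecureHost') || $r->get_server_name;
    my $uri  = Apache::Util::escape_uri($r->uri);
    my $args = $r->args;                      # raw query string in scalar context
    $uri .= "?$args" if defined $args && length $args;

    my $location = "https://$host";
    $location .= ":$secure_port" unless $secure_port == 443;
    $location .= $uri;

    $r->header_out(Location => $location);
    return REDIRECT;                          # 302; browser retries over https
}

1;
```

Two caveats follow directly from the thread. First, the handler only prevents the challenge from being sent over http; once the user has authenticated on the https port, the browser treats that host:port:AuthName triple as the realm, so the "redirect back to http afterwards" idea from the announcement would simply trigger a fresh prompt (or expose the credentials) on the http side, exactly as Christian warns. Second, if the secure virtual host sits behind something that changes the port the server sees (a proxy or accelerator), the port test above will misjudge every request and loop; in that deployment the SSL check must come from a trustworthy source such as the mod_ssl variable, and a 302 also turns any POST into a GET, so forms that require authentication should already be served from https links.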
