Re: [users@httpd] SSL and AuthType Basic

Tue, 23 Aug 2005 18:15:33 -0700 

On Tue, Aug 23, 2005 at 09:23:29AM -0400, Joshua Slive wrote:
> On 8/22/05, Ashley Gould <[EMAIL PROTECTED]> wrote:
> > I want to force use of https on directories where authentication is
> > required to avoid sending htpasswords in the clear.  Example:
> > 
> > <Directory /web/www-data/blah/blah>
> >     RewriteEngine        on
> >     RewriteCond          %{HTTPS} !=on
> >     RewriteRule     (.*) https://www.ucop.edu/blah/blah/$1 [R]
> > 
> >     AuthType Basic
> >     AuthName "Restricted Area"
> >     AuthUserFile /usr/local/etc/httpd/htpasswd
> >     AuthGroupFile /usr/local/etc/httpd/htgroup
> >     Require group admins
> > </Directory>
> > 
> > 
> > This seems to work fine.  As soon as I authenticate, I'm pushed into
> > https.  But is the authentication itself actually encrypted?  What is
> > apache's behavior in this case?
> 
> I'm not an expert, and you should confirm this yourself by looking at
> the actual data going over the wire, but I believe that apache httpd
> will do the auth first, then the redirect, then the auth should be
> requested again.  The first one goes in plain text and the second one
> is encrypted.
> 
> To prevent this, put the auth stuff inside the ssl <VirtualHost> section.
> 
> Joshua.


I confirmed with ethereal that you are correct.  My fix is to place the
RewriteRule under the main server config the the  AuthType stuff under
my ssl vhost.  This works correctly, but it will be hard to maintain.
There are over 80 such auth required directories.

<VirtualHost _default_:80>
[...]
<Directory /web/www-data/ucal/prop47>
    RewriteEngine        on
    RewriteCond          %{HTTPS} !=on
    RewriteRule     (.*) https://www.ucop.edu/ucal/prop47/$1 [R]
</Directory>
</VirtualHost>

<IfDefine SSL>
<VirtualHost _default_:443>
[...]
<Directory /web/www-data/ucal/prop47>
    SSLRequireSSL
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /usr/local/etc/httpd/htpasswd
    Require user piglet
</Directory>
</VirtualHost>
</IfDefine>



> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: [EMAIL PROTECTED]
>    "   from the digest: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 

-- 

-ashley

Did you try poking at it with a stick?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to