Posted to users@httpd.apache.org by Ashley Gould <ag...@ucop.edu> on 2005/08/22 22:58:17 UTC

[users@httpd] SSL and AuthType Basic

I want to force use of https on directories where authentication is 
required to avoid sending htpasswords in the clear.  Example:

<Directory /web/www-data/blah/blah>
    RewriteEngine        on
    RewriteCond          %{HTTPS} !=on
    RewriteRule     (.*) https://www.ucop.edu/blah/blah/$1 [R]

    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /usr/local/etc/httpd/htpasswd
    AuthGroupFile /usr/local/etc/httpd/htgroup
    Require group admins
</Directory>


This seems to work fine.  As soon as I authenticate, I'm pushed into
https.  But is the authentication itself actually encrypted?  What is
apache's behavior in this case?


p.s. mod_rewrite experts feel free to make suggestions about my rules.




-- 

-ashley

Did you try poking at it with a stick?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SSL and AuthType Basic

Posted by Ashley Gould <ag...@ucop.edu>.
On Tue, Aug 23, 2005 at 09:23:29AM -0400, Joshua Slive wrote:
> On 8/22/05, Ashley Gould <ag...@ucop.edu> wrote:
> > I want to force use of https on directories where authentication is
> > required to avoid sending htpasswords in the clear.  Example:
> > 
> > <Directory /web/www-data/blah/blah>
> >     RewriteEngine        on
> >     RewriteCond          %{HTTPS} !=on
> >     RewriteRule     (.*) https://www.ucop.edu/blah/blah/$1 [R]
> > 
> >     AuthType Basic
> >     AuthName "Restricted Area"
> >     AuthUserFile /usr/local/etc/httpd/htpasswd
> >     AuthGroupFile /usr/local/etc/httpd/htgroup
> >     Require group admins
> > </Directory>
> > 
> > 
> > This seems to work fine.  As soon as I authenticate, I'm pushed into
> > https.  But is the authentication itself actually encrypted?  What is
> > apache's behavior in this case?
> 
> I'm not an expert, and you should confirm this yourself by looking at
> the actual data going over the wire, but I believe that apache httpd
> will do the auth first, then the redirect, then the auth should be
> requested again.  The first one goes in plain text and the second one
> is encrypted.
> 
> To prevent this, put the auth stuff inside the ssl <VirtualHost> section.
> 
> Joshua.


I confirmed with ethereal that you are correct.  My fix is to place the
RewriteRule under the main server config and the AuthType stuff under
my ssl vhost.  This works correctly, but it will be hard to maintain.
There are over 80 such auth required directories.

<VirtualHost _default_:80>
[...]
<Directory /web/www-data/ucal/prop47>
    RewriteEngine        on
    RewriteCond          %{HTTPS} !=on
    RewriteRule     (.*) https://www.ucop.edu/ucal/prop47/$1 [R]
</Directory>
</VirtualHost>

<IfDefine SSL>
<VirtualHost _default_:443>
[...]
<Directory /web/www-data/ucal/prop47>
    SSLRequireSSL
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /usr/local/etc/httpd/htpasswd
    Require user piglet
</Directory>
</VirtualHost>
</IfDefine>




-- 

-ashley

Did you try poking at it with a stick?




Re: [users@httpd] SSL and AuthType Basic

Posted by Joshua Slive <js...@gmail.com>.
On 8/22/05, Ashley Gould <ag...@ucop.edu> wrote:
> I want to force use of https on directories where authentication is
> required to avoid sending htpasswords in the clear.  Example:
> 
> <Directory /web/www-data/blah/blah>
>     RewriteEngine        on
>     RewriteCond          %{HTTPS} !=on
>     RewriteRule     (.*) https://www.ucop.edu/blah/blah/$1 [R]
> 
>     AuthType Basic
>     AuthName "Restricted Area"
>     AuthUserFile /usr/local/etc/httpd/htpasswd
>     AuthGroupFile /usr/local/etc/httpd/htgroup
>     Require group admins
> </Directory>
> 
> 
> This seems to work fine.  As soon as I authenticate, I'm pushed into
> https.  But is the authentication itself actually encrypted?  What is
> apache's behavior in this case?

I'm not an expert, and you should confirm this yourself by looking at
the actual data going over the wire, but I believe that apache httpd
will do the auth first, then the redirect, then the auth should be
requested again.  The first one goes in plain text and the second one
is encrypted.

To prevent this, put the auth stuff inside the ssl <VirtualHost> section.

Joshua.

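The ordering Joshua describes and Ashley confirmed on the wire (the 401 challenge is issued before a per-directory RewriteRule redirect fires, so the first Basic credential exchange crosses the network in clear) is a property of the configuration layout, and the layout Ashley settled on, redirect in the :80 vhost and AuthType guarded by SSLRequireSSL only in the :443 vhost, can be checked mechanically, which also addresses the "over 80 such directories" maintenance worry. The checker below is an added example, not code from either poster or from the Apache project. It assumes the httpd.conf subset used in this thread (<VirtualHost>, <IfDefine> and <Directory> containers plus the AuthType and SSLRequireSSL directives); the embedded sample config is constructed from the two layouts quoted above, and the names audit, vhost_port and Ctx are my own.

```python
"""Flag AuthType Basic sections that a plain-HTTP request can reach.

Added example for the users@httpd thread; not Apache project code.  A Basic
auth container is reported when it has no SSLRequireSSL guard (its own or
inherited from an enclosing container) and is not confined to a :443 vhost.
Containers in the global server context, or in a vhost without an explicit
port, are treated conservatively as reachable over plain HTTP.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

OPEN_RE = re.compile(r'^<(\w+)\s*([^>]*)>$')   # <Directory /path>, <VirtualHost *:80>
CLOSE_RE = re.compile(r'^</(\w+)>$')            # </Directory>


@dataclass
class Ctx:
    """One open container; 'Server' is the synthetic global context."""
    kind: str
    arg: str
    line: int                  # line on which the container opened (0 = global)
    port: Optional[str]        # port inherited from the nearest VirtualHost
    require_ssl: bool          # SSLRequireSSL seen here or in an enclosing container
    auth_type: Optional[str] = None


def vhost_port(arg: str) -> Optional[str]:
    """'_default_:443' -> '443'; '*:80' -> '80'; no explicit port -> None."""
    m = re.search(r':(\d+)\s*$', arg)
    return m.group(1) if m else None


def audit(config_text: str, auth_types=('Basic',)) -> List[dict]:
    """Return one finding dict per risky container, in closing order."""
    findings: List[dict] = []
    stack = [Ctx('Server', '', 0, None, False)]

    def close(ctx: Ctx) -> None:
        if ctx.auth_type in auth_types and not ctx.require_ssl and ctx.port != '443':
            findings.append({
                'line': ctx.line,
                'container': f'{ctx.kind} {ctx.arg}'.strip(),
                'port': ctx.port,
                'auth_type': ctx.auth_type,
            })

    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = OPEN_RE.match(line)
        if m:
            parent = stack[-1]
            kind, arg = m.group(1), m.group(2).strip()
            port = vhost_port(arg) if kind == 'VirtualHost' else parent.port
            # SSLRequireSSL is inherited only if it precedes the child container.
            stack.append(Ctx(kind, arg, lineno, port, parent.require_ssl))
            continue
        if CLOSE_RE.match(line):
            close(stack.pop())
            continue
        directive, _, value = line.partition(' ')
        ctx = stack[-1]
        if directive.lower() == 'authtype':
            ctx.auth_type = value.strip()
        elif directive.lower() == 'sslrequiressl':
            ctx.require_ssl = True

    while stack:                      # server-level AuthType is reachable over HTTP too
        close(stack.pop())
    return findings


# Constructed sample: the first post's layout, then the split layout from the reply.
SAMPLE_CONF = """\
# global-context block from the first post: auth challenged before the redirect
<Directory /web/www-data/blah/blah>
    RewriteEngine        on
    RewriteCond          %{HTTPS} !=on
    RewriteRule     (.*) https://www.ucop.edu/blah/blah/$1 [R]
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /usr/local/etc/httpd/htpasswd
    Require group admins
</Directory>

<VirtualHost _default_:80>
<Directory /web/www-data/ucal/prop47>
    RewriteEngine        on
    RewriteCond          %{HTTPS} !=on
    RewriteRule     (.*) https://www.ucop.edu/ucal/prop47/$1 [R]
</Directory>
</VirtualHost>

<IfDefine SSL>
<VirtualHost _default_:443>
<Directory /web/www-data/ucal/prop47>
    SSLRequireSSL
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /usr/local/etc/httpd/htpasswd
    Require user piglet
</Directory>
</VirtualHost>
</IfDefine>
"""

if __name__ == '__main__':
    for f in audit(SAMPLE_CONF):
        where = f['port'] or 'global/unspecified port'
        print(f"line {f['line']}: AuthType {f['auth_type']} in <{f['container']}> "
              f"is reachable over plain HTTP ({where}) with no SSLRequireSSL")
```

Run against SAMPLE_CONF the checker reports only the first <Directory> block (line 2, global context); the :80 redirect block carries no AuthType and the :443 block is guarded by SSLRequireSSL, so neither is reported. Pointing it at a real httpd.conf tree means also walking Include files, which this example does not do.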