Posted to users@httpd.apache.org by Anthony Kowalick <bt...@skidmore.edu> on 2010/12/09 18:59:04 UTC

[users@httpd] Noobie Htaccess/ SSL authentication

Excuse me for my ignorance on Apache up front and sorry if this email is
duplicated....

Here is my situation (hopefully I'm explaining it correctly).

We have an apache 2 server, using AuthLDAP for htaccess user/pass.

I am trying to set it up so that if a user goes to a page which requires
authentication that that htaccess login is forced to HTTPS/SSL so it's
not clear text.

For example.(folder names are not specific, examples only)

http://Www.mydomain.com/secure

This page requires LDAP auth but since the user didn't type HTTPS it's
clear text.

How can I force Apache to say OK, this isn't HTTPS, redirect to HTTPS and
then pop the login box and it's not clear text?

I have tried all of these below

* RewriteCond %{SERVER_PORT} !^443$
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
This pops the login box but only after it shows the content of the page
first. "hello world"

* SSLOptions +StrictRequire
  SSLRequireSSL
  SSLRequire %{HTTP_HOST} eq "mydomain.com"
This fails to load any page if the user doesn't explicitly type HTTPS in
browser.

So what I'm looking to do is say:

User types in http://www.mydomain.com/secure

Apache says OK, that folder requires AUTH, lets first go to HTTPS, require
LDAP login then show the page.

Hope this makes sense.

Regards,
Tony

Re: [users@httpd] Noobie Htaccess/ SSL authentication

Posted by Igor Galić <i....@brainsware.org>.
----- "Anthony Kowalick" <bt...@skidmore.edu> wrote:

> Igor,
> 
> Thanks for the response.
> 
> My only issue with your response is that specifying the exact folder
> name
> /secure isnt an option. Here's why
> 
> We allow users to create any directory name they want with the
> understanding
> that if they name the folder ending with "login-only" that it will be
> a
> protected folder
> 
> So Joe User comes along and wants a secure folder for his pages.
> 
> Www.mydomain.com/coolsubfolder/secretstuff-login-only/
> 
> Since he put "login-only" at the end we have httpd set up to force any
> user
> to authenticate to our ldap.
> 
> Here is what our httpd.conf says

put this in the HTTPS (only) vhost.

> <Directory ~ "login-only">
>    AddHandler cgi-script .cgi
>    Options +ExecCGI  +Includes Indexes FollowSymLinks

Don't do that.
http://onlamp.com/pub/a/apache/2005/09/08/apacheckbk.html

>    AllowOverride None
>    Order allow,deny
>    Allow from all
>    AuthType Basic
>    AuthName "LDAP Authentication"
>    AuthBasicProvider ldap
>    AuthzLDAPAuthoritative off
>    AuthLDAPBindDN "xxxxxx"
>    AuthLDAPBindPassword "xxxxxxxxx"
>    AuthLDAPURL "ldap://xxxxxx"
>    require valid-user
> </Directory>
> 
> At least this is my understanding. I didn't code any of this, just
> inherited
> the issue.
> 
> Appreciate your time and help.

Still the setup shouldn't change much from what I suggested

   # in the HTTP vhost:
   RedirectMatch permanent ^/(.+-login-only)(/.*)? https://www.mydomain.com/$1$2

After doing the changes I suggested, can you specify:
What exactly is happening and in what way does it differ
from what you want to be happening?

> Thanks,
> Tony

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
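
The two pieces suggested in this thread put together, as an added example (not configuration posted by either participant). Host name and document root follow the thread; the certificate paths are placeholders, the SSLRequireSSL backstop on the HTTP vhost is an assumption added here, and the CGI handler and Options lines from the original block are left out.

```apache
# Added example. Apache 2.2 syntax, matching the directives used in the thread.

<VirtualHost *:80>
   ServerName www.mydomain.com
   DocumentRoot /srv/web/www.mydomain.com/htdocs

   # Pattern from the thread. mod_alias answers during URL translation,
   # before any access or authentication check runs, so no Basic
   # credentials are ever requested over plain HTTP.
   RedirectMatch permanent ^/(.+-login-only)(/.*)? https://www.mydomain.com/$1$2

   # Backstop (assumption, not from the thread): the <Directory> regex
   # matches "login-only" anywhere in the filesystem path, which is
   # broader than the redirect pattern above. Anything the redirect
   # misses is refused on this vhost instead of being served without
   # a login.
   <Directory ~ "login-only">
      SSLRequireSSL
   </Directory>
</VirtualHost>

<VirtualHost *:443>
   ServerName www.mydomain.com
   DocumentRoot /srv/web/www.mydomain.com/htdocs

   SSLEngine On
   SSLCertificateFile    /path/to/placeholder.crt
   SSLCertificateKeyFile /path/to/placeholder.key

   # Authentication is configured only in this vhost, so the 401
   # challenge and the Basic credentials always travel inside TLS.
   <Directory ~ "login-only">
      AllowOverride None
      Order allow,deny
      Allow from all
      SSLRequireSSL
      AuthType Basic
      AuthName "LDAP Authentication"
      AuthBasicProvider ldap
      AuthzLDAPAuthoritative off
      AuthLDAPBindDN "xxxxxx"
      AuthLDAPBindPassword "xxxxxxxxx"
      AuthLDAPURL "ldap://xxxxxx"
      Require valid-user
   </Directory>
</VirtualHost>
```

After a reload, a plain-HTTP request for a login-only path should return 301 with an https:// Location header and no WWW-Authenticate header; the 401 challenge should appear only on the HTTPS side.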


Re: [users@httpd] Noobie Htaccess/ SSL authentication

Posted by Anthony Kowalick <bt...@skidmore.edu>.
Igor,

Thanks for the response.

My only issue with your response is that specifying the exact folder name
/secure isn't an option. Here's why

We allow users to create any directory name they want with the understanding
that if they name the folder ending with "login-only" that it will be a
protected folder

So Joe User comes along and wants a secure folder for his pages.

Www.mydomain.com/coolsubfolder/secretstuff-login-only/

Since he put "login-only" at the end we have httpd set up to force any user
to authenticate to our ldap.

Here is what our httpd.conf says
<Directory ~ "login-only">
   AddHandler cgi-script .cgi
   Options +ExecCGI  +Includes Indexes FollowSymLinks
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthType Basic
   AuthName "LDAP Authentication"
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative off
   AuthLDAPBindDN "xxxxxx"
   AuthLDAPBindPassword "xxxxxxxxx"
   AuthLDAPURL "ldap://xxxxxx"
   require valid-user
</Directory>

At least this is my understanding. I didn't code any of this, just inherited
the issue.

Appreciate your time and help.

Thanks,
Tony

On 12/9/10 1:56 PM, "Igor Galić" <i....@brainsware.org> wrote:

> 
> ----- "Anthony Kowalick" <bt...@skidmore.edu> wrote:
> 
>> Excuse me for my ignorance on Apache up front and sorry if this email
>> is duplicated....
>> 
>> Here Is my situation (hopefully Im explaining it correctly).
>> 
>> We have an apache 2 server, using AuthLDAP for htaccess user/pass.
> 
> Let's hear what #httpd Channel bot fajita has to say about that:
> 
> <fajita> Don't confuse htaccess with password-protection. The
>   purpose of htaccess is to enable users to configure apache
>   locally for their own directories, when they have no privilege
>   to do so in httpd.conf. Using htaccess slows the server. Also
>   rewriterules and redirects are more complex in htaccess
> 
>> I am trying to set it up so that if a user goes to a page which
>> requires
>> authentication that that htaccess login is forced to HTTPS/SSL so
>> it's
>> not clear text.
>> 
>> For example.(folder names are not specific, examples only)
>> 
>> http://Www.mydomain.com/secure
>> 
>> This page requires LDAP auth but since the user didn't type HTTPS
>> its clear
>> text.
>> 
>> How can I force Apache to say OK, this isnt HTTPS, redirect to HTTPS
>> and
>> then pop the login box and its not clear text?
>> 
>> I have tried all of these below
>> 
>> * RewriteCond %{SERVER_PORT} !^443$ RewriteRule .*
>> https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
>> This pops the login box but only after it shows the content of the
>> page
>> first. "hello world"
>> 
>> * SSLOptions +StrictRequire
>> SSLRequireSSL
>> SSLRequire %{HTTP_HOST} eq "mydomain.com"
>> This fails to load any page if the user doesn't explicitly type
>> HTTPS in
>> browser.
>> 
>> So what I'm looking to do is say:
>> 
>> User types in http://www.mydomain.com/secure
>> 
>> Apache says OK, that folder requires AUTH, lets first go to HTTPS,
>> require
>> LDAP login then show the page.
> 
> Maybe I can break this down to something reasonable:
> 
> <VirtualHost *:80>
>    ServerName www.mydomain.com
>    DocumentRoot /srv/web/www.mydomain.com/htdocs
>    Redirect permanent /secure https://www.mydomain.com/secure
> </VirtualHost>
> 
> <VirtualHost *:443>
>    ServerName www.mydomain.com
>    DocumentRoot /srv/web/www.mydomain.com/htdocs
> 
>    SSLEngine On
>    OtherSSLOptions
>    
>    <Location /secure>
>       AuthStuffHere
>    </Location>
> </VirtualHost>
> 
> 
>> Hope this makes sense.
> 
> So do I.
> 
>> Regards,
>> Tony
> 
> i





Re: [users@httpd] Noobie Htaccess/ SSL authentication

Posted by Igor Galić <i....@brainsware.org>.
----- "Anthony Kowalick" <bt...@skidmore.edu> wrote:

> Excuse me for my ignorance on Apache up front and sorry if this email
> is duplicated....
> 
> Here Is my situation (hopefully Im explaining it correctly).
> 
> We have an apache 2 server, using AuthLDAP for htaccess user/pass.

Let's hear what #httpd Channel bot fajita has to say about that:

<fajita> Don't confuse htaccess with password-protection. The
  purpose of htaccess is to enable users to configure apache
  locally for their own directories, when they have no privilege
  to do so in httpd.conf. Using htaccess slows the server. Also
  rewriterules and redirects are more complex in htaccess

> I am trying to set it up so that if a user goes to a page which
> requires
> authentication that that htaccess login is forced to HTTPS/SSL so
> it's
> not clear text.
> 
> For example.(folder names are not specific, examples only)
> 
> http://Www.mydomain.com/secure
> 
> This page requires LDAP auth but since the user didn't type HTTPS
> its clear
> text.
> 
> How can I force Apache to say OK, this isnt HTTPS, redirect to HTTPS
> and
> then pop the login box and its not clear text?
> 
> I have tried all of these below
> 
> * RewriteCond %{SERVER_PORT} !^443$ RewriteRule .*
> https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
> This pops the login box but only after it shows the content of the
> page
> first. "hello world"
> 
> * SSLOptions +StrictRequire
> SSLRequireSSL
> SSLRequire %{HTTP_HOST} eq "mydomain.com"
> This fails to load any page if the user doesn't explicitly type
> HTTPS in
> browser.
> 
> So what I'm looking to do is say:
> 
> User types in http://www.mydomain.com/secure
> 
> Apache says OK, that folder requires AUTH, lets first go to HTTPS,
> require
> LDAP login then show the page.

Maybe I can break this down to something reasonable:

<VirtualHost *:80>
   ServerName www.mydomain.com
   DocumentRoot /srv/web/www.mydomain.com/htdocs
   Redirect permanent /secure https://www.mydomain.com/secure
</VirtualHost>

<VirtualHost *:443>
   ServerName www.mydomain.com
   DocumentRoot /srv/web/www.mydomain.com/htdocs

   SSLEngine On
   OtherSSLOptions
   
   <Location /secure>
      AuthStuffHere
   </Location>
</VirtualHost>


> Hope this makes sense.

So do I.

> Regards,
> Tony

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
