Posted to users@httpd.apache.org by Paul Reilly <pa...@tcd.ie> on 2009/07/07 19:25:34 UTC

[users@httpd] Redirecting htaccess over SSL, then back to port 80?

Hello,

Is there a recommended solution for redirecting clients which need
to authenticate for .htaccess to a secure version of the URL, and then,
following successful authentication, redirecting them back to the normal
(port 80) URL?

I've seen code like the following

        <Directory "/web/docroot/secure">
                SSLOptions +StrictRequire
                SSLRequireSSL
                ErrorDocument 403 https://myserver.tld/secure
        </Directory>

This will enforce the user over HTTPs for the specified folders, but not
send them back to port 80 following authentication.

I don't want to force all web access over HTTPS, just the .htaccess
authentication.

I'm sure this is a Frequently Asked Question, but I have not been able to
find an answer.
Anybody got a solution?

Paul

Re: [users@httpd] Redirecting htaccess over SSL, then back to port 80?

Posted by Aaron Turner <sy...@gmail.com>.
On Tue, Jul 14, 2009 at 6:23 AM, Paul Reilly<pa...@tcd.ie> wrote:
> Getting back to the original subject:
>
>> Assuming you're doing standard HTTP Authentication, it doesn't work
>> that way.  Once you get the login popup, every subsequent request by
>> the browser sends the same authentication token (username & password
>> in clear text) to the server.
>
> You're right -  the Authentication: header is sent back on subsequent
> requests. However I have done some testing with mod_forensic  to log
> which headers the client is sending. These are my findings:
>
> 1. User goes to a page which requires authentication over SSL
> https://mysite/securedir/  - prompted for user/pass.
> Authorization: header added with base64 encoded string
>
> 2. User visits any other pages on same server, over SSL
> Eg: https://mysite.tld/some-other-dir/  and Authorization: header
> stays with them. Browser keeps sending it. That's OK.
>
> 3. User clicks on a link back to the port 80 version of the site.
> http://mysite.tld/index.html   - The browser no longer seems to
> send the Authorization: header. It sees the http and https sites
> as different sites.
>
> If this is the case, then would the following approach work?
>
> 1) If .htaccess is detected, redirect to the SSL version of the site.
> 2) User authenticates over SSL and accesses the pages they are interested in.
> 3) At some point, they click a menu link etc. and go back to port 80, and the
>    password is not exposed.

Honestly, I'm not sure if that's part of the HTTP spec or is client
specific (and I'm too lazy to read the RFC's), but I guess the
question really is what do you want to accomplish?    What are your
security requirements?

To answer your question, based on the information you have provided,
that would appear to "work".

-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Redirecting htaccess over SSL, then back to port 80?

Posted by Paul Reilly <pa...@tcd.ie>.
Getting back to the original subject:

Assuming you're doing standard HTTP Authentication, it doesn't work
> that way.  Once you get the login popup, every subsequent request by
> the browser sends the same authentication token (username & password
> in clear text) to the server.
>

You're right -  the Authentication: header is sent back on subsequent
requests. However I have done some testing with mod_forensic  to log
which headers the client is sending. These are my findings:

1. User goes to a page which requires authentication over SSL
https://mysite/securedir/  - prompted for user/pass.
Authorization: header added with base64 encoded string

2. User visits any other pages on same server, over SSL
Eg: https://mysite.tld/some-other-dir/  and Authorization: header
stays with them. Browser keeps sending it. That's OK.

3. User clicks on a link back to the port 80 version of the site.
http://mysite.tld/index.html   - The browser no longer seems to
send the Authorization: header. It sees the http and https sites
as different sites.

If this is the case, then would the following approach work?

1) If .htaccess is detected, redirect to the SSL version of the site.
2) User authenticates over SSL and accesses the pages they are interested in.
3) At some point, they click a menu link etc. and go back to port 80, and the
   password is not exposed.


Paul


> Hence, doing SSL for the first request doesn't really add to your
> security since all the other requests would send the username &
> password in clear text (some people think the user & pass are
> "encrypted" but it's really just base64 encoding).
>


-- 
Paul Reilly
Systems Group
IS Services
Trinity College Dublin
e: paul.reilly@tcd.ie
p: +353-1-896-2152
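The three steps Paul observed with mod_forensic, together with Aaron's point that the Authorization header carries only base64, modelled as an added example (this is not code from the thread or from httpd). The browser cache is a simplified model keyed on origin (scheme, host, port), which is how Basic credentials are scoped; the hostname and the user/password are constructed values.

```python
import base64
from urllib.parse import urlsplit


def origin(url):
    """Scheme, host and port identify a site; http:// and https:// are different origins."""
    parts = urlsplit(url)
    default = {"http": 80, "https": 443}[parts.scheme]
    return (parts.scheme, parts.hostname, parts.port or default)


class BrowserBasicAuth:
    """Minimal model of a browser's Basic-auth credential cache: after a 401 the
    credentials are remembered per origin and replayed on every later request
    to that same origin, which is what step 2 and step 3 of the findings show."""

    def __init__(self):
        self._cache = {}  # origin -> Authorization header value

    def login(self, url, user, password):
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._cache[origin(url)] = f"Basic {token}"

    def request_headers(self, url):
        hdr = self._cache.get(origin(url))
        return {"Authorization": hdr} if hdr else {}


def credentials_exposed_in_clear(url, headers):
    """Server- or IDS-side check: a Basic header on a non-TLS request is readable
    by anyone on the path. Returns the exposed username, or None if the request
    is over https or carries no Basic credentials. Decoding is plain base64."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic ") or urlsplit(url).scheme == "https":
        return None
    user, _, _ = base64.b64decode(auth[6:]).decode().partition(":")
    return user


def walk_through():
    """Replay the findings: login over https, browse over https, then follow a
    link to the port 80 site. Returns whether each request carried credentials."""
    browser = BrowserBasicAuth()
    browser.login("https://mysite.tld/securedir/", "alice", "s3cret")  # constructed
    steps = [
        "https://mysite.tld/securedir/",        # 1: authenticated here
        "https://mysite.tld/some-other-dir/",   # 2: same origin, header replayed
        "http://mysite.tld/index.html",         # 3: different origin, no header
    ]
    return {u: "Authorization" in browser.request_headers(u) for u in steps}
```

The model matches the thread's observation, but it also shows why the scheme is the only thing protecting the password: if any link, redirect or mixed-content resource on the https side pointed at the http origin while a cached header existed for it, credentials_exposed_in_clear would return the username.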

Re: [users@httpd] Redirecting htaccess over SSL, then back to port 80?

Posted by Aaron Turner <sy...@gmail.com>.
On Tue, Jul 7, 2009 at 10:25 AM, Paul Reilly<pa...@tcd.ie> wrote:

> I don't want to force all web access over HTTPS, just the .htaccess
> authentication.

Assuming you're doing standard HTTP Authentication, it doesn't work
that way.  Once you get the login popup, every subsequent request by
the browser sends the same authentication token (username & password
in clear text) to the server.

Hence, doing SSL for the first request doesn't really add to your
security since all the other requests would send the username &
password in clear text (some people think the user & pass are
"encrypted" but it's really just base64 encoding).

-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
