Posted to users@httpd.apache.org by Duncan Brannen <db...@st-andrews.ac.uk> on 2002/12/03 12:53:02 UTC

[users@httpd] Basic Auth and SSL

Just curious,
	Is there any way to force apache to use SSL any time it's
asking a browser for authentication?  We've a few areas of our web site
where users ask for passwords & it would be nice if I could get apache
to automatically switch to SSL for these areas without the user having to
do it.

Users would often forget the https://  if they had to type it and use http://
anyway.

Cheers,
	Dunk


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Basic Auth and SSL

Posted by Issac Goldstand <ma...@beamartyr.net>.
SSLRequireSSL inside the same location block that does the Auth stuff

  Issac

----- Original Message -----
From: "Duncan Brannen" <db...@st-andrews.ac.uk>
To: <us...@httpd.apache.org>
Sent: Tuesday, December 03, 2002 1:53 PM
Subject: [users@httpd] Basic Auth and SSL


>
> Just curious,
> Is there any way to force apache to use SSL any time it's
> asking a browser for authentication?  We've a few areas of our web site
> where users ask for passwords & it would be nice if I could get apache
> to automatically switch to SSL for these areas without the user having to
> do it.
>
> Users would often forget the https://  if they had to type it and use http://
> anyway.
>
> Cheers,
> Dunk
>
>


Re: [users@httpd] Basic Auth and SSL

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
On Tue, 3 Dec 2002, Duncan Brannen wrote:

> 	Is there any way to force apache to use SSL any time it's
> asking a browser for authentication?  We've a few areas of our web site
> where users ask for passwords & it would be nice if I could get apache
> to automatically switch to SSL for these areas without the user having to
> do it.
>
> Users would often forget the https://  if they had to type it and use http://
> anyway.

When I am nice I use something like

<Directory ....
  or.. VirtualHost .. whatever.. (though see below; directory is better)

        # Make rather sure we are using TLS before we start
        # messing with passwords and all that.
        #
        # (or use SSLRequireSSL + error routing depending
        # on threat model; httpd does not allow a comment on the
        # same line as a directive, so it sits up here)
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule (.*) https://intranet.asemantics.net/ [R]

and then the usual

        AuthType basic
        ...
        require valid-user


This is the fairly friendly and not that locked down config which is fine
in an environment where you control the resources and trust the users who
have an account on your system.

If I am not so nice; have a paranoid customer; or just as a precaution I
may define the above but also put a SSLRequireSSL on the more sensitive
resources as well (say with a very narrow directory or file pointer) - to
trap any errors should someone fiddle with the config.

Do not use this with things like Location or other URI rather than
physical file path avoiding techniques.

Dw.

--
Dirk-Willem van Gulik, Apache Consultancy, The Tribal Knowledge Group.
dirkx@tribalknowledgegroup.com                    http://www.ttkg.com/
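
The two suggestions in this thread combined into one layout, as an added example that is not part of any of the posts above: the redirect lives in the port-80 virtual host, where mod_alias answers it before any access or authentication check runs, and SSLRequireSSL sits in the same Directory block as the Basic auth so a plain-HTTP request gets a 403 instead of a password prompt. The host name www.example.org, /var/www/private, and the certificate and password file paths are placeholders.

```apache
# Added example; host name and all paths are placeholders.

# Protect the physical directory once, at server level, so the rule
# applies to every virtual host that can map a URL onto it.
<Directory "/var/www/private">
    # Access check: refuse (403) any request that did not arrive over SSL.
    # With the default "Satisfy All" this fails before the auth phase,
    # so no Basic challenge is ever sent in the clear.
    SSLRequireSSL

    AuthType Basic
    AuthName "Private area"
    AuthUserFile /path/to/htpasswd
    Require valid-user
</Directory>

# Plain HTTP: be friendly and send the browser to the TLS host.
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www

    # Redirect is resolved during URL translation, before access control
    # and authentication, so the user is moved to https:// first and is
    # only asked for a password there.
    Redirect /private https://www.example.org/private
</VirtualHost>

# TLS host: the only place the protected directory can actually be served.
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
</VirtualHost>
```

If the Redirect line is later removed or mistyped, the SSLRequireSSL in the Directory block still stops the password prompt from appearing over http://.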

