Posted to users@httpd.apache.org by Chris Gorman <ch...@cgnet.ca> on 2002/11/14 20:20:26 UTC

[users@httpd] Inability to force https rewrite before password authentication

Hello All,

I have a strange problem here and was wondering if anyone had a solution.
I'm looking to perform a rewrite to https then require the user submit a
username and password.  The idea behind this is that the username and
password are submitted encrypted rather than in plain text.

First off, version information:
Apache: Server version: Apache/1.3.26 (Unix)
Mod_SSL: 2.8.9 (debian 2.8.9-2.1)

I looked at Ralf Engelschall's presentation from apachecon2000 (ref
http://www.modssl.org/docs/apachecon2000/slide-021-n.html ) which does
have a recipe for what I am looking to accomplish.  The only problem I
have is it doesn't seem to work for me.  The password authentication
happens before the url redirection which isn't desirable in this case.

My configuration

<Directory "/<server-root>/subdir">
    Options Indexes FollowSymLinks
    AllowOverride All
    RewriteEngine        on
    RewriteCond          %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
    RewriteCond          %{HTTPS} !=on
    RewriteRule          ^/(.*) https://%{SERVER_NAME}/subdir/$1 [R,L]
    SSLOptions +StrictRequire
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    Satisfy any
    Order deny,allow
    deny from all
    allow from 192.168.1.0/255.255.255.0
    AuthName "Restricted Access"
    AuthType Basic
    AuthUserFile <path-to>/passwd
    Require valid-user
</Directory>

Any ideas or suggestions on how I would overcome this obstacle, or reverse
the order of directive processing so the rewrite happens first?

Thanks

Chris
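
A check for the ordering problem described in this message, added here as an example and not part of the original post: it classifies the first response a server gives to a plain-HTTP request as either a Basic challenge over cleartext or a redirect to https. The function names, verdict strings and sample responses (including www.example.com) are constructed for illustration.

```python
import http.client
from email.parser import Parser

# Constructed sample responses (not captured from a real server).
CHALLENGE_FIRST = (
    "HTTP/1.1 401 Authorization Required\r\n"
    'WWW-Authenticate: Basic realm="Restricted Access"\r\n'
    "\r\n"
)
REDIRECT_FIRST = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.example.com/subdir/\r\n\r\n"
)

def parse_head(raw):
    """Split a raw HTTP response head into (status code, headers)."""
    status_line, _, rest = raw.replace("\r\n", "\n").partition("\n")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % status_line)
    return int(parts[1]), Parser().parsestr(rest, headersonly=True)

def classify(raw):
    """Verdict for the first response to a request made over plain HTTP."""
    status, headers = parse_head(raw)
    challenges = headers.get_all("WWW-Authenticate", [])
    if status == 401 and any(c.strip().lower().startswith("basic") for c in challenges):
        return "EXPOSED"      # browser would answer with credentials in cleartext
    location = headers.get("Location", "")
    if status in (301, 302, 303, 307, 308) and location.lower().startswith("https://"):
        return "REDIRECTED"   # client is moved to https before any challenge
    return "OTHER"            # e.g. 200, 403, or a redirect that stays on http

def fetch_head(host, path, port=80):
    """Fetch the response head over plain HTTP without following redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        r = conn.getresponse()
        lines = ["HTTP/1.1 %d %s" % (r.status, r.reason)]
        lines += ["%s: %s" % kv for kv in r.getheaders()]
        return "\r\n".join(lines) + "\r\n\r\n"
    finally:
        conn.close()

if __name__ == "__main__":
    for name, raw in (("challenge first", CHALLENGE_FIRST), ("redirect first", REDIRECT_FIRST)):
        print(name, "->", classify(raw))
```

To run it against a server you administer, pass the output of `fetch_head(host, "/subdir/")` to `classify` from a client address outside the range exempted by IP.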


