Posted to users@httpd.apache.org by Michele Marcionelli <mi...@math.ethz.ch> on 2003/11/12 13:35:09 UTC

[users@httpd] %{HTTP:Authorization}

Hi,

I'm using Apache 2.0.40 on Red Hat Linux 9.

I want to use a rewrite condition to redirect all HTTP authentications to a
secure connection (SSL, https).

What shall I do? I tried the following rewrite rule:

  RewriteCond %{HTTP:Authorization} ^.+
  RewriteRule ^(.*) https://%{HTTP_HOST}$1 [R,L]

This doesn't work correctly. What happened is the following:

1. I'm asked to enter (on http) username and password
2. the RewriteCond matched the condition and switched to https
3. I'm asked to enter username and password again (!!)

The problem is (1.)... the password is sent over http and not https.

Can someone help me?

Cheers,
Michele
--
Michele Marcionelli - webmaster@math - Phone: +41 1 632 6193
Address: HG G 14 - Rämistrasse 101 - 8092 Zürich - Switzerland


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] %{HTTP:Authorization}

Posted by Michele Marcionelli <mi...@math.ethz.ch>.
> Hmm.. So everybody decides for him/herself if the files in a certain dir
> need authentication.. They probably do that with .htaccess files, don't
> they? Let them put a thing like
>
> 	# assumes the SSL vhost listens on 443; redirect plain-http requests
> 	RewriteEngine On
> 	RewriteCond %{SERVER_PORT} !^443$
> 	RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
>
> In THEIR .htaccess files as well..

The authentication is managed by zope and not by apache (with
.htaccess)... I don't know what happens in zope's background :(

Your solution can unfortunately not be applied...

Cheers,
Michele

-- 
Michele Marcionelli - webmaster@math - Phone: +41 1 632 6193
Address: HG G 14 - Rämistrasse 101 - 8092 Zürich - Switzerland


RE: [users@httpd] %{HTTP:Authorization}

Posted by Michele Marcionelli <mi...@math.ethz.ch>.
> Unfortunately I have no examples of this ..

Yes... unfortunately! But at least now I have more stuff to work with...
thanks!!

Cheers,
Michele

-- 
Michele Marcionelli - webmaster@math - Phone: +41 1 632 6193
Address: HG G 14 - Rämistrasse 101 - 8092 Zürich - Switzerland


Re: [users@httpd] %{HTTP:Authorization}

Posted by Michele Marcionelli <mi...@math.ethz.ch>.
>> What about a RewriteCond that looks for the status code 401?
>>
>>     RewriteCond is_status_code_401
>>     RewriteRule ...
>>
>> Is this possible? If "yes"... how?
>
> Sadly, there is no available variable for the status. Makes sense, as the
> rewrite conds/rules run before the status is determined.
>
> A possible workaround is to set an error document that can take care of
> it.
> Eg:
>
>     # non-SSL
>     <VirtualHost *:80>
>         ErrorDocument 401 /send_client_to_https.php
>         ...
>     </VirtualHost>
>
>     # /send_client_to_https.php
>     <?php
>     // Same host, same path, but over https; REQUEST_URI is that of the
>     // original (failed) request, not of the error document itself.
>     $server = $_SERVER['SERVER_NAME'];
>     $path = $_SERVER['REQUEST_URI'];
>     header("Location: https://$server$path");
>     exit;
>     ?>
>
> You could of course implement this in any CGI (or semi-CGI) language. You
> could also incorporate logic, that can determine if a redirect is really
> wanted in the particular request.

Great!!!!

I will try this workaround... not very elegant ;-) but it should work.

Thanks a lot... I will give you a feedback!

Cheers,
Michele

-- 
Michele Marcionelli - webmaster@math - Phone: +41 1 632 6193
Address: HG G 14 - Rämistrasse 101 - 8092 Zürich - Switzerland


RE: [users@httpd] %{HTTP:Authorization}

Posted by Wouter van Vliet <wo...@springt.nl>.
Ehmmmm .... Michele, listen to Robert .. He's much smarter than I am :D

(I didn't know about the error_document being sent every time.) 

> -----Original Message-----
> From: Robert Andersson [mailto:robert@profundis.nu] 
> Sent: woensdag 12 november 2003 15:50
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] %{HTTP:Authorization}
> 
> Wouter van Vliet wrote:
> > Hmmm .. What if you don't set up an ErrorDocument, since it will never
> > reach the client unless the client sends an invalid password three times.
> 
> Apache always sends the error document. Apache does not keep count of how
> many times authorization fails; it is the client that, usually after 3
> times, gives up and finally displays the error document Apache has been
> sending all along. This fact is often considered a weakness in Basic
> Authentication, because it makes the server vulnerable to dictionary
> attacks.
> 
> > Though this triggered me to think a certain way. When you're able to run
> > your scripts in a mod_perl environment you can define a custom 'Handler',
> > which is usually a perl class. This handler might know about the status
> > code from where you can redirect to the https environment. And if not,
> > just fire a subrequest.
> 
> Yep. I have not used mod_perl very much, but I deem that it would be
> possible as well.
> 
> A comment on my last suggestion. You can probably save yourself from
> having a real error document. Because Apache will invoke a sub request to
> deliver the error document, you can probably catch that request with
> mod_rewrite and send the client away.
> 
> Regards,
> Robert Andersson


Re: [users@httpd] %{HTTP:Authorization}

Posted by Robert Andersson <ro...@profundis.nu>.
Wouter van Vliet wrote:
> Hmmm .. What if you don't set up an ErrorDocument, since it will never
> reach the client unless the client sends an invalid password three times.

Apache always sends the error document. Apache does not keep count of how
many times authorization fails; it is the client that, usually after 3 times,
gives up and finally displays the error document Apache has been sending
all along. This fact is often considered a weakness in Basic
Authentication, because it makes the server vulnerable to dictionary attacks.

> Though this triggered me to think a certain way. When you're able to run
> your scripts in a mod_perl environment you can define a custom 'Handler',
> which is usually a perl class. This handler might know about the status
> code from where you can redirect to the https environment. And if not,
> just fire a subrequest.

Yep. I have not used mod_perl very much, but I deem that it would be
possible as well.

A comment on my last suggestion. You can probably save yourself from having
a real error document. Because Apache will invoke a sub request to deliver
the error document, you can probably catch that request with mod_rewrite and
send the client away.

Regards,
Robert Andersson
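Since, as Robert says, Apache answers every failed attempt with another 401 and leaves the counting to the client, the only place a failure count exists is the access log. The script below is an added example, not code from this thread or from the Apache project: it reads Apache "combined" log lines (the SAMPLE_LOG entries are constructed, with 198.51.100.7 playing the guesser) and flags any client that draws at least `threshold` 401 responses inside a sliding time window. The threshold of 5 in 2 minutes is an illustrative choice. Apache writes the user name from a rejected Authorization header into the %u field, which is why the names that were tried can be reported.

```python
"""Count Basic-auth failures per client from Apache access logs.

Added example, not from the thread or from the Apache project. SAMPLE_LOG
holds constructed "combined"-format lines (198.51.100.7 is the guesser);
THRESHOLD and WINDOW are illustrative values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
THRESHOLD = 5                    # 401s inside one window that trigger an alert
WINDOW = timedelta(minutes=2)

# Constructed sample log: one normal login, then a guessing burst.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Nov/2003:13:35:01 +0100] "GET /keepout/ HTTP/1.1" 401 401 "-" "Mozilla/5.0"
192.0.2.10 - michele [12/Nov/2003:13:35:04 +0100] "GET /keepout/ HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2003:13:40:00 +0100] "GET /keepout/ HTTP/1.1" 401 401 "-" "curl/7.10"
198.51.100.7 - admin [12/Nov/2003:13:40:01 +0100] "GET /keepout/ HTTP/1.1" 401 401 "-" "curl/7.10"
198.51.100.7 - admin [12/Nov/2003:13:40:01 +0100] "GET /keepout/ HTTP/1.1" 401 401 "-" "curl/7.10"
198.51.100.7 - admin [12/Nov/2003:13:40:02 +0100] "GET /keepout/ HTTP/1.1" 401 401 "-" "curl/7.10"
198.51.100.7 - root [12/Nov/2003:13:40:02 +0100] "GET /keepout/ HTTP/1.1" 401 401 "-" "curl/7.10"
198.51.100.7 - admin [12/Nov/2003:13:40:03 +0100] "GET /keepout/ HTTP/1.1" 401 401 "-" "curl/7.10"
198.51.100.7 - admin [12/Nov/2003:13:45:00 +0100] "GET /keepout/ HTTP/1.1" 200 2326 "-" "curl/7.10"
"""


def parse_log(text):
    """Yield (ip, user, timestamp, path, status) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (m["ip"], m["user"], datetime.strptime(m["ts"], TS_FORMAT),
                   m["path"], int(m["status"]))


def find_guessing(text, threshold=THRESHOLD, window=WINDOW):
    """Flag clients with >= threshold 401 responses inside any `window`.

    One 401 per session is normal: it is the challenge that makes the
    browser prompt. A burst of them from one client is a dictionary attack;
    a 2xx from that client afterwards means a guess probably succeeded.
    """
    failures = defaultdict(list)          # ip -> [(timestamp, user)]
    succeeded = set()
    for ip, user, ts, _path, status in parse_log(text):
        if status == 401:
            failures[ip].append((ts, user))
        elif 200 <= status < 300 and ip in failures:
            succeeded.add(ip)
    alerts = {}
    for ip, rows in failures.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):       # sliding window over sorted failures
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "attempts": len(rows),
                    "users": sorted({u for _, u in rows if u != "-"}),
                    "succeeded": ip in succeeded,
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample data the guesser is reported with 6 attempts against the names admin and root and a later successful request; the legitimate client, whose single 401 is just the initial challenge, is not. Feed it a real CustomLog in combined format to use it as a check.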


RE: [users@httpd] %{HTTP:Authorization}

Posted by Wouter van Vliet <wo...@springt.nl>.
> 
> Michele Marcionelli wrote:
> > What about a RewriteCond that looks for the status code 401?
> >
> >     RewriteCond is_status_code_401
> >     RewriteRule ...
> >
> > Is this possible? If "yes"... how?
> 
> Sadly, there is no available variable for the status. Makes sense, as the
> rewrite conds/rules run before the status is determined.
> 
 (..)
> 
> You could of course implement this in any CGI (or semi-CGI) language. You
> could also incorporate logic that can determine if a redirect is really
> wanted in the particular request.
> 
> Regards,
> Robert Andersson
> 

Hmmm .. What if you don't set up an ErrorDocument, since it will never reach
the client unless the client sends an invalid password three times. Though
this triggered me to think a certain way. When you're able to run your
scripts in a mod_perl environment you can define a custom 'Handler', which
is usually a perl class. This handler might know about the status code from
where you can redirect to the https environment. And if not, just fire a
subrequest.

Unfortunately I have no examples of this ..

Wouter


Re: [users@httpd] %{HTTP:Authorization}

Posted by Robert Andersson <ro...@profundis.nu>.
Michele Marcionelli wrote:
> What about a RewriteCond that looks for the status code 401?
>
>     RewriteCond is_status_code_401
>     RewriteRule ...
>
> Is this possible? If "yes"... how?

Sadly, there is no available variable for the status. Makes sense, as the
rewrite conds/rules run before the status is determined.

A possible workaround is to set an error document that can take care of it.
Eg:

    # non-SSL
    <VirtualHost *:80>
        ErrorDocument 401 /send_client_to_https.php
        ...
    </VirtualHost>

    # /send_client_to_https.php
    <?php
    // Same host, same path, but over https; REQUEST_URI is that of the
    // original (failed) request, not of the error document itself.
    $server = $_SERVER['SERVER_NAME'];
    $path = $_SERVER['REQUEST_URI'];
    header("Location: https://$server$path");
    exit;
    ?>

You could of course implement this in any CGI (or semi-CGI) language. You
could also incorporate logic that can determine if a redirect is really
wanted in the particular request.

Regards,
Robert Andersson


Re: [users@httpd] %{HTTP:Authorization}

Posted by Michele Marcionelli <mi...@math.ethz.ch>.
> Authorization/authentication generally work like this. Say we have
> /keepout
> protected with basic authentication.
> 1) Client sends request for /keepout
> 2) Apache sends a 401 Authentication Required to the client
> 3) Client asks user for username/password
> 4) Client re-sends the request for /keepout, but now with the
>     appropriate header set.
> 5) If the credentials were correct, Apache will send the resource.
> 6) Further access to resources in the same "authentication realm", will
>    also require the client to send the credentials with each request, but
>    it will usually remember them and not bother the user all the time.

What about a RewriteCond that looks for the status code 401?

    RewriteCond is_status_code_401
    RewriteRule ...

Is this possible? If "yes"... how?

Cheers,
Michele

-- 
Michele Marcionelli - webmaster@math - Phone: +41 1 632 6193
Address: HG G 14 - Rämistrasse 101 - 8092 Zürich - Switzerland


Re: [users@httpd] %{HTTP:Authorization}

Posted by Robert Andersson <ro...@profundis.nu>.
Michele Marcionelli
> Do you think that the rewrite condition
>
>     RewriteCond %{HTTP:Authorization} ^.+
>
> behaves correctly?

Yes, I do. But it is not the right tool for you. That variable expands to
the content of the Authorization header sent with the request. This header
contains the credentials for accessing the resource, and if the client sends
it, the user has already been asked.

Authorization/authentication generally work like this. Say we have /keepout
protected with basic authentication.
1) Client sends request for /keepout
2) Apache sends a 401 Authentication Required to the client
3) Client asks user for username/password
4) Client re-sends the request for /keepout, but now with the
    appropriate header set.
5) If the credentials were correct, Apache will send the resource.
6) Further access to resources in the same "authentication realm" will
   also require the client to send the credentials with each request, but
   it will usually remember them and not bother the user all the time.

I am not familiar with your environment, and this sounds awfully messy to
get around. Just understand that if a resource, from Apache's point-of-view,
is protected, it will not work as you want.

You must somehow make Apache think that the directory isn't protected in the
non-SSL vhost. You might do it with: Order deny,allow ; Allow from all ;
Satisfy any. Perhaps use AllowOverride -AuthConfig, to disable the .htaccess
file's protection.

I am sorry to say that I think you will have a *very* hard time getting this
to work with your setup.

There might be some way to determine if a certain directory is protected and
redirect before the authentication rules kick in. I don't know how this could
be done, and I am sceptical of whether it is at all possible.

Regards,
Robert Andersson


RE: [users@httpd] %{HTTP:Authorization}

Posted by Wouter van Vliet <wo...@springt.nl>.
> >
> > I will assume that you have two virtual hosts: one non-SSL, and one SSL,
> > both sharing the same document root, and a particular directory tree
> > requires authentication. Something like this could work:
> >
> >     <VirtualHost *:80>
> >         ServerName xxx
> >         DocumentRoot /path/to/docroot
> >         # Could possibly be a Location block instead
> >         <Directory /path/to/docroot/secret>
> >             # Could also be Redirect or RedirectMatch
> >             RewriteEngine On
> >             RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
> >         </Directory>
> >         ...
> >     </VirtualHost>
> >
> >     <VirtualHost 1.2.3.4:443>
> >         ServerName xxx
> >         DocumentRoot /path/to/docroot
> >         <Directory /path/to/docroot/secret>
> >             # Authentication stuff
> >             AuthType basic
> >             ...
> >             Require valid-user
> >         </Directory>
> >         ...
> >     </VirtualHost>
> >
> > Be sure to not have a .htaccess file in the directory.
> >
> > If this doesn't work for you, you need to give much more details about
> > your setup.
> >
> > Regards,
> > Robert Andersson
> 
> Your solution would work fine if we had only a finite (fixed) number of
> directory trees to protect. But since we use apache mainly as a proxy and
> cache server for our zope server, where every 'editor' can decide if a
> particular page (or subtree) will be protected or not with a password,
> your suggestion can't be applied. Do you have other ideas?
> 
> Do you think that the rewrite condition
> 
>     RewriteCond %{HTTP:Authorization} ^.+
> 
> behaves correctly? If you have a look in the rewrite-logfile you see that
> when you are asked for a password (but before submitting it) the value of
> %{HTTP:Authorization} is still an empty string :-((
> 
> Thanks and cheers,
> Michele
> 

Hmm.. So everybody decides for him/herself if the files in a certain dir
need authentication.. They probably do that with .htaccess files, don't
they? Let them put a thing like 

	# assumes the SSL vhost listens on 443; redirect plain-http requests
	RewriteEngine On
	RewriteCond %{SERVER_PORT} !^443$
	RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

In THEIR .htaccess files as well..
Re: [users@httpd] %{HTTP:Authorization}

Posted by Michele Marcionelli <mi...@math.ethz.ch>.
Hi Robert,

> Michele Marcionelli wrote:
>> What shall I do? I tried the following rewrite rule:
>>
>>   RewriteCond %{HTTP:Authorization} ^.+
>>   RewriteRule ^(.*) https://%{HTTP_HOST}$1 [R,L]
>>
>> This doesn't work correctly. What happened is the following:
>>
>> 1. I'm asked to enter (on http) username and password
>> 2. the RewriteCond matched the condition and switched to https
>> 3. I'm asked to enter username and password again (!!)
>
> Of course it does. You need to redirect before asking for authentication.
> If you protect the directory/location in the non-SSL host, you will get
> asked for credentials before getting redirected.
>
> I will assume that you have two virtual hosts: one non-SSL, and one SSL,
> both sharing the same document root, and a particular directory tree
> requires authentication. Something like this could work:
>
>     <VirtualHost *:80>
>         ServerName xxx
>         DocumentRoot /path/to/docroot
>         # Could possibly be a Location block instead
>         <Directory /path/to/docroot/secret>
>             # Could also be Redirect or RedirectMatch
>             RewriteEngine On
>             RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
>         </Directory>
>         ...
>     </VirtualHost>
>
>     <VirtualHost 1.2.3.4:443>
>         ServerName xxx
>         DocumentRoot /path/to/docroot
>         <Directory /path/to/docroot/secret>
>             # Authentication stuff
>             AuthType basic
>             ...
>             Require valid-user
>         </Directory>
>         ...
>     </VirtualHost>
>
> Be sure to not have a .htaccess file in the directory.
>
> If this doesn't work for you, you need to give much more details about
> your setup.
>
> Regards,
> Robert Andersson

Your solution would work fine if we had only a finite (fixed) number of
directory trees to protect. But since we use apache mainly as a proxy and
cache server for our zope server, where every 'editor' can decide if a
particular page (or subtree) will be protected or not with a password,
your suggestion can't be applied. Do you have other ideas?

Do you think that the rewrite condition

    RewriteCond %{HTTP:Authorization} ^.+

behaves correctly? If you have a look in the rewrite-logfile you see that
when you are asked for a password (but before submitting it) the value of
%{HTTP:Authorization} is still an empty string :-((

Thanks and cheers,
Michele

-- 
Michele Marcionelli - webmaster@math - Phone: +41 1 632 6193
Address: HG G 14 - Rämistrasse 101 - 8092 Zürich - Switzerland


Re: [users@httpd] %{HTTP:Authorization}

Posted by Robert Andersson <ro...@profundis.nu>.
Michele Marcionelli wrote:
> What shall I do? I tried the following rewrite rule:
>
>   RewriteCond %{HTTP:Authorization} ^.+
>   RewriteRule ^(.*) https://%{HTTP_HOST}$1 [R,L]
>
> This doesn't work correctly. What happened is the following:
>
> 1. I'm asked to enter (on http) username and password
> 2. the RewriteCond matched the condition and switched to https
> 3. I'm asked to enter username and password again (!!)

Of course it does. You need to redirect before asking for authentication. If
you protect the directory/location in the non-SSL host, you will get asked
for credentials before getting redirected.

I will assume that you have two virtual hosts: one non-SSL, and one SSL,
both sharing the same document root, and a particular directory tree
requires authentication. Something like this could work:

    <VirtualHost *:80>
        ServerName xxx
        DocumentRoot /path/to/docroot
        # Could possibly be a Location block instead
        <Directory /path/to/docroot/secret>
            # Could also be Redirect or RedirectMatch
            RewriteEngine On
            RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
        </Directory>
        ...
    </VirtualHost>

    <VirtualHost 1.2.3.4:443>
        ServerName xxx
        DocumentRoot /path/to/docroot
        <Directory /path/to/docroot/secret>
            # Authentication stuff
            AuthType basic
            ...
            Require valid-user
        </Directory>
        ...
    </VirtualHost>

Be sure to not have a .htaccess file in the directory.

If this doesn't work for you, you need to give much more details about your
setup.

Regards,
Robert Andersson
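The handshake Robert walks through (401 challenge, then the client re-sending the request with an Authorization header) and the reason his two-vhost layout above works where the %{HTTP:Authorization} condition does not can be checked without an Apache instance. The Python model below is an added example, not code from this thread or from Apache: the Request and Response classes, serve(), the two policy functions, the Client class, the realm "keepout" and the user michele/s3cret on www.example.org are all constructed for the illustration. serve() applies the redirect policy before the authentication check, which is the order Apache uses (mod_rewrite runs before the authentication phase, which is why the status is not available to a RewriteCond), and sniff_basic_credentials() shows what a passive observer of the plaintext leg recovers.

```python
"""Model of the Basic-auth exchange and of two redirect policies.

Added example, not code from the thread or from Apache. Request, Response,
serve(), the policy functions, Client, the realm "keepout" and the user
michele/s3cret on www.example.org are constructed for the illustration.
"""
import base64
from dataclasses import dataclass, field

USERS = {"michele": "s3cret"}      # constructed credential store
PROTECTED_PREFIX = "/keepout"      # the path from Robert's walk-through


@dataclass
class Request:
    scheme: str                    # "http" or "https"
    host: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def check_basic(header):
    """Return the user name if an 'Authorization: Basic' header is valid, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:             # bad base64 or non-UTF-8 payload
        return None
    return user if USERS.get(user) == password else None


def redirect_after_auth(req):
    """Michele's rule: RewriteCond %{HTTP:Authorization} ^.+ then redirect.
    The condition can only match after the credentials have crossed the wire."""
    if req.scheme == "http" and "Authorization" in req.headers:
        return Response(302, {"Location": f"https://{req.host}{req.path}"})
    return None


def redirect_before_auth(req):
    """Robert's layout: the non-SSL vhost never challenges, it only redirects."""
    if req.scheme == "http" and req.path.startswith(PROTECTED_PREFIX):
        return Response(302, {"Location": f"https://{req.host}{req.path}"})
    return None


def serve(req, policy):
    """Rewrite/redirect phase first, then authentication, then the resource."""
    redirect = policy(req)
    if redirect is not None:
        return redirect
    if req.path.startswith(PROTECTED_PREFIX) and check_basic(req.headers.get("Authorization")) is None:
        return Response(401, {"WWW-Authenticate": 'Basic realm="keepout"'})
    return Response(200)


class Client:
    """Browser-like client: a 401 prompts the user once, then the credentials
    are re-sent on every request to the same scheme+host (Robert's steps 3-6)."""

    def __init__(self, user, password):
        self.auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        self.remembered = set()
        self.prompts = 0

    def fetch(self, url, policy, wire):
        """Follow redirects and challenges; every request sent is appended to `wire`."""
        for _ in range(10):
            scheme, rest = url.split("://", 1)
            host, _, path = rest.partition("/")
            req = Request(scheme, host, "/" + path)
            if (scheme, host) in self.remembered:
                req.headers["Authorization"] = self.auth
            wire.append(req)
            resp = serve(req, policy)
            if resp.status == 401:
                self.prompts += 1
                self.remembered.add((scheme, host))
            elif resp.status == 302:
                url = resp.headers["Location"]
            else:
                return resp.status
        raise RuntimeError("redirect loop")


def sniff_basic_credentials(wire):
    """What a passive observer of the plaintext leg recovers: base64 is not encryption."""
    return [base64.b64decode(r.headers["Authorization"][6:]).decode()
            for r in wire if r.scheme == "http" and "Authorization" in r.headers]


def run(policy):
    """Return (final status, number of password prompts, credentials seen on http)."""
    wire = []
    client = Client("michele", "s3cret")
    status = client.fetch("http://www.example.org/keepout", policy, wire)
    return status, client.prompts, sniff_basic_credentials(wire)


if __name__ == "__main__":
    print("redirect after Authorization:", run(redirect_after_auth))
    print("redirect before challenge:   ", run(redirect_before_auth))
```

Running it gives (200, 2, ['michele:s3cret']) for the Authorization-header condition: two prompts, exactly the double prompt Michele observed, and the password has already crossed the plaintext leg, base64-encoded but in the clear. The redirect-first policy gives (200, 1, []): a single prompt, issued only on https, and nothing for an observer of port 80 to collect.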


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org