I want to force use of https on directories where authentication is
required to avoid sending htpasswords in the clear. Example:
<Directory /web/www-data/blah/blah>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://www.ucop.edu/blah/blah/$1 [R]
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /usr/local/etc/httpd/htpasswd
AuthGroupFile /usr/local/etc/httpd/htgroup
Require group admins
</Directory>
This seems to work fine. As soon as I authenticate, I'm pushed into
https. But is the authentication itself actually encrypted? What is
apache's behavior in this case?
p.s. mod_rewrite experts feel free to make suggestions about my rules.
--
-ashley
Did you try poking at it with a stick?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|