Re: [users@httpd] SSL and AuthType Basic

On 8/22/05, Ashley Gould <agould@xxxxxxxx> wrote:
> I want to force use of https on directories where authentication is
> required to avoid sending htpasswords in the clear.  Example:
> 
> <Directory /web/www-data/blah/blah>
>     RewriteEngine        on
>     RewriteCond          %{HTTPS} !=on
>     RewriteRule     (.*) https://www.ucop.edu/blah/blah/$1 [R]
> 
>     AuthType Basic
>     AuthName "Restricted Area"
>     AuthUserFile /usr/local/etc/httpd/htpasswd
>     AuthGroupFile /usr/local/etc/httpd/htgroup
>     Require group admins
> </Directory>
> 
> 
> This seems to work fine.  As soon as I authenticate, I'm pushed into
> https.  But is the authentication itself actually encrypted?  What is
> apache's behavior in this case?

I'm not an expert, and you should confirm this yourself by looking at
the actual data going over the wire, but I believe that apache httpd
will do the auth first, then the redirect, then the auth should be
requested again.  The first one goes in plain text and the second one
is encrypted.

To prevent this, put the auth stuff inside the ssl <VirtualHost> section.

Joshua.
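The following is an added example (it is not from the thread and not Ashley's or Joshua's config) that restructures the quoted <Directory> block the way Joshua suggests. The hostname, document path and htpasswd/htgroup locations are taken from the quoted config; the certificate file paths are assumptions. The reason the original ordering exposes the first challenge is that a RewriteRule placed inside <Directory> is applied by mod_rewrite in the fixup phase, after httpd has already run authentication and authorization for the request. A plain-HTTP request for the protected directory is therefore answered with a 401, the browser prompts and sends the Basic credentials over HTTP, and only after that succeeds does the rewrite produce the redirect. Moving the redirect into the port-80 vhost (mod_alias Redirect, which runs during URI translation, ahead of auth) and configuring AuthType only in the port-443 vhost means no challenge is ever issued over plaintext.

```apache
# Added example, not from the original thread: Ashley's policy restructured so
# that the Basic-auth challenge can only be issued inside the TLS vhost.
# Certificate paths below are assumptions; everything else is from the quoted
# config.

# Plain-HTTP vhost: deliberately contains no AuthType at all. mod_alias's
# Redirect is applied during URI translation, before any authentication hook,
# so http://www.ucop.edu/blah/blah/... is answered with a 301 and the client is
# never asked for credentials on this port.
<VirtualHost *:80>
    ServerName www.ucop.edu
    Redirect permanent /blah/blah https://www.ucop.edu/blah/blah
</VirtualHost>

# TLS vhost: the only place the protected directory is configured, so the
# 401 + WWW-Authenticate challenge (and the Authorization header that follows)
# can only travel over the encrypted connection.
<VirtualHost *:443>
    ServerName www.ucop.edu
    SSLEngine on
    # assumed certificate and key locations
    SSLCertificateFile /usr/local/etc/httpd/ssl/www.ucop.edu.crt
    SSLCertificateKeyFile /usr/local/etc/httpd/ssl/www.ucop.edu.key

    <Directory /web/www-data/blah/blah>
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /usr/local/etc/httpd/htpasswd
        AuthGroupFile /usr/local/etc/httpd/htgroup
        Require group admins
    </Directory>
</VirtualHost>
```

To confirm the behaviour on the wire, as Joshua recommends, request the protected path over both schemes with `curl -sI http://www.ucop.edu/blah/blah/` and `curl -sI https://www.ucop.edu/blah/blah/`: the first must come back as a 301 with a Location header and no WWW-Authenticate header, and only the second should be a 401 with `WWW-Authenticate: Basic`. If the shared <Directory> block cannot be split across vhosts, adding `SSLRequireSSL` inside it is a fallback: mod_ssl enforces it in the access-check phase, before the authentication phase, so a plaintext request is refused with 403 rather than challenged for credentials (without the convenience of a redirect).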

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.