On 8/22/05, Ashley Gould <agould@xxxxxxxx> wrote:
> I want to force use of https on directories where authentication is
> required to avoid sending htpasswords in the clear. Example:
>
> <Directory /web/www-data/blah/blah>
> RewriteEngine on
> RewriteCond %{HTTPS} !=on
> RewriteRule (.*) https://www.ucop.edu/blah/blah/$1 [R]
>
> AuthType Basic
> AuthName "Restricted Area"
> AuthUserFile /usr/local/etc/httpd/htpasswd
> AuthGroupFile /usr/local/etc/httpd/htgroup
> Require group admins
> </Directory>
>
>
> This seems to work fine. As soon as I authenticate, I'm pushed into
> https. But is the authentication itself actually encrypted? What is
> apache's behavior in this case?
I'm not an expert, and you should confirm this yourself by looking at
the actual data going over the wire, but I believe that apache httpd
will do the auth first, then the redirect, then the auth should be
requested again. The first one goes in plain text and the second one
is encrypted.
To prevent this, put the auth stuff inside the ssl <VirtualHost> section.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|