On Tue, Aug 23, 2005 at 09:23:29AM -0400, Joshua Slive wrote: > On 8/22/05, Ashley Gould <agould@xxxxxxxx> wrote: > > I want to force use of https on directories where authentication is > > required to avoid sending htpasswords in the clear. Example: > > > > <Directory /web/www-data/blah/blah> > > RewriteEngine on > > RewriteCond %{HTTPS} !=on > > RewriteRule (.*) https://www.ucop.edu/blah/blah/$1 [R] > > > > AuthType Basic > > AuthName "Restricted Area" > > AuthUserFile /usr/local/etc/httpd/htpasswd > > AuthGroupFile /usr/local/etc/httpd/htgroup > > Require group admins > > </Directory> > > > > > > This seems to work fine. As soon as I authenticate, I'm pushed into > > https. But is the authentication itself actually encrypted? What is > > apache's behavior in this case? > > I'm not an expert, and you should confirm this yourself by looking at > the actual data going over the wire, but I believe that apache httpd > will do the auth first, then the redirect, then the auth should be > requested again. The first one goes in plain text and the second one > is encrypted. > > To prevent this, put the auth stuff inside the ssl <VirtualHost> section. > > Joshua. I confirmed with ethereal that you are correct. My fix is to place the RewriteRule under the main server config the the AuthType stuff under my ssl vhost. This works correctly, but it will be hard to maintain. There are over 80 such auth required directories. <VirtualHost _default_:80> [...] <Directory /web/www-data/ucal/prop47> RewriteEngine on RewriteCond %{HTTPS} !=on RewriteRule (.*) https://www.ucop.edu/ucal/prop47/$1 [R] </Directory> </VirtualHost> <IfDefine SSL> <VirtualHost _default_:443> [...] <Directory /web/www-data/ucal/prop47> SSLRequireSSL AuthType Basic AuthName "Restricted Area" AuthUserFile /usr/local/etc/httpd/htpasswd Require user piglet </Directory> </VirtualHost> </IfDefine> > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx > > -- -ashley Did you try poking at it with a stick? --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx