Re: Question about Apache SSL and Rewrites

Joshua,

Thanks for responding.  I had planned on looking into AuthDigest anyway, so I'll go ahead and do that.  If I end up using AuthDigest, would it then make sense to only use SSL when actually logging in?

Also, just for sake of knowledge, how should I go about adding a Rewrite to my SSL host to redirect me to the non-SSL host once I've logged in?

Thanks! -- BTR

On Dec 16, 2007 11:01 AM, Joshua Slive <joshua@xxxxxxxx> wrote:
On Dec 16, 2007 12:17 PM, Bryan Richardson <btricha@xxxxxxxxx> wrote:
> Hello all,
>
> I've set up a Trac site on my server, and I'm trying to configure it such
> that when a user attempts to login, SSL is used.  I *think* I've configured
> my rewrites correctly (see below), but after the login occurs the site is
> still using SSL.  I only want to use SSL for the actual act of logging in,
> and nothing else.  Can anyone help me with this?  See my site configuration
> files below for what I have so far.  Thanks!

Basic auth doesn't work that way. The userid and password are
transmitted on EVERY request, not just when you see the prompt in
the browser. (The browser memorizes the userid/password and resends it
as required.)

So if you want secure authentication with basic, everything needs to
be under SSL.

If you don't want that, your alternatives are digest auth (which is
somewhat more secure than basic) and cookie-based session management.
Cookies are the technique used by most major websites, but they aren't
provided in the standard apache install (because there is no single
standard way to implement cookie-based auth).

To answer your original question of why you aren't redirected back,
it's because you didn't add a Rewrite in your SSL host to send you back
to your non-SSL host. But for the above reasons, you don't want to do
that.

>
> P.S. Can anyone tell me what SSLRequireSSL does and if it's actually
> necessary?

It denies any request that is not over an SSL connection. The way you
used it makes no sense because it only applies to requests served by
the SSL vhost, which are obviously under SSL. The typical way to use
it is to put it in the main server config (outside any vhost) to make
sure that requests for certain directories are only served by the SSL
vhost.

Joshua.
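The configuration pattern Joshua describes, written out as an added example (this is not Bryan's or Joshua's configuration; hostnames, file paths and the /trac prefix are assumptions). The SSLRequireSSL and the Basic auth block sit in the main server config, outside any vhost, so the protected area is covered no matter which vhost the request hits; the plain-HTTP vhost redirects to the TLS vhost before the access check would otherwise answer 403; and the TLS vhost deliberately has no rewrite back to http://, since the browser would carry its remembered Authorization header along with it. A Digest variant is included for comparison: it keeps the cleartext password off the wire, but the rest of the session, including the Trac content itself, is still unencrypted if it runs on port 80.

```apache
# Added example, not the configuration from the thread.  Hostnames,
# certificate/password file paths and the /trac prefix are assumptions.

# --- Main server config (outside any <VirtualHost>) -------------------
# Per-directory config here is inherited by every vhost, so /trac is
# refused on a non-TLS connection regardless of which vhost serves it.
# Basic auth resends the credentials on every request, so the whole
# authenticated area is placed under SSLRequireSSL, not only /trac/login.
<Location /trac>
    SSLRequireSSL
    AuthType Basic
    AuthName "Trac"
    AuthUserFile /etc/apache2/trac.htpasswd    # assumed path, htpasswd(1)
    Require valid-user
</Location>

# --- Plain-HTTP vhost ---------------------------------------------------
# mod_rewrite runs in the URI-translation phase, before mod_ssl's access
# check, so the client is redirected to https:// instead of getting the
# 403 that SSLRequireSSL would produce.
<VirtualHost *:80>
    ServerName trac.example.com
    RewriteEngine On
    RewriteRule ^/trac(.*)$ https://trac.example.com/trac$1 [R=301,L]
</VirtualHost>

# --- TLS vhost ----------------------------------------------------------
<VirtualHost *:443>
    ServerName trac.example.com
    SSLEngine On
    SSLCertificateFile    /etc/apache2/ssl/trac.crt    # assumed path
    SSLCertificateKeyFile /etc/apache2/ssl/trac.key    # assumed path
    # No RewriteRule back to http:// here: it would send the browser,
    # and the Authorization header it now attaches to every request,
    # to port 80 in the clear.
</VirtualHost>

# --- Digest alternative (mod_auth_digest) -------------------------------
# Only a hash derived from the password crosses the wire, so this can be
# used without TLS if you accept that the page content itself and the
# authenticated session are still readable on the network.
<Location /trac-digest>
    AuthType Digest
    AuthName "Trac"
    AuthDigestProvider file
    AuthUserFile /etc/apache2/trac.htdigest    # assumed path, htdigest(1)
    Require valid-user
</Location>
```

Check it with `apachectl configtest`, then confirm from a shell that `http://trac.example.com/trac/` answers 301 to the https:// URL and that a request to the TLS vhost without credentials answers 401 rather than 403; a 403 on the TLS side means SSLRequireSSL ended up in a context where the connection is not recognised as TLS.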

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.