Re: Question about Apache SSL and Rewrites

Joshua,

Thanks again for responding.  I've decided to use AuthDigest because of the reasons you mentioned below.  However, while messing around some with .htaccess files, I've come across the following situation that I can't seem to figure out how to fix.

So I have the trac/ directory, which is the parent directory of all the Trac projects I have on my machine.  I want users to have to log in as soon as they attempt to go to a particular project (as opposed to logging in once they click the login link).  I also want to force the use of SSL when at a project's Trac site.  So, in the .htaccess file in my trac/ directory, I have the following:

RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule [^/](.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

This forces the use of SSL when a user clicks on a link for any Trac project site.  Then, in the parent directory of one of my Trac projects (foo/ for example), I have the following in the .htaccess file:

AuthType Digest
AuthName "Foo Project"
AuthDigestDomain /foo/ http://localhost/trac/foo/
AuthUserFile /home/bar/.passwd
Require valid-user

This of course requires a login.  Now, the situation I'm coming across is I'm getting two requests for login; one at http://localhost and the other at https://localhost.  So, it looks to me like the authorization request is occurring before the rewrite, then once the redirect happens it's requiring another login because of the change in address (correct?).  Is there any way (short of using the config files rather than .htaccess files) to force the Rewrite to happen first?  Also, would using Redirects rather than Rewrites fix the problem?  I've already tried to use a Redirect (RedirectMatch, actually), but I couldn't get it to work.  If Redirects would fix the problem then any suggestions on how to use a Redirect in the .htaccess file for this situation would be much appreciated!!!

Thanks! -- BTR

On Dec 16, 2007 1:29 PM, Joshua Slive <joshua@xxxxxxxx> wrote:
On Dec 16, 2007 1:06 PM, Bryan Richardson <btricha@xxxxxxxxx> wrote:
> Joshua,
>
> Thanks for responding.  I had planned on looking into AuthDigest anyway, so
> I'll go ahead and do that.  If I end up using AuthDigest, would it then make
> sense to only use SSL when actually logging in?
>

No, digest auth works the same way as basic except that it is much
more difficult to sniff the password on the wire. So you can often get
away without using SSL at all if you use digest.

> Also, just for sake of knowledge, how should I go about adding a Rewrite to
> my SSL host to redirect me to the non-SSL host once I've logged in?

It's essentially the exact opposite of the rewrite for the non-SSL
host (except you don't need the RewriteCond in either case, since the
port is already fixed in the vhost).

RewriteRule !trac/[^/]+/login$ http://%{SERVER_NAME}%{REQUEST_URI} [L,R]

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
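
Added example, not part of the original thread: a small Python check that reads a trace of responses for a protected Trac URL and flags the double-login symptom described above, where a Digest challenge is issued over plain HTTP before the redirect to SSL. The traces, the finding names and the functions are constructed for illustration; the header values mirror the .htaccess settings quoted in the message.

```python
import re
from urllib.parse import urlsplit

CHALLENGE = ('Digest realm="Foo Project", nonce="constructed", '
             'domain="/foo/ http://localhost/trac/foo/", qop="auth"')

# Constructed traces (request URL, status, response headers); not captured traffic.
# Auth runs before the .htaccess rewrite, as the message describes:
DOUBLE_LOGIN = [
    ("http://localhost/trac/foo/", 401, {"WWW-Authenticate": CHALLENGE}),
    ("http://localhost/trac/foo/", 302, {"Location": "https://localhost/trac/foo/"}),
    ("https://localhost/trac/foo/", 401, {"WWW-Authenticate": CHALLENGE}),
    ("https://localhost/trac/foo/", 200, {}),
]
# The ordering the poster wants: redirect first, a single challenge over SSL.
REDIRECT_FIRST = [
    ("http://localhost/trac/foo/", 302, {"Location": "https://localhost/trac/foo/"}),
    ("https://localhost/trac/foo/", 401,
     {"WWW-Authenticate": 'Digest realm="Foo Project", nonce="constructed", qop="auth"'}),
    ("https://localhost/trac/foo/", 200, {}),
]


def challenge_params(header):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.partition(" ")
    return scheme, dict(re.findall(r'(\w+)="([^"]*)"', rest))


def audit(trace):
    """Return finding codes for auth challenges that involve plain HTTP."""
    findings, origins = [], set()
    for url, status, headers in trace:
        if status != 401:
            continue
        parts = urlsplit(url)
        origins.add((parts.scheme, parts.netloc))
        _, params = challenge_params(headers.get("WWW-Authenticate", ""))
        if parts.scheme != "https":
            findings.append("challenge-over-http")
        if any(u.startswith("http://") for u in params.get("domain", "").split()):
            findings.append("http-uri-in-digest-domain")
    if len(origins) > 1:
        findings.append("login-prompt-per-scheme")
    return list(dict.fromkeys(findings))  # de-duplicate, keep first-seen order


if __name__ == "__main__":
    print(audit(DOUBLE_LOGIN))
    print(audit(REDIRECT_FIRST))
```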


