Re: Noobie Htaccess/ SSL authentication

Igor,

Thanks for the response.

My only issue with your response is that specifying the exact folder name
/secure isn't an option. Here's why:

We allow users to create any directory name they want with the understanding
that if they name the folder ending with "login-only" that it will be a
protected folder.

So Joe User comes along and wants a secure folder for his pages.

Www.mydomain.com/coolsubfolder/secretstuff-login-only/

Since he put "login-only" at the end we have httpd set up to force any user
to authenticate to our ldap.

Here is what our httpd.conf says:
<Directory ~ "login-only">
   AddHandler cgi-script .cgi
   Options +ExecCGI  +Includes Indexes FollowSymLinks
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthType Basic
   AuthName "LDAP Authentication"
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative off
   AuthLDAPBindDN "xxxxxx"
   AuthLDAPBindPassword "xxxxxxxxx"
   AuthLDAPURL "ldap://xxxxxx"
   require valid-user
</Directory>

At least this is my understanding. I didn't code any of this, just inherited
the issue.

Appreciate your time and help.

Thanks,
Tony

On 12/9/10 1:56 PM, "Igor Galić" <i.galic@xxxxxxxxxxxxxx> wrote:

> 
> ----- "Anthony Kowalick" <btv1==958707bf13f==tkowalic@xxxxxxxxxxxx> wrote:
> 
>> Excuse me for my ignorance on Apache up front and sorry if this email
>> is duplicated....
>> 
>> Here is my situation (hopefully I'm explaining it correctly).
>> 
>> We have an apache 2 server, using AuthLDAP for htaccess user/pass.
> 
> Let's hear what #httpd Channel bot fajita has to say about that:
> 
> <fajita> Don't confuse htaccess with password-protection. The
>   purpose of htaccess is to enable users to configure apache
>   locally for their own directories, when they have no privilege
>   to do so in httpd.conf. Using htaccess slows the server. Also
>   rewriterules and redirects are more complex in htaccess
> 
>> I am trying to set it up so that if a user goes to a page which requires
>> authentication that that htaccess login is forced to HTTPS/SSL so it's
>> not clear text.
>> 
>> For example.(folder names are not specific, examples only)
>> 
>> http://Www.mydomain.com/secure
>> 
>> This page requires LDAP auth but since the user didn't type HTTPS it's
>> clear text.
>> 
>> How can I force Apache to say OK, this isn't HTTPS, redirect to HTTPS and
>> then pop the login box and it's not clear text?
>> 
>> I have tried all of these below
>> 
>> * RewriteCond %{SERVER_PORT} !^443$
>>   RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
>> This pops the login box but only after it shows the content of the page
>> first. "hello world"
>> 
>> * SSLOptions +StrictRequire
>> SSLRequireSSL
>> SSLRequire %{HTTP_HOST} eq "mydomain.com"
>> This fails to load any page if the user doesn't explicitly type HTTPS in
>> browser.
>> 
>> So what I'm looking to do is say:
>> 
>> User types in http://www.mydomain.com/secure
>> 
>> Apache says OK, that folder requires AUTH, let's first go to HTTPS, require
>> LDAP login then show the page.
> 
> Maybe I can break this down to something reasonable:
> 
> <VirtualHost *:80>
>    ServerName www.mydomain.com
>    DocumentRoot /srv/web/www.mydomain.com/htdocs
>    Redirect permanent /secure https://www.mydomain.com/secure
> </VirtualHost>
> 
> <VirtualHost *:443>
>    ServerName www.mydomain.com
>    DocumentRoot /srv/web/www.mydomain.com/htdocs
> 
>    SSLEngine On
>    OtherSSLOptions
>    
>    <Location /secure>
>       AuthStuffHere
>    </Location>
> </VirtualHost>
> 
> 
>> Hope this makes sense.
> 
> So do I.
> 
>> Regards,
>> Tony
> 
> i



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
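
The redirect-then-authenticate layout from the quoted reply, applied to the "login-only" naming rule instead of a fixed /secure path. This is an added example, not part of either message; it assumes Apache 2.2-style directives as in the posted config, URL paths that map directly under DocumentRoot, and placeholder certificate paths. The CGI handler and Options lines from the posted block are left out for brevity.

```apache
# Added example, not from the thread. Assumes Apache 2.2-style directives
# (as in the posted config) and that URL paths map directly under DocumentRoot.

<VirtualHost *:80>
    ServerName www.mydomain.com
    DocumentRoot /srv/web/www.mydomain.com/htdocs

    # Any URL path containing "login-only" is redirected to HTTPS. mod_alias
    # answers during URL translation, before authentication runs, so no
    # Basic auth prompt is ever issued over plain HTTP.
    RedirectMatch permanent ^/(.*login-only.*)$ https://www.mydomain.com/$1

    # Fallback: if such a directory is reached on port 80 some other way,
    # refuse to serve it instead of serving it without authentication.
    <Directory ~ "login-only">
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName www.mydomain.com
    DocumentRoot /srv/web/www.mydomain.com/htdocs

    SSLEngine On
    # Placeholder paths (assumption); use the site's real certificate and key.
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # The LDAP settings from the posted config, now only reachable over TLS.
    <Directory ~ "login-only">
        SSLRequireSSL
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthName "LDAP Authentication"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPBindDN "xxxxxx"
        AuthLDAPBindPassword "xxxxxxxxx"
        AuthLDAPURL "ldap://xxxxxx"
        Require valid-user
    </Directory>
</VirtualHost>
```

This covers the browser-to-Apache leg only; whether the Apache-to-LDAP bind is encrypted depends on the AuthLDAPURL scheme and mode, which the masked value here does not show.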



