
I have an Apache web server hosted on one.com. The OpenSSL module is active and working. I can manipulate .htaccess and I see the reactions. I want to rely on SSL, and redirection by rewriting works fine. Also, I need user authentication. It works fine with AuthType Basic. There is just one downside: when a user requests http://sub.example.com/non-existent-file (without SSL, of course with my real domain name), they will see a log-in prompt without SSL. Of course, I want to prohibit sending passwords unencrypted. I read that the simplest solution would be to use the SSLRequireSSL directive, but my Apache doesn't seem to like it. Let me break down the example to reproduce the error. A completely blank .htaccess file lets the server provide content on both http and https. If I add only SSLRequireSSL and nothing else into .htaccess, I get an HTTP 500 internal server error.

.htaccess:

    SSLRequireSSL

→ 500 internal server error

Why is that and how should I use SSLRequireSSL instead?

My complete .htaccess file without SSLRequireSSL:

<IfModule mod_rewrite.c>
    # Force HTTPS: send every plain-http request to the same URL over https
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=307]
    # Redirect is a mod_alias directive, not mod_rewrite; it works here as long as mod_alias is loaded
    Redirect 307 /index.php /pages/welcome.php
</IfModule>

<IfModule mod_authn_file.c>
    AuthName "Get username and password from admin."
    AuthType Basic
    # Choose the password file by client address (directive names are case-insensitive, so <if> and <If> are equivalent)
    <If "%{REMOTE_ADDR} -ipmatch '192.168.0.0/24'">
        AuthUserFile /home/user/www/sub.example.com/html/.htpasswd
    </If>
    <Else>
        AuthUserFile /customers/1/a/0/example.com/httpd.www/sub/.htpasswd
    </Else>
    Require valid-user
    # Apache 2.2-style access control (mod_access_compat on 2.4): a matching
    # client address/host OR valid credentials is enough because of Satisfy Any
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/24 w3.org googlebot.com
    Satisfy Any
</IfModule>

I could not determine my Apache version. The PHP function apache_get_version() does not exist. php_sapi_name() returns cgi-fcgi. I can access an SSH terminal. There is no command starting with apache… or Apache…. But I suppose Apache is running, because phpinfo() shows a constant $_SERVER['SERVER_SOFTWARE'] set to Apache and $_ENV['SERVER_SOFTWARE'] also set to Apache.

Tils
  • The executable may be called httpd, or find out which process is listening on port 80 (lsof -Pn). The Apache config decides what you can do in .htaccess. TLS has already been decoded by the time Apache knows which file to serve. I somewhat doubt .htaccess is the right place to start authentication. – Gerard H. Pille Apr 26 '20 at 05:42
  • Thanks @Gerard. apache*, httpd and lsof commands are not accessible. `netstat -anp | grep :80` gave `tcp6 0 0 :::80 :::* LISTEN -`, so there is no binary name given. `netstat -anp | grep apache` and `netstat -anp | grep httpd`: no results. `netstat -anp | grep tcp` gave empty PID/program name/path details. The host runs Ubuntu, I tried to consult the package manager. apt*, rpm and yum are not accessible. You suggested .htaccess might not be the right place for authentication. Why and what alternative do you suggest? – Tils Apr 27 '20 at 16:50
  • It would be the Apache configuration, probably /etc/apache2/apache2.conf or files included, ./mods-enabled/*.conf and ./sites-enabled/*.conf. Inside a .htaccess, you can only do what the configuration has permitted. – Gerard H. Pille Apr 27 '20 at 17:37
  • Doesn't phpinfo() show you the apache2handler, with, among others, Apache Version Apache/2.4.38 (Debian)? – Gerard H. Pille Apr 27 '20 at 17:40
  • SSLRequireSSL is only allowed in .htaccess if the configuration specifies "AllowOverride AuthConfig". See https://httpd.apache.org/docs/current/howto/htaccess.html – Gerard H. Pille Apr 27 '20 at 18:00
  • In /etc/ there is no directory visible called apache*. There is a file /etc/php_version whose content is “default”. phpinfo() mentions *apache* in only 2 constants: `$_SERVER['SERVER_SOFTWARE'] == 'Apache'` and `$_ENV['SERVER_SOFTWARE'] == 'Apache'`. I suppose, `AllowOverride AuthConfig` should go in the server config. Unfortunately, I don’t even see /etc/apache*/. – Tils Apr 28 '20 at 22:08
  • What OS is this? Any other version files in /etc containing something useful? – Gerard H. Pille Apr 28 '20 at 23:04
  • Upon logging in via ssh, it tells me it's Ubuntu. When I do lsb_release, it says “command not found”. cat /etc/os-release offers a dozen lines about the Ubuntu version → 18.04.4 LTS. Indeed there are configuration files with meaningful content. But I'd have expected a greater number of files and folders in /etc; there are fewer than 50. – Tils Apr 29 '20 at 01:39
  • Are you logged on as root? – Gerard H. Pille Apr 29 '20 at 04:48
  • I sign in as a restricted user and I cannot elevate by su/sudo: `bash: sudo: command not found`. – Tils Apr 29 '20 at 23:20

1 Answer

This is how I managed it using .htaccess:

# Redirect plain http to https first
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Only demand Basic credentials once the connection is TLS, so the
# challenge (and the password) never travel in cleartext
<If "%{HTTPS} == 'on'">
    AuthType Basic
    AuthName "Restricted Files"
    AuthBasicProvider file
    AuthUserFile "/var/www/html/secrets/.passwd"
    Require valid-user
</If>
Gerard H. Pille