9

I have a development site up that requires a username and password (basic http auth) before the user can see the site. I'd like to redirect to a secure protocol first, before the user can send in the password in clear text. Any thoughts on how to do this using Apache? I have access to the conf and .htaccess files.

The end results would be:

http://xxxx/ -- When user goes here, they get immediately redirected to https:

https -- When user gets here, they get prompted for username / password.

Jay
  • 193
  • 1
  • 5

6 Answers

7

Regardless of how you have the SSL vhost configured, I'd use this configuration for the non-SSL vhost:

<VirtualHost *:80>
    ServerName www.sitename.com
    ServerAlias sitename.com others-if-you-like.com
    ServerAdmin webmaster@sitename.com

    # Permanent (301) redirect of every path to the SSL vhost.
    # RedirectMatch is a mod_alias directive: it takes an optional status,
    # a regex and a target URL, and no mod_rewrite-style [L,R] flags.
    RedirectMatch permanent ^/(.*) https://www.sitename.com/$1

</VirtualHost>

Add lines for your logging, too, but nothing else is needed. Everything will be redirected permanently to the https:// URL, and the SSL site's .htaccess or other access control stuff won't be handled until after the redirect.

Rob F
  • 386
  • 1
  • 6
4

You can use the redirect directive on the http virtualhost to redirect to the https site where authentication is done. You could also use mod_rewrite to do the redirection. The basic thing is just to not set authentication on the http virtualhost and redirect everything to the https virtualhost where authentication is done.

radius
  • 9,545
  • 23
  • 45
  • The issue is these are the same host, domains are the same. Is there a way in the .htaccess to say only apply the auth if https is set? – Jay Oct 16 '09 at 21:36
  • 1
    Sadly this can only be done in a virtualhost, as apache doesn't provide a way to apply different configuration per request at the .htaccess level. You can use the different virtualhosts on different ports to do things differently. – David Pashley Oct 16 '09 at 22:36
  • Yes, you need to use 2 virtual hosts like and and not only one – radius Oct 16 '09 at 23:04
  • While I was hoping to be able to do this in .htaccess, looks like you guys are right, the only way is in the conf files, so I set it up to redirect http to https. Auth is still taken care of in the .htaccess, which is run only when accessing the https site now. Keeping auth in .htaccess has the benefit that if redirection fails for any reason, auth is still used. – Jay Oct 17 '09 at 17:37
1

Our client's webapp is installed in his webuser directory. Authorisation is handled before mod_rewrite rules (https://serverfault.com/a/443185/253111), and we could not get the accepted answer to work, so mod_rewrite did not seem to be an option.

Eventually we explicitly required SSL and used the webapp's root over HTTPS as the 403 and 404 error documents. So when one visits any page over HTTP (which is unauthorized, hence the 403) or a non-existing page (404), they are redirected to https://DOMAIN.TLD/~WEBUSER/admin, for example.

This is the .htaccess file with some extra info in the comments.

### INFO: Rewrites and redirects are handled after authorisation
### @link https://serverfault.com/a/443185/253111

### INFO: Log out of an HTPASSWD session
### This was not always possible, but Firefox and Chrome seem to end the
### session when a new one is started with credentials in the URL, e.g.:
### https://logout:logout@DOMAIN.TLD/~WEBUSER/
### @link http://stackoverflow.com/a/1163884/328272

### FORCE SSL: Refuse plain-HTTP requests (SSLRequireSSL answers them with
### 403) and require a certain Host header. Note that SSLRequire tests the
### request's Host header, not the server certificate, and is deprecated in
### Apache 2.4 in favour of "Require expr". The ErrorDocuments below are
### used to redirect the user to an HTTPS URL.
### @link http://forum.powweb.com/showthread.php?t=61566
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire  %{HTTP_HOST} eq "DOMAIN.TLD"

### HTPASSWD AUTHENTICATION
AuthUserFile /var/www/vhosts/DOMAIN.TLD/web_users/WEBUSER/.htpasswd
AuthType Basic
AuthName "Hello"
Require valid-user

### ERROR DOCUMENTS: Redirect the user in case of a 403 / 404. Because the
### targets are full URLs, Apache answers with a 302 redirect to them instead
### of the original 403 / 404 status.
ErrorDocument 403 https://DOMAIN.TLD/~WEBUSER/admin
ErrorDocument 404 https://DOMAIN.TLD/~WEBUSER/admin

lmeurs
  • 111
  • 2
  • This is a nice solution for hosted website, i.e., sites where one is not allowed to edit Apache settings but only .htaccess files. – masgo Dec 02 '19 at 13:29
0

From this post I learned about using <If> in .htaccess for Apache 2.4+:

# Apache 2.4+: %{HTTPS} is an ap_expr variable, so the scheme is tested per request.
RewriteEngine On
<If "%{HTTPS} != 'on'">
    # Plain HTTP: redirect to the same URL over HTTPS, no auth challenge here.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</If>
<Else>
    # HTTPS only: the Basic challenge is issued on the encrypted connection.
    AuthType Basic
    AuthName "Login"
    AuthUserFile /path/to/auth/file
    Require valid-user
</Else>

That said, if you have an http version of the site at all, there’s nothing you can do to stop a misconfigured client from accidentally sending the plaintext password in its initial unencrypted request.

andrew.n
  • 130
  • 3
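As an added verification step (my own code, not from any of the answers above), here is a small Python checker for the property that Rob F's vhost redirect, radius's two-vhost setup, lmeurs's ErrorDocument trick and the `<If>` variant all rely on: the plain-HTTP side must answer with a redirect to an https:// URL on the same host and must never carry a WWW-Authenticate header, while the HTTPS side must issue the Basic challenge. It parses raw response heads, so the sample responses are constructed and the host name www.sitename.com is just taken from Rob F's example; the fetch_head() helper is an assumed live variant for running the same checks against a real host. A 302 produced by an ErrorDocument that points at a full https URL passes the plain-HTTP check as well.

```python
"""Offline check that the plain-HTTP side of a site only redirects to
HTTPS and never issues a Basic-auth challenge, while the HTTPS side does.
Added example: parses raw HTTP response heads so it runs without a server."""
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_head(raw: str):
    """Split a raw HTTP/1.x response head into (status_code, headers).
    Header names are lower-cased; a repeated header keeps its first value."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return status, headers


def check_plain_http(raw: str, expected_host: str):
    """Findings for the response the non-SSL vhost gives to a request.
    An empty list means: redirect to https on the same host, no challenge."""
    status, headers = parse_head(raw)
    findings = []
    if "www-authenticate" in headers:
        # A browser would answer this challenge in cleartext.
        findings.append("auth challenge issued over plain HTTP")
    if status not in REDIRECT_CODES:
        findings.append(f"expected a redirect, got {status}")
        return findings
    target = urlsplit(headers.get("location", ""))
    if target.scheme != "https":
        findings.append(f"redirect target is not https: {headers.get('location', '')!r}")
    if target.hostname != expected_host:
        findings.append(f"redirect leaves the expected host: {target.hostname!r}")
    return findings


def check_https(raw: str):
    """Findings for the HTTPS response to an unauthenticated request:
    it should be a 401 carrying a Basic challenge."""
    status, headers = parse_head(raw)
    findings = []
    if status != 401:
        findings.append(f"expected 401 challenge, got {status}")
    if not headers.get("www-authenticate", "").lower().startswith("basic"):
        findings.append("no Basic challenge on the HTTPS side")
    return findings


def fetch_head(host: str, path: str = "/", https: bool = False) -> str:
    """Live helper (assumed usage, not exercised offline): fetch a URL without
    following redirects and return its head in the format parse_head() expects."""
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(host, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{name}: {value}" for name, value in resp.getheaders()]
        return "\r\n".join(lines) + "\r\n\r\n"
    finally:
        conn.close()


# Constructed sample responses (not captured from any real site).
HTTP_GOOD = ("HTTP/1.1 301 Moved Permanently\r\n"
             "Location: https://www.sitename.com/admin\r\n"
             "Content-Length: 0\r\n\r\n")
# What the :80 vhost returns if Basic auth is (wrongly) active there too.
HTTP_BAD = ("HTTP/1.1 401 Unauthorized\r\n"
            "WWW-Authenticate: Basic realm=\"Hello\"\r\n"
            "Content-Length: 0\r\n\r\n")
HTTPS_GOOD = ("HTTP/1.1 401 Unauthorized\r\n"
              "WWW-Authenticate: Basic realm=\"Hello\"\r\n"
              "Content-Length: 0\r\n\r\n")


def run_samples():
    """Run the offline checks; returns (http_good, http_bad, https) findings."""
    return (check_plain_http(HTTP_GOOD, "www.sitename.com"),
            check_plain_http(HTTP_BAD, "www.sitename.com"),
            check_https(HTTPS_GOOD))


if __name__ == "__main__":
    for label, result in zip(("http good", "http bad", "https"), run_samples()):
        print(label, "->", result or "OK")
```

To test a deployed host, replace the constructed strings with `fetch_head("www.sitename.com")` and `fetch_head("www.sitename.com", https=True)`; http.client does not follow redirects, so the plain-HTTP check sees exactly the first response the browser would get.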
0

You can also see that blog entry here, which explains how to do this with SSLRequireSSL and a custom ErrorDocument 403 directive that points to a Perl script which redirects to the correct HTTPS URL.

Anthony O.
  • 674
  • 1
  • 5
  • 13
-1

If I recall correctly, http basic authentication is done at the initial handshake before the SSL session is established. So even if you are logging into an SSL server the basic authentication is done in plaintext. That has been one of the longstanding issues with basic authentication. Perhaps one of the other http authentication methods deals with this. It's been a long time since I've looked at this.

Gary B
  • 1
  • 2
  • This is not true. HTTP Auth data is transmitted in the headers of the request, which is done after SSL negotiation. "Basic authentication across an SSL connection, however, will be secure, since everything is going to be encrypted, including the username and password." - http://httpd.apache.org/docs/1.3/howto/auth.html#basiccaveat – Jay Mar 07 '11 at 14:00