Re: Rewrite Rules, SSL, and .htaccess

From: Jeremy Miller (jm_at_gblx.net)
Date: 03/25/04

Next message: Jeff Bollinger: "Re: Rewrite Rules, SSL, and .htaccess"

Previous message: Peter H. Lemieux: "Re: Rewrite Rules, SSL, and .htaccess"
In reply to: davec: "Rewrite Rules, SSL, and .htaccess"
Next in thread: Jeff Bollinger: "Re: Rewrite Rules, SSL, and .htaccess"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 25 Mar 2004 11:25:33 -0700
To: davec <davec@webpipe.net>

davec wrote the following on 03/24/04 23:47:
> Hi,
> I have a .htaccess file protecting a certain directory on my site. When
> I tried using the following Apache redirect, I was prompted for my
> password once on the http version, and once on the https version:
> <VirtualHost 192.168.3.7:80>
> Redirect / https://www.mydomain.com/
> </VirtualHost>
> The point of using SSL on the password protected directory is to protect
> the password from being passed in clear text. I think that a RewriteRule
> would probably do the trick, but after reading the apache documentation
> (version 2.0.40) I have still not been able to set one up that works
> properly for the various ways of accessing the site such as
> http://www.mydomain.com/dir or www.mydomain.com/dir or mydomain.com/dir
> or http://www.mydomain.com/dir/index.html etc.
> Any suggestions?
> Thanks,
> Dave
>
>

I've got a similar setup on a box running apache 1.3.26 here's what I do:

<VirtualHost _default_:443>
...
  DocumentRoot "/usr/local/website"
  ServerName myhost.org
...
  <Directory "/usr/local/website">
   AuthName "Restricted Area"
   AuthType Basic
   AuthUserFile "/path/to/user/file"
   require user myuser
  </Directory>
...
</VirtualHost>

then in "/usr/local/website/.htaccess" I have:

RewriteEngine on
RewriteBase /usr/local/website
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)?$ https://%{SERVER_NAME}/$1 [L,R]

With this setup any http (80) request to the server like
'http://myhost.org/some/file.html' will first result in the client being
forwarded to https (443), then asked to authenticate (only once) before
being given 'https://myhost.org/some/file.html'

Hope this helps.

-- 
-jm
GPG Key ID: 0x7A245D01

Next message: Jeff Bollinger: "Re: Rewrite Rules, SSL, and .htaccess"

Previous message: Peter H. Lemieux: "Re: Rewrite Rules, SSL, and .htaccess"
In reply to: davec: "Rewrite Rules, SSL, and .htaccess"
Next in thread: Jeff Bollinger: "Re: Rewrite Rules, SSL, and .htaccess"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: IIS
... I agree that both Apache and IIS need hardening and protecting. ... that there will be a new vulnerability found in the not-too-distant ...
(Security-Basics)
Re: Password protection system for web app
... >> Could someone please suggest a very lightweight solution for protecting ... > Depends on what the web server is, ... > let Apache do both the authentication and the directory browsing. ... > and remove the default error page for 403, or auth won't work. ...
(comp.lang.python)
Re: Small Business Server 2003 R2 - OWA
... SBS server? ... "Protecting the world from PSTs and brick backups!" ... This occurs for both http and https. ...
(microsoft.public.exchange.setup)
Re: Foolin an IDS ?
... > is an understanding of the protocols that they are protecting. ... > HTTP, SSL and such. ... I think this is nice paper (about foolin HTTP by Whisker). ...
(Focus-IDS)
Rewrite Rules, SSL, and .htaccess
... I have a .htaccess file protecting a certain directory on my site. ... tried using the following Apache redirect, I was prompted for my password ... once on the http version, and once on the https version: ...
(Focus-Linux)