Re: Rewrite Rules, SSL, and .htaccess

From: Jeremy Miller (jm_at_gblx.net)
Date: 03/25/04

  • Next message: Jeff Bollinger: "Re: Rewrite Rules, SSL, and .htaccess"
    Date: Thu, 25 Mar 2004 11:25:33 -0700
    To: davec <davec@webpipe.net>
    
    

    davec wrote the following on 03/24/04 23:47:
    > Hi,
    > I have a .htaccess file protecting a certain directory on my site. When
    > I tried using the following Apache redirect, I was prompted for my
    > password once on the http version, and once on the https version:
    > <VirtualHost 192.168.3.7:80>
    > Redirect / https://www.mydomain.com/
    > </VirtualHost>
    > The point of using SSL on the password protected directory is to protect
    > the password from being passed in clear text. I think that a RewriteRule
    > would probably do the trick, but after reading the apache documentation
    > (version 2.0.40) I have still not been able to set one up that works
    > properly for the various ways of accessing the site such as
    > http://www.mydomain.com/dir or www.mydomain.com/dir or mydomain.com/dir
    > or http://www.mydomain.com/dir/index.html etc.
    > Any suggestions?
    > Thanks,
    > Dave
    >
    >

    I've got a similar setup on a box running Apache 1.3.26. Here's what I do:

    <VirtualHost _default_:443>
    ...
      DocumentRoot "/usr/local/website"
      ServerName myhost.org
    ...
      <Directory "/usr/local/website">
       AuthName "Restricted Area"
       AuthType Basic
       AuthUserFile "/path/to/user/file"
       require user myuser
      </Directory>
    ...
    </VirtualHost>

    Then in "/usr/local/website/.htaccess" I have:

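    RewriteEngine on
    # RewriteBase takes a URL path, not a filesystem path; this .htaccess
    # sits in the DocumentRoot, so the base is "/"
    RewriteBase /
    # Only requests that did not arrive on port 443 are redirected
    RewriteCond %{SERVER_PORT} !^443$
    # [R] sends an external redirect to https, [L] stops further rewriting
    RewriteRule ^(.*)?$ https://%{SERVER_NAME}/$1 [L,R]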

    With this setup, any http (80) request to the server like
    'http://myhost.org/some/file.html' will first result in the client being
    forwarded to https (443), then asked to authenticate (only once) before
    being given 'https://myhost.org/some/file.html'.

    Hope this helps.

    -- 
    -jm
    GPG Key ID: 0x7A245D01
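
A check for the behaviour discussed in this thread, added here as an example and not part of the original messages: it classifies what a server answers on plain HTTP and flags a Basic auth challenge that is issued before the redirect to https. The function names and the sample responses are constructed for illustration.

```python
# Added example; the sample responses are constructed, not captured traffic.
from urllib.parse import urlsplit

OK = "OK: redirected to https before any auth challenge"
FAIL_AUTH = "FAIL: Basic auth challenge sent over plain http"
FAIL_SCHEME = "FAIL: redirect target is not https"
FAIL_CLEAR = "FAIL: answered over plain http without redirecting"
WARN_PATH = "WARN: redirect does not keep the requested path"

def parse_head(raw):
    """Return (status_code, headers) from a raw HTTP response head."""
    lines = raw.split("\r\n\r\n", 1)[0].splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit(path, raw):
    """Classify the port-80 response the server gave for `path`."""
    status, headers = parse_head(raw)
    # A 401 on http makes the browser send the password in clear text.
    if status == 401 or "www-authenticate" in headers:
        return FAIL_AUTH
    if status in (301, 302, 303, 307, 308):
        target = urlsplit(headers.get("location", ""))
        if target.scheme != "https":
            return FAIL_SCHEME
        return OK if target.path == path else WARN_PATH
    return FAIL_CLEAR

# Constructed port-80 responses for several ways of reaching the directory.
SAMPLES = {
    "/dir/index.html": "HTTP/1.1 302 Found\r\n"
                       "Location: https://myhost.org/dir/index.html\r\n\r\n",
    "/dir": "HTTP/1.1 401 Authorization Required\r\n"
            'WWW-Authenticate: Basic realm="Restricted Area"\r\n\r\n',
    "/dir/": "HTTP/1.1 302 Found\r\nLocation: https://myhost.org/\r\n\r\n",
    "/dir/a.html": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
}

def audit_all(samples=SAMPLES):
    return {path: audit(path, raw) for path, raw in samples.items()}

if __name__ == "__main__":
    for path, verdict in audit_all().items():
        print(f"{path:18} {verdict}")
```

To use it against a real server, feed it the response head returned for each URL variant requested over http without following redirects.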
    
