httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <jsl...@gmail.com>
Subject Re: [users@httpd] SSL and AuthType Basic
Date Tue, 23 Aug 2005 13:23:29 GMT
On 8/22/05, Ashley Gould <agould@ucop.edu> wrote:
> I want to force use of https on directories where authentication is
> required to avoid sending htpasswords in the clear.  Example:
> 
> <Directory /web/www-data/blah/blah>
>     RewriteEngine        on
>     RewriteCond          %{HTTPS} !=on
>     RewriteRule     (.*) https://www.ucop.edu/blah/blah/$1 [R]
> 
>     AuthType Basic
>     AuthName "Restricted Area"
>     AuthUserFile /usr/local/etc/httpd/htpasswd
>     AuthGroupFile /usr/local/etc/httpd/htgroup
>     Require group admins
> </Directory>
> 
> 
> This seems to work fine.  As soon as I authenticate, I'm pushed into
> https.  But is the authentication itself actually encrypted?  What is
> apache's behavior in this case?

I'm not an expert, and you should confirm this yourself by looking at
the actual data going over the wire, but I believe that apache httpd
will do the auth first, then the redirect, then the auth should be
requested again.  The first one goes in plain text and the second one
is encrypted.

To prevent this, put the auth stuff inside the ssl <VirtualHost> section.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message