SSL and Auth required, prompts for username BEFORE establishing SSL


Post by David Mathog » Wed, 16 May 2001 07:41:07



I want to set up a directory that has these features:

  1.  accessible only via https
  2.  mod_auth protected (so it will prompt for username/password)
  3.  network restricted

I can get there (almost) with this:

<Directory "/usr/local/apache/htdocs/safe_ssl_auth">
    # has to be through https
    RewriteEngine        on
    RewriteCond          %{HTTPS} !=on
    RewriteRule          (.*)$ https://%{SERVER_NAME}/safe_ssl_auth/$1 [R]
    # has to be from local subnet
    Order deny,allow
    Deny from all
    Allow from XXX.XXX.0.0/16
    #
    Satisfy all
    # has to be a valid user
    AuthType             basic
    AuthName             "safe password protected area"
    Require              valid-user
</Directory>

This works properly if a user goes in with:

  https://server/safe_ssl_auth/document.html

and it does a redirect for:

  http://server/safe_ssl_auth/document.html

Unfortunately, it asks for a username/password BEFORE it does the http->https
redirect.  The browser isn't showing the "lock" in place, so I'm assuming
that this first username/password is going unencrypted.  If I restart the
browser it asks for that pair before it puts up the certificate dialog (I'm
using a test server certificate.)  Worse, it asks for the username/password
twice, and it won't get to the encrypted one unless it is fed a correct
pair first!

I've tried putting a mod_auth protected subdirectory within the SSL space,
hoping the "outer" rule would fire first, but it doesn't.  I've also tried
putting <IfDefine HTTPS> around the auth part, but apparently that fires
once at httpd startup and isn't useful in this context.

Is there some way to force httpd to process rules in a specified order or
conditionally?  If it could be forced to do the https rewrite first it
would presumably bail out before it got to the auth pieces.

Note that the URL redirect of http to https for a given directory only
requires:

<Directory "/usr/local/apache/htdocs/ssl_dir">
    RewriteEngine        on
    RewriteCond          %{HTTPS} !=on
    RewriteRule          (.*)$ https://%{SERVER_NAME}/ssl_dir/$1 [R]
</Directory>

This works because the /usr/local/apache/htdocs/ssl_dir is stripped down to
just ssl_dir, but the HTTPS symbol is set.

Thanks,

David Mathog

Manager, sequence analysis facility, biology division, Caltech
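The ordering asked about above is decided by Apache's request phases rather than by the order of directives: a RewriteRule inside a <Directory> block runs in the fixup phase, after mod_auth has already sent its 401 challenge, whereas a RewriteRule at virtual-host level runs during URI translation, before any access or authentication check. The configuration below is an added example, not from the original post; it moves the redirect into the plain-HTTP virtual host and adds SSLRequireSSL (evaluated in the access phase, before authentication) so that a request arriving without TLS is refused rather than challenged; the hostname, certificate paths, htpasswd file and the 10.0.0.0/16 subnet are placeholders.

```apache
# Shared per-directory policy, applied in both virtual hosts.
<Directory "/usr/local/apache/htdocs/safe_ssl_auth">
    # Access phase (before authentication): a non-TLS request is answered
    # with 403 here, so mod_auth never gets to ask for a password over HTTP.
    SSLRequireSSL
    # Network restriction, also decided in the access phase.
    Order deny,allow
    Deny from all
    # placeholder subnet
    Allow from 10.0.0.0/16
    Satisfy all
    # Authentication phase: only reachable once TLS and subnet checks passed.
    AuthType     basic
    AuthName     "safe password protected area"
    # placeholder credential file
    AuthUserFile /usr/local/apache/conf/htpasswd
    Require      valid-user
</Directory>

# Plain-HTTP host: vhost-level rewrite fires at URI translation, so the
# browser is redirected before the access and authentication phases run.
<VirtualHost *:80>
    # placeholder hostname
    ServerName   www.example.org
    DocumentRoot /usr/local/apache/htdocs
    RewriteEngine on
    RewriteRule  ^/safe_ssl_auth(.*)$ https://%{SERVER_NAME}/safe_ssl_auth$1 [R=301,L]
</VirtualHost>

# HTTPS host: the only place the password prompt can now be issued.
<VirtualHost *:443>
    # placeholder hostname
    ServerName   www.example.org
    DocumentRoot /usr/local/apache/htdocs
    SSLEngine    on
    # placeholder certificate and key
    SSLCertificateFile    /usr/local/apache/conf/ssl/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key
</VirtualHost>
```

The Order/Deny/Allow and Satisfy directives match the Apache 1.3/2.2 era of the post; on Apache 2.4 the same subnet restriction is written with `Require ip 10.0.0.0/16` inside a `<RequireAll>` block.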


Post by Paul Rubi » Wed, 16 May 2001 07:59:24



> Unfortunately, it asks for a username/password BEFORE it does the http->https
> redirect.  The browser isn't showing the "lock" in place, so I'm assuming
> that this first username/password is going unencrypted.

It's still encrypted, the browser just doesn't show the lock as soon
as it should.  See the mod_ssl FAQ.
