LinuxQuestions.org
Old 01-03-2010, 04:59 PM   #1
sneakyimp
Member
 
Registered: Dec 2004
Posts: 791

Rep: Reputation: 49
mod_rewrite to force https - password request happening first


I have a folder that is password protected. I want to be certain that passwords, when entered, are encrypted. I have therefore set up a mod_rewrite rule to check for https and, if not found, then redirect. The problem is that I'm being prompted twice for the password and the first time it's over plain http. Here's the .htaccess file in the directory named 'folder':

Code:
# force HTTPS for bookstore folder - this doesn't work
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/folder [R=301,L]

AuthType Basic
AuthName "secret place"
AuthUserFile "/home/mydomain/passwd"
require valid-user

I was under the impression that the mod_rewrite code, because it appears first in the .htaccess file. Any tips here?
 
Old 01-03-2010, 06:03 PM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,897

Rep: Reputation: 1322
Hi,

You have to add:
Code:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.domain.com"
ErrorDocument 403 https://www.domain.com

inside the <Directory /path/to/apache/ssl/folder> definition for the ssl host (assuming that the above is the path you want to redirect your users).
Take a look here for a more detailed explanation.

Regards
 
1 members found this post helpful.
Old 01-03-2010, 06:59 PM   #3
sneakyimp
Member
 
Registered: Dec 2004
Posts: 791

Original Poster
Rep: Reputation: 49
THANKS. I believe this is doing what I want. Let me see if I understand this.

q1: These directives are only allowed when you have mod_ssl installed, correct?

q2: These directives are all permissible in an .htaccess file context (which is where I've added them)?


Code:
SSLOptions +StrictRequire
I don't fully understand the text describing this directive, but think I understand that it forbids access if the SSLRequire or SSLRequireSSL directives' conditions are not met.

Code:
SSLRequireSSL
This directive requires SSL to be in effect for ALL requests in the current directory and its subdirectories.

Code:
SSLRequire %{HTTP_HOST} eq "www.domain.com"
This directive requires that the HTTP_HOST value *must be* www.domain.com and nothing else. Is it case sensitive?

Code:
ErrorDocument 403 https://www.domain.com
I don't really know what this is doing. Is it somehow connected to the other 3 statements?
 
Old 01-04-2010, 12:37 AM   #4
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,897

Rep: Reputation: 1322
Quote:
q1: These directives are only allowed when you have mod_ssl installed, correct?
I don't understand what you mean. If you want to use SSL, then you need mod_ssl.
Quote:
q2: These directives are all permissible in an .htaccess file context (which is where I've added them) ?
Yes, they can be used in .htaccess

SSLOptions is like the Options in plain Apache, so what "SSLOptions +StrictRequire" does is enable StrictRequire. On the other hand, StrictRequire means that access is forbidden if the following 2 "require" directives are not satisfied. I think that the domain name should be case insensitive.
Quote:
ErrorDocument 403 https://www.domain.com
I guess this is used so that, if you get a 403 error (Forbidden) from the above 2 "require" directives, you still stay in https.
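
The fix discussed in this thread assembled into one .htaccess, as an added example that is not part of any post. The host name www.example.com and the /folder/ redirect target are assumed placeholders; the authentication block is the one from the first post.

```apache
# .htaccess for /folder/ : added example, not posted by anyone in the thread.
# www.example.com is a placeholder host name.
#
# A per-directory RewriteRule is applied after the authentication check,
# so the rewrite in the first post cannot stop the 401 challenge over HTTP.
# mod_ssl's SSLRequireSSL is evaluated as an access check, ahead of the
# password prompt, so the refusal comes first.

# Keep the denial in force even if "Satisfy any" is set somewhere.
SSLOptions +StrictRequire

# Refuse any request for this directory that did not arrive over SSL/TLS.
SSLRequireSSL

# Also refuse requests whose Host header is not the expected name.
SSLRequire %{HTTP_HOST} eq "www.example.com"

# A full URL here makes Apache answer the refused request with a redirect
# to that URL instead of a 403 page, which moves the browser to HTTPS.
# (Assumption: the redirect target is the protected folder itself.)
ErrorDocument 403 https://www.example.com/folder/

# Basic authentication, unchanged from the first post; it is now only
# reached on HTTPS requests.
AuthType Basic
AuthName "secret place"
AuthUserFile "/home/mydomain/passwd"
Require valid-user
```

For these directives to be honoured in .htaccess, the server configuration must grant AllowOverride AuthConfig (SSLRequireSSL, SSLRequire, the Auth* lines), Options (SSLOptions) and FileInfo (ErrorDocument). A plain-HTTP request for the folder should then come back as a redirect to the HTTPS URL with no WWW-Authenticate header in the response.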
 
  


All times are GMT -5. The time now is 02:22 AM.
