Hello,

I have 2 web servers on one machine : one is serving using plain http, and the other one uses ssl. They're using the same authentication mecanism (the accounts are the same on both servers). They're on the same domain, only the port is different.

I've really only one site to serve (one set of files), but I need to be able to switch to restrict some parts of the site to use https only.

I managed to make it work with apache2 as two virtual hosts : one with ssl and the other without. But when a user accesses for instance http://myserver/service1 and switches to https://myserver/service1, he is asked to log-in once for each virtual host (hence twice).

How should I do to make both sites ask the user to log-on only once so I can have seamless navigation from one site to another ?

Here's my current configuration :

What I can think of is redirect your http request to https. In this way, there is only 1 single sign on for all, since everyone will be accessing https.

I don't think it's quite that simple. I'm having basically the same problem here:
http://www.linuxquestions.org/questi...35#post2930335

someone suggested something but I don't understand what they mean. They never came back.

Perhaps you should try to use a .htaccess file in the protected directory that contains both the rewrite part and the authentication part:
So the rewrite comes first and then the server asks for the authentication

@ ghostdancer : As I understand it, I don't think it's gonna work because a redirection still need to go through the first http url (the client asked for it), and then the second https one (the server redirects the client to it), and therefore the password will be asked for each of them.

@ bathory : I'll try but I think it falls into the same category than the solution of ghostdancer... If this solution was working (as I understand it), that would mean that any server could redirect to any another one using the same credentials (since the full http:// url is given to the rewrite rule)... I don't believe it's working like that...

Also, I want to be able to access some URL both in http and in https. I don't want only a simple redirection, I want all URL to be accessible independently.

As I understand, InDubio suggests you to put your files in a root that is only served by the ssl server, and create an 'empty' http server in which you will put no authentication, but only the redirections to the https site when needed. That way, the authentication is only made on the https site, and the http site serves only as a 'redirection' gateway to the right pages.

For me it doesn't do it because I really want to share the authentication 'session' (how to call it ?) between the two servers.

I don't believe nobody had this problem before : the servers are on the same domain, same IP, same machine... there must be an easy solution with Apache !

First of all, with AuthType Basic, you should probably NOT be doing anything important without SSL, because AuthType Basic sends passwords unencrypted. (see also http://httpd.apache.org/docs/2.2/howto/auth.html, search for "unencrypted")

You're probably interested in the SSLRequireSSL apache directive. I highly suggest reading the docs on that one too. IIRC, it generates 403's, but a customerror page could probably detect a failed attempt on a protected directory and redirect it to https...

Your browser and apache both won't consider an http and an https session to be the same thing. It's a new network connection, thus it's a new session. The only thing that I know of that _will_ share those credentials is cookies. You might consider an alternative to using apache's auth system, such as using php's ldap auth tools instead.

Thanks a lot complich8 for those very interesting informations !

You're right, actually I've planned to secure it once I'm sure I can use this strategy (maybe using digest with ldap so I can still propose login through http for people behind an aggressive firewall).

Very interesting, I've tried this directive already but I've been misleaded by the 403. I thought it was a problem with my configuration. I'll look further at it.

Ok, I'm bit afraid to have to use an application-level authentication mecanism because a part of my website is hosted by a provider who doesn't provide the ldap library...
Do people usually do it this way (cookies) ?

I *think* there's an intermediate way : to pass the session id to the server on each request. But I don't know if it's reliable and secure. Am I wrong ?


Something is not clear for me : where are logon information stored once logged-in through an Apache auth mecanism ? Are they accessible through the standard variables (e.g. in PHP $_SERVER, $_SESSION) ? Can one deal with both server and client auth mecanism or are they totally separated ?
I would be happy to have a good doc about this, if you have.


Thanks already to give me some good pointers.

I was just wondering this myself, until about half an hour ago - whence I stumbled upon an article in wikipedia about HTTP Basic Auth. I'd post the URL here, but this is my first post to this forum, and it won't let me post a URL unless I ask a question or 'introduce myself'. Oh well... search wikipedia for "basic access authentication".

The wikipedia page seems to be a good, pithy description of how HTTP Basic Auth works. I don't think the PHP variables would be populated with HTTP Basic Auth...?

I'm facing the same sort of situation now, in that I want single sign-on across a number of intranets, using LDAP as the authentication mechanism. I think a session database of some kind is the only way this might be possible, but how to do it, I don't know. I want to have the login page in https, but the intranets themselves accessible through http, once a user is authenticated. I'm thinking that the apache server would recognise that a user is authenticated because the client's browser has a domain cookie (all our intranets are within the same domain) with the session ID. Naturally, the sessions would have to expire after a certain time of inactivity etc. etc. Don't know if this is possible, but I'll keep hunting around...

The URL seems to be http://en.wikipedia.org/wiki/Basic_a...authentication. I'll check that soon, thanks.

Hello,

I work for an International Bank
I m looking for an Apache expert to look at our Reverse Proxy problem
experience of SSO is a must.
It is for a 2-3 weeks mission, it is in Belgium but can also be done remotly.
If you are interested, please contact me on my email address and send me CV + daily rate
Thanks