[lug] Web server authentication issue
Ryan J Nicholson
rjn256 at gmail.com
Tue Aug 28 09:26:26 MDT 2012
Hi Carl,

Putting access directives in the Apache config vs. htaccess in
web-accessible directories is somewhat more secure, and a lot easier
to audit.

I can offer my config to show how to embed access directives into an
Apache config. My setup is very simple: rewrite to HTTPS if the
connection is not using SSL.

This is from Apache 2.2 on Debian stable, so be aware of the many path
differences. In addition, my AllowOverride setting doesn't include
AuthConfig.

<VirtualHost *:80>
    DocumentRoot /var/www
    ServerName www.example.com
    <Directory />
        Options Indexes FollowSymLinks
        HeaderName /HEADER.html
        ReadmeName /README.html
        IndexOptions FancyIndexing SuppressDescription
        AllowOverride None
        UseCanonicalName On
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteCond %{HTTP_HOST} !^www
            RewriteRule (.*) http://%{SERVER_NAME}%{REQUEST_URI} [R,L]
        </IfModule>
    </Directory>
    <Directory /var/www/members>
        <IfModule !mod_rewrite.c>
            SSLRequireSSL
        </IfModule>
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteCond %{HTTPS} off
            RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
        </IfModule>
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/apache.pem
    <Directory />
        Options Indexes FollowSymLinks
        HeaderName /HEADER.html
        ReadmeName /README.html
        IndexOptions FancyIndexing SuppressDescription
        AllowOverride None
        UseCanonicalName On
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteCond %{HTTP_HOST} !^www
            RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
        </IfModule>
    </Directory>
    <Directory /var/www/members>
        AuthType Basic
        AuthName "Credentials required."
        AuthUserFile /etc/apache2/htusers
        Require User john
    </Directory>
</VirtualHost>
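
Added example (not part of the original message): a small audit script for the two properties this layout relies on, namely that AuthType Basic appears only inside a vhost with SSLEngine on, and that AllowOverride does not admit auth directives from .htaccess files. The audit() function and both sample configs are constructed for illustration.

```python
# Constructed sample in the shape of the message's SSL vhost (not the full file).
GOOD = """
<VirtualHost *:443>
SSLEngine on
<Directory />
AllowOverride None
</Directory>
<Directory /var/www/members>
AuthType Basic
AuthUserFile /etc/apache2/htusers
Require user john
</Directory>
</VirtualHost>
"""
# Constructed weak variant: plain HTTP, and .htaccess files may set auth.
BAD = (GOOD.replace("*:443", "*:80").replace("SSLEngine on\n", "")
           .replace("None", "AuthConfig"))

def audit(conf):
    """Flag Basic auth outside an SSL vhost and AllowOverride that admits
    auth directives from .htaccess. Inheritance and Include are not modelled."""
    findings, auth, tls = [], [], set()
    vhost, directory = "main server", None
    for n, line in enumerate(map(str.strip, conf.splitlines()), 1):
        words = line.lower().split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "<virtualhost":
            vhost = f"{line} (line {n})"   # line number keeps vhosts distinct
        elif words[0] == "</virtualhost>":
            vhost = "main server"
        elif words[0] == "<directory":
            directory = line.split(None, 1)[1].rstrip(">").strip()
        elif words[0] == "</directory>":
            directory = None
        elif words[:2] == ["sslengine", "on"]:
            tls.add(vhost)
        elif words[:2] == ["authtype", "basic"]:
            auth.append((vhost, directory))
        elif words[0] == "allowoverride" and {"all", "authconfig"} & set(words[1:]):
            findings.append(f"{vhost} {directory}: AllowOverride admits auth from .htaccess")
    # Evaluate after the whole file is read, so directive order does not matter.
    findings += [f"{v} {d}: AuthType Basic without SSLEngine on"
                 for v, d in auth if v not in tls]
    return findings

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(conf) or "no findings")
```
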