[lug] Questions about Apache, .htaccess, and Basic Authorization
Ike Arumba
ike.arumba at charter.net
Sun Dec 19 08:37:55 MST 2010
Hi All,
Hope this is appropriate for BLUG, and my apologies if not. I have a lot
of faith in the expertise of this group, and I haven't been able to find
the answer by grubbing around myself.
For years, I have added some extra protection to admin entry to a web
page by inserting a .htaccess file in the directory containing the php
and html for the admin page.
The file contained the following contents
RewriteEngine On
RewriteCond %{SERVER_PORT} !443
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
#
AuthUserFile /home/xxx/htpasswd_file
AuthGroupFile /dev/null
AuthName "Admin page (password required)"
AuthType Basic
#
<Limit GET>
require user YYY
</Limit>
Where xxx was a directory accessible to the user running apache, but not
inside the directory structure available to be served to the outside
world, and YYY was an unusual username. The intent was to first force a
redirect to https, and then display and prompt for a username and
password.
I operated under the assumption that if I did it this way,
1) the exchange of username and password between server and client was
encrypted
2) all following exchanges would use https and also be encrypted.
Now I am not so sure that assumption 1 is true. I know that basic
authorization would not be encrypted if I left out the Rewrite rules and
used http.
I also do know that assumption 2 is true. With the rewrite rule in
place, the htaccess file makes sure that the communication for the admin
page uses https.
What I am not sure about is whether the exchange of username and
password takes place before or after the switch from http to https, or
even whether it matters?
I also don't know whether it would make a difference if I entered the
site originally by directing the browser to use https, rather than
forcing the rewrite.
How can I tell, short of running a packet sniffer? (which I have never
done, and have little confidence I would understand)
I know that the username and password would be encrypted and safer if I
used digest authorization, rather than basic, but I don't think that is
available to me.
Thanks for any help or advice you can give.
Ike
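One way to answer the "how can I tell" question without a packet sniffer, added here as an example and not part of the original post: fetch the admin URL once over plain http:// with curl, do not follow redirects, and classify that first response. The hostname www.example.com, the path /admin/ and the sample headers below are constructed placeholders; the check relies on the fact that Apache runs the Auth* directives before a per-directory RewriteRule, so a 401 on the plain-HTTP request means the browser will resend the credentials in cleartext before any redirect to https happens.

```shell
#!/bin/sh
# Added example: decide from the FIRST response (no redirects followed) whether
# the server challenges for Basic auth while still on http://.
# Capture the headers for a real server with (placeholder host/path):
#   curl -s -o /dev/null -D - http://www.example.com/admin/ > first_response.txt
#   classify_first_response "$(cat first_response.txt)"

classify_first_response() {
    # $1: raw HTTP response headers (status line plus header lines)
    status=$(printf '%s\n' "$1" | head -n 1 | awk '{print $2}')
    case "$status" in
        401)
            # Credentials were requested on the cleartext connection: the
            # browser will answer with an Authorization header over http://
            # before the RewriteRule ever sends it to https://.
            echo "challenge-over-http" ;;
        301|302|303|307|308)
            location=$(printf '%s\n' "$1" | grep -i '^Location:' | tr -d '\r' | awk '{print $2}')
            case "$location" in
                https://*) echo "redirect-to-https" ;;   # desired: move first, ask later
                *)         echo "redirect-elsewhere" ;;
            esac ;;
        *)
            echo "other:$status" ;;
    esac
}

# Constructed sample headers for the two outcomes (not real captures).
SAMPLE_CHALLENGE='HTTP/1.1 401 Authorization Required
Date: Sun, 19 Dec 2010 15:37:55 GMT
WWW-Authenticate: Basic realm="Admin page (password required)"
Content-Type: text/html'

SAMPLE_REDIRECT='HTTP/1.1 302 Found
Location: https://www.example.com/admin/
Content-Type: text/html'

# Stand-alone demonstration on the constructed samples.
classify_first_response "$SAMPLE_CHALLENGE"   # challenge-over-http
classify_first_response "$SAMPLE_REDIRECT"    # redirect-to-https
```

If the live server reports "challenge-over-http", moving the redirect into the port-80 virtual host (or keeping the Auth* directives only in the HTTPS context) makes the redirect happen before the password prompt.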