[lug] Questions about Apache, .htaccess, and Basic Authorization
Rob Nagler
nagler at bivio.biz
Sun Dec 19 11:26:02 MST 2010
On Sun, Dec 19, 2010 at 8:37 AM, Ike Arumba wrote:
> 1) the exchange of username and password between server and client was
> encrypted
You should be able to see this in your log files. Do you keep a
separate ssl_log? This is the default in Apache.
> 2) all following exchanges would use https and also be encrypted.
Once a browser goes to SSL, it will stay in SSL unless you generate links like:
<a href="http://foo.com/bla">Click here</a>
The user could edit the URL, but that's the user's issue.
> What I am not sure about is whether the exchange of username and password
> takes place before or after the switch from http to https, or even whether
> it matters?
Alas, I doubt it matters. Even with digest auth, the digest can be
cracked in seconds with modern computers. It's more of a "feel good"
thing that passwords are not sent in the clear.
I would recommend something like this:
    # Port 80 vhost: nothing but a permanent redirect to the SSL site
    <VirtualHost *:80>
        ServerName foo.com
        # trailing slash so that /bla becomes https://www.foo.com/bla
        RedirectPermanent / https://www.foo.com/
    </VirtualHost>
and then have a virtual host with your Auth config
    <VirtualHost foo.com:443>
        ServerName foo.com
        SSLEngine on
        # certificate/key paths are placeholders
        SSLCertificateFile /path/to/cert.pem
        SSLCertificateKeyFile /path/to/key.pem
        <Location />
            SSLRequireSSL
            SSLOptions +StrictRequire
            AuthType Basic
            # remaining auth directives (AuthName, AuthUserFile, Require ...)
            ....
        </Location>
        ....
    </VirtualHost>
You don't have an "auth" anything in the port 80 VirtualHost so that
the server doesn't request auth from the user via a clear-text
connection.
Rob
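As an added example (not part of Rob's post or of Apache itself), here is a small offline check of the policy he describes: a response received over plain http on port 80 should be a permanent redirect to an https URL and must never carry an auth challenge. The two raw responses are constructed samples, not captured traffic; the function names are mine.

```python
# Added example, not from the original mailing-list post.
# Audits a raw HTTP/1.x response received over clear text against the
# rule "redirect to https first, never challenge for auth on port 80".

def parse_response(raw: bytes):
    """Split a raw response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers, body


def audit_port80_response(raw: bytes) -> list:
    """Return a list of violations for a response that arrived over plain http.

    An empty list means the response matches the recommended setup:
    301 to an https:// target and no WWW-Authenticate header.
    """
    status, headers, _body = parse_response(raw)
    issues = []
    if "www-authenticate" in headers:
        # The server asked for credentials on a clear-text connection.
        issues.append("WWW-Authenticate challenge sent over clear text")
    if status != 301:
        # RedirectPermanent in the port-80 vhost yields a 301.
        issues.append(f"expected 301 permanent redirect, got {status}")
    location = headers.get("location", "")
    if not location.lower().startswith("https://"):
        issues.append(f"redirect target is not https: {location!r}")
    return issues


# Constructed sample responses (not captured from a real server).
GOOD = (b"HTTP/1.1 301 Moved Permanently\r\n"
        b"Location: https://www.foo.com/\r\n"
        b"Content-Length: 0\r\n\r\n")

BAD = (b"HTTP/1.1 401 Authorization Required\r\n"
       b"WWW-Authenticate: Basic realm=\"Members\"\r\n"
       b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("bad", BAD)):
        print(name, audit_port80_response(raw) or ["ok"])
```

To use it against a live server, feed `audit_port80_response` the bytes of the first response you get from a plain `http://` request; any non-empty result means port 80 is still doing something other than redirecting.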