[lug] Questions about Apache, .htaccess, and Basic Authorization

Ike Arumba ike.arumba at charter.net
Sun Dec 19 12:19:34 MST 2010


Hi Rob,

Thank you for answering. I hesitate to display my ignorance online, so 
if you don't mind I will write to you directly.

I don't have access to the ssl_log on the server that I am currently 
using. It is on a webhosting service and the domain is jailed. I also 
won't have access to a virtual host (at least I think I won't). And I 
cannot control Apache through the httpd.conf file or something like that. 
So I wanted to do it through .htaccess.

Nevertheless I learned from your example, and then went out and grepped 
around a bit more. One solution I found here
  http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html
suggests these settings, under the title "Fixing double-login problem 
and making sure authorization usernames/passwords are not sent in 
cleartext unencrypted."

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "google.com"
ErrorDocument 403 https://google.com

And a more complete one is here
  http://www.htaccesselite.com/htaccess/force-https-and-no-double-login-vt30.html

which suggests

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "domaincom.secure.powweb.com"
AuthUserFile /www/d/domain/.htpasswd
AuthName "Private"
AuthType basic
require user admin56
ErrorDocument 403 https://domaincom.secure.powweb.com/private/index.php


I kind of like the one above. It means I can restrict the domain of 
people entering, and it forces one to enter with SSL. I think these are 
better than what I was using.

Thanks

Ike


On Sun, Dec 19, 2010 at 10:26 AM, Rob Nagler wrote:

> On Sun, Dec 19, 2010 at 8:37 AM, Ike Arumba wrote:
>> 1) the exchange of username and password between server and client was
>> encrypted
>
> You should be able to see this in your log files.  Do you keep a
> separate ssl_log? This is the default in apache.
>
>> 2) all following exchanges would use https and also be encrypted.
>
> Once a browser goes to SSL, it will stay in SSL unless you generate 
> links like:
>
> <a href="http://foo.com/bla">Click here</a>
>
> The user could edit the URL, but that's the user's issue.
>
>> What I am not sure about is whether the exchange of username and password
>> takes place before or after the switch from http to https, or even whether
>> it matters?
>
> Alas, I doubt it matters.  Even with digest auth, the digest can be
> cracked in seconds with modern computers.  It's more of a "feel good"
> thing that passwords are not sent in the clear.
>
> I would recommend something like this:
>
> <VirtualHost *>
>     ServerName foo.com
>     RedirectPermanent / https://www.foo.com
> </VirtualHost>
>
> and then have a virtual host with your Auth config
>
> <VirtualHost foo.com:443>
>     <Location />
>         SSLRequireSSL
>         SSLOptions +StrictRequire
>         AuthType Basic
>         ....
>     </Location>
> ....
>
> You don't have an "auth" anything in the port 80 VirtualHost so that
> the server doesn't request auth from the user via a clear-text
> connection.
>
> Rob
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 
> channel=#hackingsociety
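A small check for the problem discussed above (Basic auth being requested over plain http, and http not redirecting to https). This is an added example, not code from the thread or from either site quoted in it; the example.com URLs and the sample responses are constructed for illustration, and probe() is a convenience wrapper for testing a live site you administer.

```python
"""Flag responses that would make a browser send Basic credentials in the clear."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


def assess(url, status, headers):
    """Return findings for one HTTP response to a protected path.

    An empty list means the exchange matches the intended setup: the
    port-80 side only redirects to https, and the 401 challenge (which
    the browser answers with Authorization: Basic, i.e. base64, not
    encryption) only ever arrives over https.
    """
    scheme = urlsplit(url).scheme
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = []
    if scheme == "http" and status == 401 and "www-authenticate" in hdrs:
        findings.append("401 challenge over http: credentials would be sent unencrypted")
    if scheme == "http" and status in REDIRECTS:
        target = hdrs.get("location", "")
        if urlsplit(target).scheme != "https":
            findings.append("redirect from http does not land on https: " + repr(target))
    if scheme == "http" and status == 200:
        findings.append("200 over http: protected path served without forcing https")
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface the 3xx as an HTTPError instead of following it, so the
    # Location header of the first hop can be inspected.
    def redirect_request(self, *args, **kwargs):
        return None


def probe(url, timeout=10):
    """Fetch url once without following redirects and assess the response."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        return assess(url, resp.getcode(), dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        return assess(url, err.code, dict(err.headers.items()))


# Constructed sample responses (not captured from any real host):
CLEARTEXT_CHALLENGE = ("http://example.com/private/", 401,
                       {"WWW-Authenticate": 'Basic realm="Private"'})
GOOD_REDIRECT = ("http://example.com/private/", 301,
                 {"Location": "https://example.com/private/"})
```

Run probe("http://your.host/private/") against both the http and https URL of the protected directory; the http one should return only an empty list or nothing but a redirect finding-free result.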



More information about the LUG mailing list