开发者

How to force HTTPS on a directory AND force HTTPS authentication

问答 作者:

I am wondering what the best way to force HTTPS authentication is.

When I have this in my .htaccess file:

AuthType Basic
AuthName "Developer"
AuthUserFile /usr/local/etc/apache22/passwords/passwords
Require user david

Authentication works, but it authenticates over port 80, sending the password in the clear.

So I figured I would add a Redirect Rule to redirect all non-HTTPS requests to equivalent HTTPS requests:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteBase /~david/
RewriteRule ^(.*)$ https://myserver.tld/~david/$1 [R,L]

This also works, but it first authenicates on port 80, then redirects, then authenicates again on port 443. I do NOT want to authenticate on port 80, because the password will be sent in clear text. I have not been able to figure out a good way to redirect immediately to HTTPS, and then authenicate.

The only way I could figure how to do this is by doing this:

AuthType Basic
AuthName "Developer"
AuthUserFile /usr/local/etc/apache22/passwords/passwords
Require user david
ErrorDocument 403 /403.php
SSLRequireSSL

And having a 403.php PHP script on the / of my server:

<?php

header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);

?>

This is the desired behavior. It requires SSL, so when you try to access the directory on port 80, it spits out a custom error document, and that document to redirects the page to HTTPS.

Thi开发者_如何学Pythons seems like a kludge. Is there a better way to accomplish this?

So the issue you are having is that your or block right now applies to both the HTTPS and the HTTP case. You need untangle this (well actually - you could also use 'satisfy any' - but that is a bit messy in this case).

An easy to debug/understand approach is to go to a structure like:

<VirtualHost *:80>
   ...
   RewriteRule ^/foo/bar/?(.*)$ https://myserver.tld/foo/bar/$1 [R,L]
   # and to guard against typo's...
   <Directory /foo/bar/>
       deny from all
   </Directory>
</VirtualHost>


<VirtualHost *:443>
   ...
   <Directory /foo/bar/>
       BasicAuth .. etc.
       allow from all
   </Directory>
</VirtualHost>

and take things from there.

Dw.

继续阅读:.htaccess

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9