Force SSL on Apache, with Auth and Canonical redirect
I've read some posts on how to redirect to SSL, also some on how to make sure a site is using the www subdomain / canonical name, and some on how to set up Basic Auth. Here is what I have in my .htaccess file right now:
RewriteEngine On
# force HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# force the www canonical host (per-directory rules see the path without a leading slash, hence the "/" before $1)
RewriteCond %{HTTP_HOST} !^www\.site\.com$
RewriteRule (.*) https://www.site.com/$1 [R=301,L]
AuthName "Locked"
AuthUserFile "/home/.htpasswd"
AuthType Basic
require valid-user
It works fairly well, but I'd like to optimize it. My questions include:
- How do I avoid double authentication? When I access the site without SSL I have to authenticate, and then I am redirected to SSL and have to authenticate again. Can I just be redirected and then authenticated?
- It looks like the first rule is pretty awesome because I could use it on any site without modifying it. Can rule #2 be rewritten to be site-independent? i.e. it will force www to be used on any site no matter what the domain name is (with a better written rule)?
- How would I do the reverse of number 3 with a rule that would work on any site to force the site not to use www, i.e. redirect to site.com from www.site.com?
For #1
How to avoid double authentication? Can I just be redirected and then authenticated?
Boom! This works.
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.askapache.com"
ErrorDocument 403 https://www.askapache.com/admin/
See:
- http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html
- http://www.askapache.com/htaccess/ssl-example-usage-in-htaccess.html
- http://www.askapache.com/htaccess/htaccess.html
Just put that above block at the top of your .htaccess, here is mine:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.askapache.com"
ErrorDocument 403 https://www.askapache.com/admin/
AuthType Digest
AuthName "Protected By AskApache"
AuthDigestDomain / https://www.askapache.com/admin/
AuthUserFile /home/askapache/.htpasswd-digest
Require valid-user
Satisfy All
If you're using Apache 2.4 you can also avoid the double authentication using configuration sections.
# Redirect to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
# Authenticate users only when using HTTPS
<If "%{HTTPS} == 'on'">
AuthType Basic
AuthName "Special things"
AuthUserFile /etc/blah.htpasswd
Require valid-user
</If>
I've given a more refined version of this in my answer here.
For #1:
Set the Auth instructions only on the VirtualHost which is listening on *:443. You should have 2 VirtualHosts, one listening on port 80 and one on port 443. Using AuthType Basic on non-SSL communication is a big issue: username and password are just base64 encoded, so they are in the clear on every request (even images or CSS) served by your http server!
This is my solution in order to prevent double authentications of previous re-writes like:
RewriteCond %{HTTPS} ^off$ [NC]
RewriteCond %{REQUEST_URI} /administrator/*
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R,L]
<If "%{HTTPS} == 'on'">
AuthType Basic
AuthName "Authorization Required"
AuthUserFile /var/www/vHost/etc/HTTP-Basic-Auth/htaccess-Users
AuthGroupFile /var/www/vHost/etc/HTTP-Basic-Auth/htaccess-Groups
#require valid-user
require group Webmins
</If>
<Else>
ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
</Else>
Even though I don't think the condition is really required; it's more there as an additional security fallback if the Rewrite won't work for some reason.
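As an added example (not part of any answer above), this is the two-VirtualHost layout the answer recommends, written out in full: the port-80 host carries no Auth* directives at all, so there is nothing to trigger before the redirect, and the Basic credentials only ever travel inside TLS. The hostnames example.com / www.example.com, the certificate paths and the htpasswd path are assumed.

```apache
# Added example, not from the original answers.
# Hostnames, certificate paths and the htpasswd path are placeholders.

<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    # No Auth* directives here: credentials are never requested over plain HTTP.
    # mod_alias Redirect keeps the request path, so /admin/x -> https://www.example.com/admin/x
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    # Non-canonical TLS host: send to www before any authentication happens.
    ServerName example.com
    SSLEngine on
    # assumed certificate paths
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/site
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    # Browsers that have seen this header will not try plain HTTP again for a year (mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"

    <Directory /var/www/site/admin>
        # The only place Auth* exists, so it can only be reached over TLS on the canonical host.
        AuthType Basic
        AuthName "Admin"
        # assumed htpasswd path
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

Requires mod_ssl, mod_alias and mod_headers to be loaded; with this layout a request to http://example.com/admin/ is redirected twice at most and is only challenged for credentials once, on the final HTTPS www host.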
Thanks for the replies above, they helped me create the combined https and www solution. My only concern is if there are certain conditions whereby the auth is not triggered, allowing someone access without the credentials. I'm not sure there are, but maybe you bright people may say otherwise.
This code redirects non-www to www and http to https, with .htaccess folder auth.
This is the contents of the htaccess file in the directory you want to protect:
RewriteEngine on
# ensure www.
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/foldername/$1 [L,R=301]
# ensure https
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/foldername/$1 [L,R=301]
# Apache 2.4 If
<If "%{HTTPS} == 'on' && %{HTTP_HOST} =~ /www/">
AuthType Basic
AuthName "Protected folder"
AuthUserFile "/home/etc/.htpasswds/public_html/foldername/passwd"
require valid-user
</If>