Secure SSL on Apache using Auth and Canonical Redirection

I read a few posts on how to redirect to SSL, as well as some on how to make sure the site uses the www subdomain / canonical name, and some on how to configure Basic Auth. Here is what I have in my .htaccess file right now:

 RewriteEngine on

 # Rule 1: force HTTPS on any host
 RewriteCond %{HTTPS} !=on
 RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

 # Rule 2: force the canonical www host name
 # (in a per-directory .htaccess the captured path has no leading slash,
 #  so %{REQUEST_URI} is used instead of $1 to build the target)
 RewriteCond %{HTTP_HOST} !^www\.site\.com$ [NC]
 RewriteRule ^ https://www.site.com%{REQUEST_URI} [R=301,L]

 # Basic authentication
 AuthName "Locked"
 AuthUserFile "/home/.htpasswd"
 AuthType Basic
 Require valid-user

It works quite well, but I would like to optimize it. My questions include:

  • How to avoid double authentication? When I access the non-SSL site I have to go through authentication, then I am redirected to SSL and go through authentication again. Can I be redirected first and then authenticated?
  • It seems that the first rule is pretty awesome, because I can use it on any site without changing it. Can rule No. 2 be rewritten to be independent of the site, i.e. so that it forces www on any site, regardless of the domain name (with the best-written rule)? answered here
  • How can I do the reverse as number 3, with a rule that will work on any site to make the site not use www, that is, redirect www.site.com to site.com? answered here
+4
5 answers

For #1:

Put the Auth directives only in the VirtualHost that listens on *:443. You should have two VirtualHosts, one listening on port 80 and one on port 443. Using AuthType Basic over non-SSL connections is a big problem: the username and password are only base64-encoded, so they are sent in the clear with every request (even for images or CSS) made to your http server!

+2

For #1

How to avoid double authentication? Can I just be redirected and then authenticated?

Boom! It works.

 SSLOptions +StrictRequire
 SSLRequireSSL
 SSLRequire %{HTTP_HOST} eq "www.askapache.com"
 ErrorDocument 403 https://www.askapache.com/admin/

See:

Just put the above block at the top of your .htaccess; here is mine:

 SSLOptions +StrictRequire
 SSLRequireSSL
 SSLRequire %{HTTP_HOST} eq "www.askapache.com"
 ErrorDocument 403 https://www.askapache.com/admin/
 AuthType Digest
 AuthName "Protected By AskApache"
 AuthDigestDomain / https://www.askapache.com/admin/
 AuthUserFile /home/askapache/.htpasswd-digest
 Require valid-user
 Satisfy All
+5

If you are using Apache 2.4, you can also avoid double authentication using <If> configuration sections.

 # Redirect to HTTPS
 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

 # Authenticate users only when using HTTPS
 <If "%{HTTPS} == 'on'">
     AuthType Basic
     AuthName "Special things"
     AuthUserFile /etc/blah.htpasswd
     Require valid-user
 </If>

I gave a more nuanced version of this in my answer here.

+2

This is my solution to prevent double authentication, along the lines of the previous replies:

 # RewriteEngine On is required if it is not already enabled in this context
 RewriteEngine On

 # Send plain-http requests for the admin area to https
 RewriteCond %{HTTPS} ^off$ [NC]
 RewriteCond %{REQUEST_URI} /administrator/*
 RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R,L]

 # Challenge for credentials only once the connection is TLS
 <If "%{HTTPS} == 'on'">
     AuthType Basic
     AuthName "Authorization Required"
     AuthUserFile /var/www/vHost/etc/HTTP-Basic-Auth/htaccess-Users
     AuthGroupFile /var/www/vHost/etc/HTTP-Basic-Auth/htaccess-Groups
     #Require valid-user
     Require group Webmins
 </If>
 <Else>
     ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
 </Else>

Even though I do not really need the condition, it can be seen more as additional protection in case the Rewrite does not work for some reason.

+1

Thanks for the answers above; they helped create a unified https and www solution. My only problem is that there are certain conditions under which auth does not kick in, allowing someone to access without credentials. I'm not sure what it is, but maybe you bright people can tell.

This code redirects non-www to www and http to https, with .htaccess auth.

This is the contents of the .htaccess file in the directory that you want to protect:

 RewriteEngine on

 # ensure www.
 RewriteCond %{HTTP_HOST} !^www\. [NC]
 RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/foldername/$1 [L,R=301]

 # ensure https
 RewriteCond %{HTTP:X-Forwarded-Proto} !https
 RewriteCond %{HTTPS} !=on [NC]
 RewriteRule ^(.*)$ https://%{HTTP_HOST}/foldername/$1 [L,R=301]

 # Apache 2.4 If
 <If "%{HTTPS} == 'on' && %{HTTP_HOST} =~ /www/">
     AuthType Basic
     AuthName "Protected folder"
     AuthUserFile "/home/etc/.htpasswds/public_html/foldername/passwd"
     Require valid-user
 </If>
0
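The first answer's split (redirect on port 80, authentication only on port 443) applied to all three of the question's rules, as an added example that is not code from the thread: in VirtualHost context mod_rewrite runs in the URL-translation phase, before the authentication phase, so the http side can redirect without ever issuing a challenge, whereas per-directory .htaccess rewrites only run after auth, which is what produces the double prompt. Host names, certificate paths and the /var/www/site/admin directory are placeholders.

```apache
<VirtualHost *:80>
    ServerName www.site.com          # placeholder host names
    ServerAlias site.com
    RewriteEngine On
    # Generic, site-independent rules: add the www. prefix if it is missing and
    # move to https in a single 301, whatever the domain name is.
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # Reverse form (question 3): strip www. instead, whatever the domain:
    #   RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    #   RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
    # No Auth* directives here: Basic credentials must never cross plain HTTP.
</VirtualHost>

<VirtualHost *:443>
    ServerName www.site.com
    ServerAlias site.com             # certificate must cover both names
    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/site.crt   # placeholder
    SSLCertificateKeyFile /etc/ssl/placeholder/site.key   # placeholder
    RewriteEngine On
    # Same canonical-host rule on the TLS side, for https://site.com/ requests.
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # Authentication is tied to the TLS listener rather than to a request
    # variable, so it cannot be skipped by a mismatch between the redirect
    # condition and an <If> expression.
    <Directory "/var/www/site/admin">
        AuthType Basic
        AuthName "Locked"
        AuthUserFile "/home/.htpasswd"
        Require valid-user
    </Directory>
</VirtualHost>
```

The last answer's gates can disagree: its redirect is skipped whenever a request carries X-Forwarded-Proto: https, while its <If> checks only %{HTTPS}, so a plain-http request with that header gets neither the redirect nor the challenge unless the server really sits behind a TLS-terminating proxy that controls the header. Binding auth to the port avoids that class of mismatch.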

Source: https://habr.com/ru/post/1336556/
