开发者

Force SSL on Apache, with Auth and Canonical redirect

开发者 https://www.devze.com 2023-02-05 22:15 出处:网络
I\'ve read some posts on how to redirect to SSL, also some on how to make sure a site is using the www subdomain / canonical name, and some on how to set up Basic Auth. Here is what I have in my .htac

I've read some posts on how to redirect to SSL, also some on how to make sure a site is using the www subdomain / canonical name, and some on how to set up Basic Auth. Here is what I have in my .htaccess file right now:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


RewriteEngine on
RewriteCond %{HTTP_HOST} !(^www\.site\.com*)$
RewriteRule (.*) https://www.site.com$1 [R=301,L]


AuthName "Locked"
AuthUserFile "/home/.htpasswd"
AuthType Basic
require valid-user

It works fairly well, but I'd like to optimize it. My questions include:

  1. How do I avoid double authentication? When I access the site w.o. SSL I have to authenticate, and 开发者_如何转开发then I am redirected to SSL and have to authenticate again. Can I just be redirected and then authenticated?
  2. It looks like the first rule is pretty awesome because I could use it on any site without modifying it. Can rule #2 be rewritten to be site-independent? ie: it will force www to be used on any site no matter what the domain name is (with a better written rule)? answered here
  3. How would I do the reverse of number 3 with a rule that would work on any site to force the site not to use www, ie redirect to site.com from www.site.com? answered here


For #1

How to avoid double authentication? Can I just be redirected and then authenticated?

Boom! This works.

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.askapache.com"
ErrorDocument 403 https://www.askapache.com/admin/

See:

  • http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html
  • http://www.askapache.com/htaccess/ssl-example-usage-in-htaccess.html
  • http://www.askapache.com/htaccess/htaccess.html

Just put that above block at the top of your .htaccess, here is mine:

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.askapache.com"
ErrorDocument 403 https://www.askapache.com/admin/

AuthType Digest
AuthName "Protected By AskApache"
AuthDigestDomain / https://www.askapache.com/admin/
AuthUserFile /home/askapache/.htpasswd-digest
Require valid-user
Satisfy All


If you're using Apache 2.4 you can also avoiding the double authentication using configuration sections.

# Redirect to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

# Authenticate users only when using HTTPS
<If "%{HTTPS} == 'on'">
    AuthType Basic
    AuthName "Special things"
    AuthUserFile /etc/blah.htpasswd
    Require valid-user
</If>

I've given a more refined version of this in my answer here.


For #1:

Set the Auth instructions only on the VirtualHost which is listening on *:443. You should have 2 VirtualHosts, one listening on port 80 and one on port 443. Using AuthType Basic on non-SSL communication is a big issue, username and password are just base64 encoded, so it's in clear on every requests (even images or css) that are used on your http server!


This is my solution in order to prevent double authentications of previous re-writes like:

RewriteCond %{HTTPS} ^off$ [NC]
RewriteCond %{REQUEST_URI} /administrator/*
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R,L]


<If "%{HTTPS} == 'on'">
  AuthType       Basic
  AuthName      "Authorization Required"
  AuthUserFile   /var/www/vHost/etc/HTTP-Basic-Auth/htaccess-Users
  AuthGroupFile  /var/www/vHost/etc/HTTP-Basic-Auth/htaccess-Groups
  #require       valid-user
  require        group Webmins
</If>

<Else>
  ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
</Else>

Even though I don't the condition is really required - its more there as an additional security fallback if the Rewrite won't work for some reason.


Thanks for the replied above, it help to create the combined https and www solution. My only concern is if there are certain conditions whereby the auth is not triggered allowing someone access without the credentials. I'm not sure there are, but maybe you bright people may say otherwise.

This code redirects non-www to www and http to https, with .htaccess folder auth.

This is the contents of the htaccess file in the directory you want to protect:

RewriteEngine on
# ensure www.
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/foldername/$1 [L,R=301]
# ensure https
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/foldername/$1 [L,R=301]

# Apache 2.4 If
<If "%{HTTPS} == 'on' && %{HTTP_HOST} =~ /www/">
AuthType Basic
AuthName "Protected folder"
AuthUserFile "/home/etc/.htpasswds/public_html/foldername/passwd"
require valid-user
</If>
0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号