I am trying to protect the ~/public_html/dev directory using HTTP basic auth, but to make that secure I want to run it over SSL.

The middle section of the below .htaccess file switches to https if the request URI begins with /dev and works.

The last section of the file works as well but does not work properly with the https redirect.

I basically want to be able to type http://www.mattpotts.com/dev/some_sub_dir/ and be redirected to https://www.mattpotts.com/dev/some_sub_dir/ and prompted for the http auth username and password.

What currently happens is if I go to http://www.mattpotts.com/dev/some_sub_dir/ I get prompted for a username and password over port 80, and then immediately get prompted again over port 443. So my credentials are being sent twice, once in the clear and once encrypted, which makes the whole https URL rewrite a little pointless.

The reason for doing this is so that I won't be able to accidentally submit my user/pass over http; https will always be used to access the /dev directory.

The .htaccess is in the ~/public_html/dev directory.

# Rewrite Rules for mattpotts.com
RewriteEngine On
RewriteBase /

# force /dev over https
RewriteCond %{HTTPS} !on
RewriteCond %{REQUEST_URI} ^/dev
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

# do auth
AuthType Basic
AuthName "dev"
AuthUserFile /home/firefli/public_html/dev/.htpasswd
Require valid-user
+2  A: 

Protecting content with basic authentication will never work securely over HTTP.

Once the user has entered their username and password, they are sent unencrypted with every page view to that site; they are not just sent the one time the user gets prompted.

You have to treat requests over HTTP as un-authenticated, and do all logged in stuff over HTTPS.

A lot of websites have used HTTPS for the login - using forms and cookies, rather than basic auth - and then go to HTTP afterwards. This means that their 'you are logged in' cookie gets sent unencrypted. Every valuable target has been hacked because of this, and gmail is now switching to full HTTPS and others will follow.

You don't have the same scaling issues that others have had, which have kept them away from the computationally more expensive HTTPS. If your homepage supports HTTPS access, use it throughout.

Will
It bugs me that on re-reading the question it seems you well know the advice I wrote; I think it's useful for others reading the thread later to see my reasons, however, so I'll let it stay.
Will
Did you even read the question? He wants to use HTTP authentication over HTTPS. But the authentication takes place before the redirect from HTTP to HTTPS. So requesting *http://example.com/dev/…* prompts the authentication, then the redirection takes place and requesting *https://example.com/dev/…* prompts another authentication. What he wants is to first redirect and then prompt the authentication.
Gumbo
@Gumbo yeap I picked that up on the second reading, and noted it as a comment
Will
A: 

Does it work to put your authentication section in a <Location> or <LocationMatch> tag using the protocol as the term?

Will
+1  A: 

You need to make sure that the authentication only takes place when the request is over HTTPS. So try this:

SetEnvIf HTTPS on prompt_auth

<IfDefine prompt_auth>
    AuthType Basic
    AuthName "dev"
    AuthUserFile /home/firefli/public_html/dev/.htpasswd
    Require valid-user
</IfDefine>

But I’m not quite sure if HTTPS is available.

Gumbo
This seems like a great solution.
Sionide21
I'll try this later. Looks good though.
Matt
Sadly no, HTTPS is not available. Do you have any other pearl of wisdom?
Matt
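The idea in the answer above (only authenticate once the request is already on HTTPS) can be expressed in a single .htaccess on Apache 2.4 and later. What follows is an added example, not code from the question or from any answer; www.example.com and the AuthUserFile path are placeholders. It relies on two Apache 2.4 behaviours. First, mod_authz_core evaluates the Require block once before the authentication hooks run, and if that block already grants access without a user (here, because the request arrived over plain HTTP) mod_auth_basic is never asked to challenge, so port 80 never sends a 401 and the browser never sends credentials in the clear. Second, a RewriteRule in .htaccess context runs in the fixup phase, after that authorization decision, so the plain-HTTP request is then redirected to https. On the HTTPS side the expr provider denies, `Require valid-user` reports that a user is needed, and the 401 challenge goes out over TLS.

```apache
# Added example for Apache 2.4+; www.example.com and the AuthUserFile path
# are placeholders. Intended for ~/public_html/dev/.htaccess, which needs
# AllowOverride AuthConfig FileInfo (or All) for the directory.

RewriteEngine On

# Plain-HTTP requests for this directory are bounced to HTTPS. In .htaccess
# context this runs in the fixup phase, i.e. after the authorization decision
# below, which is why that decision must not trigger a challenge on port 80.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

AuthType Basic
AuthName "dev"
# Keep the password file outside the document tree.
AuthUserFile /etc/apache2/dev.htpasswd

<RequireAny>
    # Satisfied without a user on plain HTTP, so mod_auth_basic never sends
    # WWW-Authenticate on port 80; the request is then redirected above.
    Require expr "%{HTTPS} != 'on'"
    # On HTTPS only this provider can grant, so the 401 challenge is issued
    # over TLS and credentials are only ever sent encrypted.
    Require valid-user
</RequireAny>
```

Check it with `curl -sI http://www.example.com/dev/`, which should show a 301 with a `Location: https://...` header and no `WWW-Authenticate` header, and `curl -sI https://www.example.com/dev/`, which should return 401 with `WWW-Authenticate: Basic realm="dev"`. Two caveats: on port 80 the directory is protected only by the redirect, so if mod_rewrite is not loaded or RewriteEngine is off, /dev is served unauthenticated over HTTP, which is why the 301 check above is worth keeping; and `%{HTTPS}` reflects TLS terminated by this Apache, so behind a TLS-offloading proxy it is always "off" and the condition would have to test whatever the proxy sets (for example an X-Forwarded-Proto header) instead.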
A: 

I ran into the same problem and finally found an ugly solution, but it works. Put the rewrite rule in a Directory directive in httpd.conf or one of your conf.d files (i.e., in the "Main" server configuration). Then, put the Auth* and Require lines in a Directory directive inside the <VirtualHost _default_:443> container in ssl.conf (or wherever your SSL VirtualHost is defined).

For me, this means creating a file /etc/httpd/conf.d/test.conf with:

<Directory "/var/www/html/test">
        #
        # force HTTPS
        #
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>

...and then adding the following inside /etc/httpd/conf.d/ssl.conf just above the </VirtualHost> tag:

<Directory "/var/www/html/test">
        #
        # require authentication
        #
        AuthType Basic
        AuthName "Please Log In"
        AuthUserFile /var/www/auth/passwords
        Require valid-user
</Directory>

Doing this makes Apache apply the RewriteRule to all requests, and the auth requirements only to requests in the 443 VirtualHost.

Jeff Davis
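The arrangement in the answer above, written out as a complete pair of virtual hosts. This is an added example rather than configuration from the answer; www.example.com, /var/www/example and the certificate and .htpasswd paths are placeholders, and it applies to Apache 2.2 and 2.4. It goes one step further than the answer: the redirect sits directly in the port-80 `<VirtualHost>`, where mod_rewrite runs in the URI-translation phase (before any authentication hook, so the ordering problem from the question cannot arise), and `AllowOverride None` keeps a leftover .htaccess in the shared DocumentRoot from re-introducing Auth* directives on port 80. Because nothing in the port-80 host can set AuthType, that host cannot produce a 401 at all.

```apache
# Added example; all hostnames and paths are placeholders.

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/example

    # No AuthType/Require anywhere in this host, so nothing here can ever
    # send a 401 and provoke the browser into sending credentials in clear.
    RewriteEngine On
    # Server-context rewrite: runs in the URI-translation phase, before
    # authentication. The literal hostname avoids reflecting the Host header.
    RewriteCond %{REQUEST_URI} ^/dev(/|$)
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]

    # Ignore any .htaccess in the shared tree, so an old auth .htaccess
    # cannot re-enable basic auth on port 80.
    <Directory /var/www/example/dev>
        AllowOverride None
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # Authentication exists only in the TLS host, so the challenge and the
    # credentials only ever travel encrypted.
    <Directory /var/www/example/dev>
        AllowOverride None
        AuthType Basic
        AuthName "dev"
        # Password file kept outside the document tree.
        AuthUserFile /etc/apache2/dev.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

With this layout the .htaccess from the question should be removed from ~/public_html/dev (it is ignored on both hosts anyway because of AllowOverride None). Verify with `curl -sI http://www.example.com/dev/` (expect 301, a `Location: https://...` header, no `WWW-Authenticate`) and `curl -sI https://www.example.com/dev/` (expect 401 with `WWW-Authenticate: Basic realm="dev"`).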