Welcome to HostingForumz.com!
FAQFAQ      ProfileProfile    Private MessagesPrivate Messages   Log inLog in

Authentication when HTTPS

  
   Web Hosting Problem Solving Community! (Home) -> Apache RSS
Next:  Setting up a Members Webcam Service?  
Author Message
Gertjan Klein

External


Since: Feb 22, 2006
Posts: 3



(Msg. 1) Posted: Wed Feb 22, 2006 6:55 am
Post subject: Authentication when HTTPS
Archived from groups: alt>apache>configuration (more info?)
Apache/1.3.26 with mod_ssl

Is there a way to tell Apache to use (basic) athentication *only* when
an HTTPS connection is made? I would like to have different behaviour of
my site when a known user logs in over HTTPS, but don't want a login
dialog when a normal HTTP connection is made.

The pages are generated with PHP, and I can check for the environment
variable HTTPS=on from within PHP. However, I would like Apache to take
care of authentication.

I have searched the Apache docs but could not find anything that seemed
appropriate.

Regards,
Gertjan.
--
Gertjan Klein <gklein DeleteThis @xs4all.nl>

 >> Stay informed about: Authentication when HTTPS 
Back to top
Login to vote
Robert Ionescu

External


Since: Jan 19, 2006
Posts: 142



(Msg. 2) Posted: Wed Feb 22, 2006 7:55 am
Post subject: Re: Authentication when HTTPS [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Gertjan Klein wrote:
> Apache/1.3.26 with mod_ssl
>
> Is there a way to tell Apache to use (basic) athentication *only* when
> an HTTPS connection is made?

This should be spoosible, if you're placing the authentication
directives inside of a <directory /path/to/protect> within your
<virtualhost ...:443> section.

i.e.

<virtualhost IP:443>

<Directory /some/path>
AuthName ...
.....
</Directory >
</virtualhost>

--
Robert

 >> Stay informed about: Authentication when HTTPS 
Back to top
Login to vote
Gertjan Klein

External


Since: Feb 22, 2006
Posts: 3



(Msg. 3) Posted: Wed Feb 22, 2006 7:55 am
Post subject: Re: Authentication when HTTPS [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Robert Ionescu wrote:

>Gertjan Klein wrote:
>>
>> Is there a way to tell Apache to use (basic) athentication *only* when
>> an HTTPS connection is made?
>
>This should be spoosible, if you're placing the authentication
>directives inside of a <directory /path/to/protect> within your
><virtualhost ...:443> section.

Excellent, that works. Thanks very much. One additional question: my
VirtualHost ...:443 section is in a global configuration file. I have
altered this file for the site I want to protect, and that works fine.
However, I would prefer it if I could protect this particular directory
from an .htaccess file. Multiple VirtualHost declarations are apparently
not merged (Apache tells me that the first one takes precedence). Is
there a way to have this configuration in an .htaccess file? (If not,
I'll live with it, no problem Wink.

Thanks again,
Gertjan.
--
Gertjan Klein <gklein.DeleteThis@xs4all.nl>
 >> Stay informed about: Authentication when HTTPS 
Back to top
Login to vote
Robert Ionescu

External


Since: Jan 19, 2006
Posts: 142



(Msg. 4) Posted: Wed Feb 22, 2006 8:55 am
Post subject: Re: Authentication when HTTPS [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Gertjan Klein wrote:
> Robert Ionescu wrote:
>
>> Gertjan Klein wrote:
>>> Is there a way to tell Apache to use (basic) athentication *only* when
>>> an HTTPS connection is made?
>> This should be spoosible, if you're placing the authentication
>> directives inside of a <directory /path/to/protect> within your
>> <virtualhost ...:443> section.
[...]
> However, I would prefer it if I could protect this particular directory
> from an .htaccess file.

The .htaccess file is read by each request, regardless if you're
requesting the site via the http or https protocol. But you can't define
a conditional statement like
"only https" -> require valid-user

This is not possible. Even if the require directive would support a
second argument "env=env-variable" like the allow/deny directive does,
the problem would be to set some ENV. This could be done with
mod_rewrite and a condition which checks for https, but authorization
comes before mod_rewrite acts in per-dir context (.htaccess files).

If you need the protection for some more virtualhosts, try to place it
into a separate file and include it in each <virtualhost ...>.

--
Robert
 >> Stay informed about: Authentication when HTTPS 
Back to top
Login to vote
Gertjan Klein

External


Since: Feb 22, 2006
Posts: 3



(Msg. 5) Posted: Wed Feb 22, 2006 9:55 am
Post subject: Re: Authentication when HTTPS [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Robert Ionescu wrote:

>Gertjan Klein wrote:
>> However, I would prefer it if I could protect this particular directory
>> from an .htaccess file.
>
>The .htaccess file is read by each request, regardless if you're
>requesting the site via the http or https protocol. But you can't define
>a conditional statement like
>"only https" -> require valid-user

OK, thanks for the explanation. I currently have only one site where I
would like to do such a thing; if in the future I want to do this for
other sites as well I'll follow your suggestion to place these
definitions in an include file.

Thanks again for your help, regards,
Gertjan.
--
Gertjan Klein <gklein DeleteThis @xs4all.nl>
 >> Stay informed about: Authentication when HTTPS 
Back to top
Login to vote
Display posts from previous:   
   Web Hosting Problem Solving Community! (Home) -> Apache All times are: Pacific Time (US & Canada) (change)
Page 1 of 1

 
 You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



[ Contact us | Terms of Service/Privacy Policy ]