logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: .htaccess reidrect + https
Author
lwsimon



Joined: 05 Jul 2007
Posts: 4

PostPosted: Fri 06 Jul '07 18:01    Post subject: .htaccess reidrect + https Reply with quote

OK, I've been bashing my head against this for some time now, and I need some help. I have a folder that I'm trying to keep secure (several folders, actually, all named either "secure" or "secure_(.*)), and I've got that set up fine. I'm trying to be able to link into that folder using relative links (e.g. /foo/bar.htm instead of www.hostname.com/foo/bar.htm). I have a .htaccess file at the root of the domain with the following settings:

Code:
RewriteEngine on
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !=^.*secure.*$
RewriteRule ^(.*)$ http://%{SERVER_NAME}%{REQUEST_URI}


Then, in the secure folder, I have the following:
Code:
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
AuthType Basic
AuthName " "
AuthUserFile /var/www/Security/passwords
Require user HR


This works like a charm, forcing http: outside the secure folder, and forcing https: inside, but it makes me log in twice (presumably due to the http->https redirect). Is there a way to force https: inside that folder, without requiring the user to login twice?[/code]
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 611
Location: Milford, MA, USA

PostPosted: Fri 06 Jul '07 22:31    Post subject: Reply with quote

You could try moving all your Auth* and Require directives to a a <Directory> or <LocationMatch> container inside your SSL <VirtualHost> in httpd.conf.

You should leave all the Rewrite* directives where they are.


EDIT: Maybe you are restricted to doing it in .htaccess files.
If so, maybe this will work in the secure folder's .htaccess (I'm not sure, I haven't tried it)
Code:
Deny from env=HTTPS
Satisfy Any



-tom-
Back to top
lwsimon



Joined: 05 Jul 2007
Posts: 4

PostPosted: Fri 06 Jul '07 23:03    Post subject: Reply with quote

I can't move the Auth* directives, unfortunately, because each folder requires a different user. I also do not have direct access to the httpd.conf file, although I can run down to IT and have them modify it when I need to. Doign that every time I need to add a folder is not an option.

I plan to move everything in the root .htaccess to the httpd.conf file once I have things set up how I need them, for performance's sake.

I've done some more digging, and this is what I've come up with:

in the root .htaccess
Code:
RewriteEngine on
RewriteCond %{SERVER_PORT} =443
RewriteCond %{REQUEST_URI} !secure/
RewriteRule ^(.*)$ http://%{SERVER_NAME}/$1 [R=301,L]
RewriteRule ^(.*):https$   https://%{SERVER_NAME}/$1 [R=301,L]

and in the secure folder
Code:

AuthType Basic
AuthName " "
AuthUserFile /var/www/Security/passwords
Require user HR

This works perfectly, assuming I use absolute URLs to link to the secure content - e.g. https://servername/path. If I try to redirect based on a relative link (/securefolder/filename:flag), I get the double-login problem again.

So far, this is the best solution I've found, unfortunately.

Edit: The two lines posted above fixed it! I've no idea how at this point, but it works!

I will be spending much more time here from home, I've been told they don't pay me to post on a message board from work Smile
Back to top
lwsimon



Joined: 05 Jul 2007
Posts: 4

PostPosted: Fri 06 Jul '07 23:09    Post subject: Reply with quote

I jumped the gun. Now it doesn't require a user/pass combo, jsut lets you right in, as https://...
Back to top
lwsimon



Joined: 05 Jul 2007
Posts: 4

PostPosted: Wed 18 Jul '07 21:22    Post subject: Reply with quote

Code:
RewriteEngine on
RewriteCond %{SERVER_PORT} =443
RewriteCond %{REQUEST_URI} !secure/
RewriteCond %{REQUEST_URI} \.htm
RewriteRule ^(.*)$ http://%{SERVER_NAME}/$1 [R=301,L]
RewriteRule ^(.*):https$   https://%{SERVER_NAME}/$1 [R=301,L]


Code:
AuthType Basic
AuthName "Authorization Required"
AuthUserFile /var/www/Security/passwords
Require user HR
SSLRequireSSL
Satisfy Any


This works as needed. Thanks for all the help!
Back to top


Reply to topic   Topic: .htaccess reidrect + https View previous topic :: View next topic
Post new topic   Forum Index -> Apache