Topic: .htaccess redirect + https |
|
Author |
|
lwsimon
Joined: 05 Jul 2007 Posts: 4
|
Posted: Fri 06 Jul '07 18:01 Post subject: .htaccess redirect + https |
|
|
OK, I've been bashing my head against this for some time now, and I need some help. I have a folder that I'm trying to keep secure (several folders, actually, all named either "secure" or "secure_(.*)"), and I've got that set up fine. I'm trying to be able to link into that folder using relative links (e.g. /foo/bar.htm instead of www.hostname.com/foo/bar.htm). I have a .htaccess file at the root of the domain with the following settings:
Code: | RewriteEngine on
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !=^.*secure.*$
RewriteRule ^(.*)$ http://%{SERVER_NAME}%{REQUEST_URI}
|
Then, in the secure folder, I have the following:
Code: | RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
AuthType Basic
AuthName " "
AuthUserFile /var/www/Security/passwords
Require user HR
|
This works like a charm, forcing http: outside the secure folder, and forcing https: inside, but it makes me log in twice (presumably due to the http->https redirect). Is there a way to force https: inside that folder, without requiring the user to log in twice? |
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
|
Posted: Fri 06 Jul '07 22:31 Post subject: |
|
|
You could try moving all your Auth* and Require directives to a <Directory> or <LocationMatch> container inside your SSL <VirtualHost> in httpd.conf.
You should leave all the Rewrite* directives where they are.
EDIT: Maybe you are restricted to doing it in .htaccess files.
If so, maybe this will work in the secure folder's .htaccess (I'm not sure, I haven't tried it):
Code: | Deny from env=HTTPS
Satisfy Any |
-tom- |
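The first suggestion in the reply above (Auth* and Require in a <Directory> container inside the SSL <VirtualHost>), written out as an added example that is not part of the original thread or any poster's own configuration. With authentication attached only to the port-443 host, the HTTP request is redirected without a prompt, so the user logs in once and the Basic credentials are never sent over plain HTTP. The host name, document root, folder names, the second user and the certificate paths are assumed placeholders; AuthUserFile and the HR user come from the thread.

```apache
# Added illustration. www.example.com, /var/www/html, secure_hr,
# secure_payroll, the Payroll user and the certificate paths are assumptions.

# Plain-HTTP host: no Auth* directives apply here, so a request for a secure
# folder is never challenged over HTTP. The Rewrite* rules stay in the
# .htaccess files, as the reply recommends, and redirect it to https://.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/html"
</VirtualHost>

# SSL host: the only place where credentials are requested.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/var/www/html"

    SSLEngine on
    # Placeholder certificate paths.
    SSLCertificateFile    "/path/to/server.crt"
    SSLCertificateKeyFile "/path/to/server.key"

    # One container per protected folder, each with its own user.
    <Directory "/var/www/html/secure_hr">
        AuthType Basic
        AuthName "Authorization Required"
        AuthUserFile /var/www/Security/passwords
        Require user HR
    </Directory>

    <Directory "/var/www/html/secure_payroll">
        AuthType Basic
        AuthName "Authorization Required"
        AuthUserFile /var/www/Security/passwords
        # Hypothetical second user.
        Require user Payroll
    </Directory>
</VirtualHost>
```

The .htaccess file in each secure folder then keeps only its Rewrite* lines; the Auth* and Require lines are removed from it so that nothing asks for a password on the HTTP side.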
lwsimon
Joined: 05 Jul 2007 Posts: 4
|
Posted: Fri 06 Jul '07 23:03 Post subject: |
|
|
I can't move the Auth* directives, unfortunately, because each folder requires a different user. I also do not have direct access to the httpd.conf file, although I can run down to IT and have them modify it when I need to. Doing that every time I need to add a folder is not an option.
I plan to move everything in the root .htaccess to the httpd.conf file once I have things set up how I need them, for performance's sake.
I've done some more digging, and this is what I've come up with:
in the root .htaccess
Code: | RewriteEngine on
RewriteCond %{SERVER_PORT} =443
RewriteCond %{REQUEST_URI} !secure/
RewriteRule ^(.*)$ http://%{SERVER_NAME}/$1 [R=301,L]
RewriteRule ^(.*):https$ https://%{SERVER_NAME}/$1 [R=301,L] |
and in the secure folder
Code: |
AuthType Basic
AuthName " "
AuthUserFile /var/www/Security/passwords
Require user HR |
This works perfectly, assuming I use absolute URLs to link to the secure content - e.g. https://servername/path. If I try to redirect based on a relative link (/securefolder/filename:flag), I get the double-login problem again.
So far, this is the best solution I've found, unfortunately.
Edit: The two lines posted above fixed it! I've no idea how at this point, but it works!
I will be spending much more time here from home, I've been told they don't pay me to post on a message board from work |
lwsimon
Joined: 05 Jul 2007 Posts: 4
|
Posted: Fri 06 Jul '07 23:09 Post subject: |
|
|
I jumped the gun. Now it doesn't require a user/pass combo, just lets you right in, as https://... |
lwsimon
Joined: 05 Jul 2007 Posts: 4
|
Posted: Wed 18 Jul '07 21:22 Post subject: |
|
|
Code: | RewriteEngine on
RewriteCond %{SERVER_PORT} =443
RewriteCond %{REQUEST_URI} !secure/
RewriteCond %{REQUEST_URI} \.htm
RewriteRule ^(.*)$ http://%{SERVER_NAME}/$1 [R=301,L]
RewriteRule ^(.*):https$ https://%{SERVER_NAME}/$1 [R=301,L] |
Code: | AuthType Basic
AuthName "Authorization Required"
AuthUserFile /var/www/Security/passwords
Require user HR
SSLRequireSSL
Satisfy Any
|
This works as needed. Thanks for all the help! |