
I have an apache site protected by HTTP basic authentication. The authentication is working fine. Now I would like to bypass authentication for users that are coming from a particular website by relying on the HTTP Referer header.

Here is the configuration:

    # Escape the dot and anchor the host part so only real example.org referers match
    SetEnvIf Referer "^http://([^/]+\.)?example\.org(/|$)" coming_from_example_org
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        # Access control: permit only when the env var was set above
        Deny from all
        Allow from env=coming_from_example_org
        # Authentication: otherwise require a valid user
        AuthName "login required"
        AuthUserFile /opt/http_basic_usernames_and_passwords
        AuthType Basic
        Require valid-user
        # Satisfy Any: pass if either the Allow or the Require succeeds
        Satisfy Any
    </Directory>

This is working fine for HTTP, but failing for HTTPS. My understanding is that in order to inspect the HTTP headers, the SSL handshake must be completed, but apache wants to inspect the <Directory> directives before doing the SSL handshake, even if I place them at the bottom of the configuration file.

Q: How could I work around this issue?

PS: I'm not obsessed with the HTTP referer header, I could use other options that would allow users from a known website to bypass authentication.

Max
  • Look at this, it may help you fix the issue: http://serverfault.com/questions/86401/apache-allow-local-connections-to-bypass-basic-authentication – neolix Mar 19 '12 at 09:13

2 Answers


You'll probably want to improve your authentication mechanism quite a bit; given that the referer header is controlled by the client, I'd expect that it'll take someone about 18 seconds to work out what you're doing and bypass it.

The mechanism I would use would probably involve setting a cookie for your site that indicates that the user is "pre-authenticated". Then you could test for the presence (and cryptographically valid contents) of that cookie in your apache config, and allow access that way.

womble
  • @womble: cookies are part of the `HTTP` headers, so in order to use your solution `HTTP` headers must be inspected before apache makes a decision on the `HTTP` basic authentication, which it doesn't seem to be doing when using `HTTPS`. Therefore my question stands. – Max Mar 19 '12 at 10:41
  • HTTP Basic auth is also part of the HTTP headers, therefore your theory is bunk. – womble Mar 19 '12 at 11:11
  • It may be, but I know I can make this work with `HTTP` and not `HTTPS`, so I still think it's related to the way `Apache` handles basic authentication vs the `SSL` handshake. – Max Mar 20 '12 at 10:47
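The signed "pre-authenticated" cookie that womble's answer describes, written out as an added example (not code from the answer): the site mints an HMAC-protected value with an expiry after a real login, and later verifies it before waiving Basic auth. The secret key, cookie name and `user:expiry` payload format are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Constructed example key; in practice load a random secret from a file outside the web root.
SECRET_KEY = b"replace-with-a-random-32-byte-secret"
COOKIE_NAME = "preauth"  # assumed cookie name


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def issue_preauth_cookie(user_id: str, ttl_seconds: int = 3600, now=None) -> str:
    """Return a cookie value 'base64(user:expiry).hmac' that the site can later verify."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}:{now + ttl_seconds}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_preauth_cookie(value: str, now=None):
    """Return the user id if the cookie is intact and unexpired, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        encoded, mac = value.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(_sign(payload), mac):
        return None
    user_id, _, expiry = payload.decode(errors="replace").rpartition(":")
    if not expiry.isdigit() or int(expiry) < now:
        return None
    return user_id or None


def cookie_header(value: str) -> str:
    """Set-Cookie header for an HTTPS-only site: never sent over plain HTTP, not readable by scripts."""
    return f"{COOKIE_NAME}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

The verify step is what an auth handler (mod_python or similar) would call in place of a Referer check, because the client can set a Referer but cannot forge a valid MAC without the server's key.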

I suggest you use an authorization script,

i.e. mod_python: http://modpython.org/live/current/doc-html/dir-handlers-auh.html

You can probably use something like this:

    from mod_python import apache
    from urlparse import urlparse  # mod_python runs on Python 2

    def authenhandler(req):
        # Referer carries a full URL, so compare its host part rather than the raw header
        referer_host = urlparse(req.headers_in.get("referer", "")).hostname
        if referer_host == 'yourhostname':
            return apache.OK
        # get_basic_auth_pw() must be called before req.user is populated
        pw = req.get_basic_auth_pw()
        user = req.user
        if user == "spam" and pw == "eggs":
            return apache.OK
        else:
            return apache.HTTP_UNAUTHORIZED

mod_perl can handle scriptable authentication as well, and probably other languages too.

moul