
Using Apache 2.2, I would like to use mod_rewrite to redirect un-authenticated users to https if they are on http. Is there a directive or condition one can test for whether a user is (not) authenticated?

For example, I could have set up the restricted /foo location on my server:

<Location "/foo/">
    Order deny,allow
    # Deny everyone, until authenticated...
    Deny from all

    # Authentication mechanism
    AuthType Basic
    AuthName "Members only"
    # AuthBasicProvider ...
    # ... Other authentication stuff here.

    # Users must be valid.
    Require valid-user
    # "any": access is granted if EITHER the host rules above OR the user
    # authentication succeeds; since every host is denied, a valid user is
    # effectively required.
    Satisfy any

    # If not SSL, respond with HTTP-redirect.
    # mod_rewrite variables are written %{VAR}, not ${VAR} (${...} is the
    # RewriteMap lookup syntax), and the pattern has a single capture group,
    # so the back-reference is $1, not $2.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/foo/?(.*)$ https://%{SERVER_NAME}/foo/$1 [R=301,L]
    # Note: in <Location> context these rules run in the fixup phase, i.e.
    # after the access check (SSLRequireSSL) and the Basic-auth check above
    # have already been evaluated for the request.

    # SSL enforcement.
    # FakeBasicAuth only takes effect when client certificates are verified
    # (SSLVerifyClient); it then substitutes the certificate DN as the user.
    SSLOptions FakeBasicAuth StrictRequire
    SSLRequireSSL
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Location>

The problem here is that every file, in every subfolder, will be encrypted. This is quite unnecessary, but I see no reason to disallow it. What I would like is the RewriteRule to only be triggered during authentication. If a user is already authorised to view a folder, then I don't want the RewriteRule to be triggered. Is this possible?

EDIT:

I am not using any front-end HTML here. This is only using Apache's built-in directory browsing interface and its in-built authentication mechanisms. My <Directory> config is:

<Directory ~ "/foo/">
     Order allow,deny
     Allow from all
     AllowOverride None
     Options +Indexes +FollowSymLinks +Includes +MultiViews
     IndexOptions +FancyIndexing
     IndexOptions +XHTML
     IndexOptions NameWidth=*
     IndexOptions +TrackModified
     IndexOptions +SuppressHTMLPreamble
     IndexOptions +FoldersFirst
     IndexOptions +IgnoreCase
     IndexOptions Type=text/html
</Directory>
Alex Leach

1 Answer


You seem to be confused about how Basic Authentication works. Basic Authentication requires a password lookup for every request, e.g. loading an HTML page with 100 images requires handling of at least 100 authentication requests. Specifically, if SSL/TLS is not used, then the credentials are passed as plaintext and could be intercepted. Enabling https only for a login page makes sense when you use cookie-based authentication (e.g. http://finesec.com/sitedefensor.html).

FINESEC
  • That would explain the number of authentication requests I have in my logs... I've set `LogLevel = debug` and am using a departmental LDAP backend. I have no web UI though; this is merely for directory browsing, akin to FTP. I'll add my `<Directory>` config, but there's no custom HTML or login page involved – Alex Leach Dec 07 '12 at 02:37
  • Aren't Basic auths all in the Headers? And the re-directs too, right? In this instance, I'd like to keep it that way, without having to write any extraneous HTML or CGI scripts... – Alex Leach Dec 07 '12 at 02:50
  • Yes, authorization header is used to pass base64 encoded username and password e.g. Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== (username: alladin, password: open sesame). Directory indexing requires a password lookup for each file in a directory e.g. browsing a directory that has 1000 files requires handling of at least 1000 authentication requests (1000 ldap queries). – FINESEC Dec 07 '12 at 12:56
  • I'd hope the last 999 auth requests would use the LDAP cache, which seems generous enough under [default settings](http://httpd.apache.org/docs/2.2/mod/mod_ldap.html#ldapcacheentries). Still, would be nice if it only needed to authorise a user once per session. Only just seen [mod_session](http://httpd.apache.org/docs/trunk/mod/mod_session.html)... Do you think that could help me out here? – Alex Leach Dec 07 '12 at 13:50
  • Possibly, that's for Apache 2.4 tho. – FINESEC Dec 07 '12 at 14:15
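The following is an added example configuration, not the asker's config and not anything posted in the answer, showing the layout the answer implies for Apache 2.2: the plain-HTTP virtual host carries no authentication directives and only redirects, and the protected location with its Basic auth exists solely in the TLS virtual host, so a browser is never challenged for (and never sends) credentials over an unencrypted connection. The hostname www.example.com, the certificate paths and the `AuthBasicProvider ldap` line are placeholders; substitute whatever provider is actually in use.

```apache
# Added example, not from the question or the answer. Hostname, certificate
# paths and the AuthBasicProvider line are placeholders.

# Plain-HTTP side: no AuthType / Require here at all. Because nothing on
# port 80 can answer with a 401 challenge, a browser is never prompted to
# send an "Authorization: Basic ..." header across an unencrypted connection.
<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine On
    # Rules in virtual-host (server) context run during URL translation,
    # before any access or authentication hook, so the redirect always wins.
    RewriteRule ^/(.*)$ https://www.example.com/$1 [R=301,L]
</VirtualHost>

# TLS side: the only place the protected location and its Basic auth exist.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem     # placeholder
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key   # placeholder

    <Location "/foo/">
        # Refuse (403) rather than challenge if a request ever reaches this
        # block without TLS, e.g. if the Location is later copied into another
        # vhost; mod_ssl evaluates these in the access phase, before the
        # authentication challenge.
        SSLRequireSSL
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

        # Every request under /foo/ (each file, each directory listing)
        # carries the credentials again, so the whole subtree stays on TLS.
        AuthType Basic
        AuthName "Members only"
        AuthBasicProvider ldap      # placeholder: whatever provider is configured
        # AuthLDAPURL ...           # provider-specific settings go here
        Require valid-user
    </Location>
</VirtualHost>
```

The `RewriteRule` on port 80 can be replaced by mod_alias's `Redirect permanent / https://www.example.com/` if mod_rewrite is not otherwise needed. `SSLRequireSSL` is redundant inside the 443 vhost but costs nothing and guards against the block being reused elsewhere. The per-request lookup cost described in the answer is unchanged by this layout; as the asker notes, mod_ldap's cache is what absorbs repeated lookups on 2.2.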