On Thu, Nov 26, 1998, T. Freeland wrote:
> Our admittedly not very good way around this (and hopefully someone will
> show a much nicer way after I post this) is:
>
> We add the following Rewrite rules to a .htaccess file ...
>
> RewriteEngine On
> RewriteCond %{SERVER_PORT} 80
> RewriteRule ^/var/htdocs/(.*) https://www.deakin.edu.au/$1

In .htaccess? Sorry that I say this, but this cannot be because then the regex
would never match, I think. In per-dir context of a .htaccess file there are
no absolute paths like /var/htdocs/ for the RewriteRule. Perhaps you've picked
the wrong ruleset of your config file... But in per-server context you can use
this and there it should work fine (and faster). But I would write it as:

RewriteEngine on
RewriteCond %{SERVER_PORT} =80
RewriteRule ^/subareas1/(.*) https://%{SERVER_NAME}/subarea1/$1 [R,L]
RewriteCond %{SERVER_PORT} =80
RewriteRule ^/subareas2/(.*) https://%{SERVER_NAME}/subarea2/$1 [R,L]

or even less redundant and flexible with a rewriting map (containing all URLs
which should be redirected to the HTTPS port):

# https.map:
# complete URLs which should be redirected to HTTPS
/subarea1/
/subarea2/mystuff.cgi
/subarea3/securepage.html

# httpd.conf:
# redirect all URLs in https.map to HTTPS port
# when running on HTTP port.
RewriteEngine on
RewriteMap https-map txt:/path/to/https.map
RewriteCond %{SERVER_PORT} =80
RewriteCond ${https-map:$1|do-not-map} !=do-not-map
RewriteRule ^(/.*)$ https://%{SERVER_NAME}/${https-map:$1} [R,L]

> However.. when this is combined with authentication we run up against the
> problem of people having to authenticate twice.. once in clear text and then
> once in encrypted form... which is just not good enough for our requirements.
> I know we can get around this using mod_perl but that is not acceptable for
> our situation unfortunately where people who add .htaccess files do not have
> access to editing the server's configuration.

The double auth is because you redirect from the per-dir context which is
processed _after_ the auth stuff in Apache. When you use my approach from
above (which runs in the per-server context) you don't have this problem.

> Can you do something like.. #ifdef SSL to make the Auth sections of your
> .htaccess only apply when the secure server reads the file?
> ie..
>
> RewriteEngine On
> RewriteCond %{SERVER_PORT} 80
> RewriteRule ^/var/htdocs/(.*) https://www.deakin.edu.au/$1
> #ifdef SSL
> AuthType Basic
> AuthName "ITS ONLY"
> AuthDBMUserFile /var/htinfo/auth_dbm/All_Users.db
> AuthDBMGroupFile /var/htinfo/auth_dbm/Staff_Groups.db
> require group IT
> require valid-user
> #endif
>
> Thoughts?
>
> If this functionality is not available perhaps it should be considered for
> implementation?

Great idea. Hmmm... currently such a functionality is not provided by Apache
or Apache+mod_ssl. Nevertheless a very interesting idea. Although I would say
it should be something like

<SSLRequire expression>
...
</SSLRequire>

and where expression is an arbitrary boolean expression as already implemented
by the existing SSLRequire. This way you can conditionally enable Apache
commands in the most flexible way. Your example above would then be:

<SSLRequire %{HTTPS} eq 'on'>
...
</SSLRequire>

Sure, the name "<SSLRequire>" should be "<Require>" but it's better to follow
the clean SSLxxx terminology of directives (they all have the SSL prefix).
Hmm... very interesting idea and useful stuff. I think it should go in the
README.Wishes document of mod_ssl. What's the opinion of others?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
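
Added example, not part of the original message: a small check for the double-authentication problem discussed in this thread. It classifies what a port-80 request for a protected URL gets back: a Basic auth challenge in clear text (the per-dir case described above) or a redirect to HTTPS (the per-server case). The host name www.example.edu, the request path and the raw responses are constructed samples.

```python
# Added example: classify the plain-HTTP response for a protected URL.
# The raw responses below are constructed samples, not captured traffic.
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def parse_response(raw):
    """Return (status, headers) from a raw HTTP response head; names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def classify(raw, path):
    """Say what a client on port 80 is asked to do for the protected path."""
    status, headers = parse_response(raw)
    challenge = headers.get("www-authenticate", "").lower()
    if status == 401 and challenge.startswith("basic"):
        return "cleartext-auth"        # password would cross the wire unencrypted
    if status in REDIRECTS:
        loc = urlsplit(headers.get("location", ""))
        if loc.scheme == "https" and loc.path == path:
            return "redirect-to-https"  # auth is only ever requested over SSL
        return "redirect-elsewhere"
    if 200 <= status < 300:
        return "served-in-clear"       # no redirect and no auth at all
    return "other"

# Constructed samples: per-dir redirect (auth runs first) vs. per-server redirect.
PER_DIR = ('HTTP/1.1 401 Authorization Required\r\n'
           'WWW-Authenticate: Basic realm="ITS ONLY"\r\n\r\n')
PER_SERVER = ("HTTP/1.1 302 Found\r\n"
              "Location: https://www.example.edu/subarea1/index.html\r\n\r\n")
WRONG_TARGET = ("HTTP/1.1 302 Found\r\n"
                "Location: http://www.example.edu/subarea1/index.html\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("per-dir", PER_DIR), ("per-server", PER_SERVER),
                      ("wrong target", WRONG_TARGET)):
        print(name, "->", classify(raw, "/subarea1/index.html"))
```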