|
Home > Archive > Apache Server configuration support > February 2006 > Authentication when HTTPS
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Authentication when HTTPS
|
|
| Gertjan Klein 2006-02-22, 7:50 am |
| Apache/1.3.26 with mod_ssl
Is there a way to tell Apache to use (basic) athentication *only* when
an HTTPS connection is made? I would like to have different behaviour of
my site when a known user logs in over HTTPS, but don't want a login
dialog when a normal HTTP connection is made.
The pages are generated with PHP, and I can check for the environment
variable HTTPS=on from within PHP. However, I would like Apache to take
care of authentication.
I have searched the Apache docs but could not find anything that seemed
appropriate.
Regards,
Gertjan.
--
Gertjan Klein <gklein@xs4all.nl>
| |
| Robert Ionescu 2006-02-22, 7:50 am |
| Gertjan Klein wrote:
> Apache/1.3.26 with mod_ssl
>
> Is there a way to tell Apache to use (basic) athentication *only* when
> an HTTPS connection is made?
This should be spoosible, if you're placing the authentication
directives inside of a <directory /path/to/protect> within your
<virtualhost ...:443> section.
i.e.
<virtualhost IP:443>
<Directory /some/path>
AuthName ...
.....
</Directory >
</virtualhost>
--
Robert
| |
| Gertjan Klein 2006-02-22, 7:50 am |
| Robert Ionescu wrote:
>Gertjan Klein wrote:
>
>This should be spoosible, if you're placing the authentication
>directives inside of a <directory /path/to/protect> within your
><virtualhost ...:443> section.
Excellent, that works. Thanks very much. One additional question: my
VirtualHost ...:443 section is in a global configuration file. I have
altered this file for the site I want to protect, and that works fine.
However, I would prefer it if I could protect this particular directory
from an .htaccess file. Multiple VirtualHost declarations are apparently
not merged (Apache tells me that the first one takes precedence). Is
there a way to have this configuration in an .htaccess file? (If not,
I'll live with it, no problem ;).
Thanks again,
Gertjan.
--
Gertjan Klein <gklein@xs4all.nl>
| |
| Robert Ionescu 2006-02-22, 7:50 am |
| Gertjan Klein wrote:
> Robert Ionescu wrote:
>
[...][vbcol=seagreen]
> However, I would prefer it if I could protect this particular directory
> from an .htaccess file.
The .htaccess file is read by each request, regardless if you're
requesting the site via the http or https protocol. But you can't define
a conditional statement like
"only https" -> require valid-user
This is not possible. Even if the require directive would support a
second argument "env=env-variable" like the allow/deny directive does,
the problem would be to set some ENV. This could be done with
mod_rewrite and a condition which checks for https, but authorization
comes before mod_rewrite acts in per-dir context (.htaccess files).
If you need the protection for some more virtualhosts, try to place it
into a separate file and include it in each <virtualhost ...>.
--
Robert
| |
| Gertjan Klein 2006-02-22, 7:50 am |
| Robert Ionescu wrote:
>Gertjan Klein wrote:
>
>The .htaccess file is read by each request, regardless if you're
>requesting the site via the http or https protocol. But you can't define
>a conditional statement like
>"only https" -> require valid-user
OK, thanks for the explanation. I currently have only one site where I
would like to do such a thing; if in the future I want to do this for
other sites as well I'll follow your suggestion to place these
definitions in an include file.
Thanks again for your help, regards,
Gertjan.
--
Gertjan Klein <gklein@xs4all.nl>
|
|
|
|
|