4
votes

I've read some posts on how to redirect to SSL, also some on how to make sure a site is using the www subdomain / canonical name, and some on how to set up Basic Auth. Here is what I have in my .htaccess file right now:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


RewriteEngine on
RewriteCond %{HTTP_HOST} !(^www\.site\.com*)$
RewriteRule (.*) https://www.site.com$1 [R=301,L]


AuthName "Locked"
AuthUserFile "/home/.htpasswd"
AuthType Basic
require valid-user

It works fairly well, but I'd like to optimize it. My questions include:

  1. How do I avoid double authentication? When I access the site without SSL I have to authenticate, and then I am redirected to SSL and have to authenticate again. Can I just be redirected and then authenticated?
  2. It looks like the first rule is pretty awesome because I could use it on any site without modifying it. Can rule #2 be rewritten to be site-independent, i.e. it will force www to be used on any site no matter what the domain name is (with a better written rule)? answered here
  3. How would I do the reverse of number 3 with a rule that would work on any site to force the site not to use www, i.e. redirect to site.com from www.site.com? answered here
5
I have something similar to this and I don't appear to be getting SSL: i.imgur.com/SBaNTJj.png i.imgur.com/jF5A5ni.png i.imgur.com/yXINW75.png (sajattack)

5 Answers

5
votes

For #1

How to avoid double authentication? Can I just be redirected and then authenticated?

Boom! This works.

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.askapache.com"
ErrorDocument 403 https://www.askapache.com/admin/

See:

Just put that above block at the top of your .htaccess, here is mine:

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.askapache.com"
ErrorDocument 403 https://www.askapache.com/admin/

AuthType Digest
AuthName "Protected By AskApache"
AuthDigestDomain / https://www.askapache.com/admin/
AuthUserFile /home/askapache/.htpasswd-digest
Require valid-user
Satisfy All
3
votes

If you're using Apache 2.4 you can also avoid the double authentication using configuration sections.

# Redirect to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

# Authenticate users only when using HTTPS
<If "%{HTTPS} == 'on'">
    AuthType Basic
    AuthName "Special things"
    AuthUserFile /etc/blah.htpasswd
    Require valid-user
</If>

I've given a more refined version of this in my answer here.

2
votes

For #1:

Set the Auth instructions only on the VirtualHost which is listening on *:443. You should have 2 VirtualHosts, one listening on port 80 and one on port 443. Using AuthType Basic on non-SSL communication is a big issue: username and password are just base64 encoded, so they're in the clear on every request (even images or CSS) that is served by your http server!

1
votes

This is my solution in order to prevent double authentications of previous re-writes like:

RewriteCond %{HTTPS} ^off$ [NC]
RewriteCond %{REQUEST_URI} /administrator/*
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R,L]


<If "%{HTTPS} == 'on'">
  AuthType       Basic
  AuthName      "Authorization Required"
  AuthUserFile   /var/www/vHost/etc/HTTP-Basic-Auth/htaccess-Users
  AuthGroupFile  /var/www/vHost/etc/HTTP-Basic-Auth/htaccess-Groups
  #require       valid-user
  require        group Webmins
</If>

<Else>
  ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
</Else>

Even though I don't think the condition is really required, it's more there as an additional security fallback if the Rewrite won't work for some reason.

0
votes

Thanks for the replies above; they helped to create the combined https and www solution. My only concern is whether there are certain conditions whereby the auth is not triggered, allowing someone access without the credentials. I'm not sure there are, but maybe you bright people may say otherwise.

This code redirects non-www to www and http to https, with .htaccess folder auth.

This is the contents of the htaccess file in the directory you want to protect:

RewriteEngine on
# ensure www.
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/foldername/$1 [L,R=301]
# ensure https
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/foldername/$1 [L,R=301]

# Apache 2.4 If
<If "%{HTTPS} == 'on' && %{HTTP_HOST} =~ /www/">
AuthType Basic
AuthName "Protected folder"
AuthUserFile "/home/etc/.htpasswds/public_html/foldername/passwd"
require valid-user
</If>
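The last answer asks whether any condition lets a request through without the credentials being checked, and the question opens by asking why the login prompt appears twice. The Python model below is an added illustration for this page (it is not Apache source and not code from any post above). It assumes one documented Apache behaviour, that per-directory (.htaccess) mod_rewrite runs in the fixups phase, after the authentication phase, and walks a constructed browser through the question's .htaccess, the Apache 2.4 `<If "%{HTTPS} == 'on'">` layout, and the last answer's layout when a TLS-terminating proxy sits in front of Apache. The names `browse`, `scenarios`, `is_secure` and the host `www.example.com` are constructed for the example.

```python
"""Constructed model (added example; not Apache source or any answer's code) of
how Apache serves a directory whose .htaccess mixes a mod_rewrite redirect with
Basic authentication. It encodes one Apache fact: in per-directory context
mod_rewrite runs in the "fixups" phase, AFTER authentication. That is why the
question's config prompts twice: the plain-HTTP request is challenged first,
then redirected, and the https:// origin is challenged again because browsers
cache Basic credentials per origin."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Request:
    https: bool                                  # %{HTTPS} == 'on' as Apache sees it
    host: str                                    # %{HTTP_HOST}
    headers: Dict[str, str] = field(default_factory=dict)  # e.g. X-Forwarded-Proto
    has_credentials: bool = False


@dataclass
class Config:
    # Guard around the Require block (the <If> expression). None = no guard,
    # i.e. auth applies to every request, as in the question's .htaccess.
    auth_guard: Optional[Callable[[Request], bool]]
    # The RewriteCond set under which the RewriteRule redirect fires.
    redirect_when: Callable[[Request], bool]


def auth_applies(req: Request, cfg: Config) -> bool:
    return cfg.auth_guard is None or cfg.auth_guard(req)


def handle(req: Request, cfg: Config) -> int:
    """Status Apache would send, following its request phase order."""
    # Phase 1: authentication. No credentials -> 401 challenge (login prompt).
    if auth_applies(req, cfg) and not req.has_credentials:
        return 401
    # Phase 2: fixups, where the per-directory RewriteRule runs.
    if cfg.redirect_when(req):
        return 301
    return 200


def browse(cfg: Config, first: Request, proxy_terminates_tls: bool = False) -> Tuple[int, bool]:
    """Drive a browser from `first` to a 200; return (login prompts, authenticated).

    proxy_terminates_tls=True models a TLS-terminating proxy in front of Apache:
    after the redirect Apache still sees HTTPS off but receives
    X-Forwarded-Proto: https (the header the last answer's RewriteCond tests).
    """
    req, prompts = first, 0
    for _ in range(10):  # bound the walk so a redirect loop cannot hang us
        status = handle(req, cfg)
        if status == 401:
            prompts += 1
            req = Request(req.https, req.host, dict(req.headers), has_credentials=True)
        elif status == 301:
            # New origin (https://): the browser does not resend cached Basic creds.
            if proxy_terminates_tls:
                req = Request(False, req.host, {"X-Forwarded-Proto": "https"})
            else:
                req = Request(True, req.host)
        else:
            return prompts, req.has_credentials and auth_applies(req, cfg)
    raise RuntimeError("redirect loop")


def is_secure(req: Request) -> bool:
    """'Secure' the way the last answer's redirect RewriteConds decide it."""
    return req.https or req.headers.get("X-Forwarded-Proto") == "https"


# 1. The question's .htaccess: auth on every request, redirect when HTTPS is off.
QUESTION = Config(auth_guard=None, redirect_when=lambda r: not r.https)
# 2. The Apache 2.4 answer: auth only inside <If "%{HTTPS} == 'on'">.
IF_HTTPS = Config(auth_guard=lambda r: r.https, redirect_when=lambda r: not r.https)
# 3. The last answer: the redirect honours X-Forwarded-Proto, but the <If>
#    guard only tests %{HTTPS} (plus the host matching /www/).
LAST_ANSWER = Config(auth_guard=lambda r: r.https and "www" in r.host,
                     redirect_when=lambda r: not is_secure(r))
# 4. Consistent variant: guard and redirect share one definition of "secure".
#    Sound only if the proxy overwrites any client-supplied X-Forwarded-Proto.
CONSISTENT = Config(auth_guard=lambda r: is_secure(r) and "www" in r.host,
                    redirect_when=lambda r: not is_secure(r))

PLAIN_HTTP = Request(https=False, host="www.example.com")  # constructed first request


def scenarios() -> Dict[str, Tuple[int, bool]]:
    return {
        "question": browse(QUESTION, PLAIN_HTTP),                           # (2, True)
        "if_https": browse(IF_HTTPS, PLAIN_HTTP),                           # (1, True)
        "last_answer_behind_proxy": browse(LAST_ANSWER, PLAIN_HTTP, True),  # (0, False)
        "consistent_behind_proxy": browse(CONSISTENT, PLAIN_HTTP, True),    # (1, True)
    }


if __name__ == "__main__":
    for name, (prompts, authed) in scenarios().items():
        print(f"{name:26} prompts={prompts} served_authenticated={authed}")
```

Running it prints one line per scenario. The question's layout prompts twice because the 401 is issued before the redirect ever fires; the `<If "%{HTTPS} == 'on'">` guard prompts once. The third scenario is the gap the asker worried about: behind a proxy that sets X-Forwarded-Proto: https, the redirect does not fire (its RewriteCond is satisfied) while the `<If>` guard still sees HTTPS off, so the folder is served with no Require check at all. The redirect and the guard should share one notion of "secure", and X-Forwarded-Proto should be honoured only when the proxy overwrites whatever the client sent (mod_remoteip or equivalent), never as a bare client header.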