Tue 20 Jun 2006
I just wanted to share a couple new techniques I’ve learned:
The first is pretty simple - Apple’s mod_auth_apple supports authentication against local accounts. This means there’s no need to maintain a separate .htpasswd list. You can just create a .htgroups file with groups defined as:
groupname: user1 user2…
where the users are usernames for local accounts (note that the account password type can be either shadow or OpenDirectory). The .htaccess configuration is the same as if you were using mod_auth:
AuthName "My Protected Area"
AuthType Basic
AuthGroupFile /path/to/.htgroups
Require group groupname
The second trick I’ve learned deals with the interaction between mod_auth (or mod_auth_apple), mod_rewrite, and SSL. You can use mod_rewrite to force a directory to use SSL by adding something like this to the .htaccess file:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
This rewrites all non-SSL connections to SSL connections; it’s more user-friendly than SSLRequireSSL, which just displays an error for non-SSL connections. However, problems arise when the directory is also protected with mod_auth. The authentication directives are read before the rewrite directives, so the user is prompted to authenticate over a non-SSL connection. Then the rewrites kick in and redirect to an SSL connection. Mod_auth sees that the URL has changed, and prompts the user for authentication again. So, what the user sees is one insecure prompt, followed by a second secure prompt. This is both a security risk (the credentials typed at the first prompt travel in the clear) and confusing to the user.
The solution I’ve found is to put the rewrite rules in a .htaccess file in the target directory, but to put the authentication rules in the virtual host configuration for port 443 only. This way, when the user attempts a non-SSL connection, there are no authentication rules in place, and the rewrite happens immediately. Once the URL has been rewritten to SSL (and thus to port 443), Apache sees that there are authentication rules in place and prompts the user to supply a username and password over a secure connection.
This solution could be cleaner if there were an Apache directive that would allow you to discriminate by port number - if this were available, the entire configuration could go in a .htaccess file. As it is now, you have to configure two virtual hosts for each site, one on port 80 and one on port 443. OS X configures sites this way by default, but for other servers this fix might require more work.
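Here is the split described above written out as an added example; it is not configuration from the original post. The hostname, DocumentRoot, certificate paths and the group name "staff" are placeholders. The port 80 virtual host carries no authentication directives at all, so the only thing a cleartext request can trigger is the redirect; the authentication block exists only in the port 443 virtual host, so the Basic prompt can never be issued before the connection is encrypted.

```apache
# Port 80: no AuthName/AuthType/Require here. A cleartext request to the
# protected directory is redirected by the .htaccess below before anything
# can ask for credentials.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /Library/WebServer/Documents
    <Directory /Library/WebServer/Documents/protected>
        # mod_rewrite in a per-directory (.htaccess) context needs both of these:
        # FollowSymLinks (or SymLinksIfOwnerMatch) and AllowOverride FileInfo.
        Options FollowSymLinks
        AllowOverride FileInfo
    </Directory>
</VirtualHost>

# Port 443: the authentication directives live only here, so the first
# and only prompt the user sees is on the encrypted connection.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /Library/WebServer/Documents
    SSLEngine on
    # Placeholder certificate paths.
    SSLCertificateFile /etc/certificates/example.crt
    SSLCertificateKeyFile /etc/certificates/example.key
    <Directory /Library/WebServer/Documents/protected>
        Options FollowSymLinks
        AllowOverride FileInfo
        # Same directives the post shows for .htaccess; with mod_auth_apple the
        # group members are local accounts, so no AuthUserFile is needed.
        AuthName "My Protected Area"
        AuthType Basic
        AuthGroupFile /Library/WebServer/.htgroups
        Require group staff
    </Directory>
</VirtualHost>

# Contents of /Library/WebServer/Documents/protected/.htaccess
# (a separate file; shown here for completeness). Only the rewrite lives
# here. It fires on the port 80 virtual host and is a no-op on port 443,
# where the authentication from the virtual host above then applies.
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
```

Placing the rewrite in the .htaccess file keeps the arrangement the post describes; the same rules could equally sit inside the port 80 `<Directory>` block, which removes the need for AllowOverride FileInfo. The .htgroups file referenced above has the one-line-per-group format given earlier (groupname followed by space-separated local usernames).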