做HTTP认证通过HTTPS与URL重写 [英] Do HTTP authentication over HTTPS with URL rewriting
问题描述
我试图用保护〜/的public_html的/ dev 目录HTTP认证基本的,但使该安全我想通过SSL运行它。
的下面的.htaccess 文件开关中间部分为https如果请求的URI始于的/ dev 和作品。
该文件的最后一节的作品很好,但与HTTPS重定向不能正常工作。
基本上,我希望能够键入 http://www.example.com/dev/some_sub_dir/ 并重定向到 HTTPS: //www.example.com/dev/some_sub_dir / 并提示输入HTTP认证的用户名和密码。
目前是什么情况是,如果我去 http://www.example.com/dev/some_sub_dir/ 我得到提示通过端口80用户名和密码,然后立即得到了443端口。因此,我的凭据被发送两次,一次在清澈的,而一旦加密再次提示。使得整个HTTPS URL重写一点没有意义的。
这样做的原因是这样的话,我将无法提交意外我的用户名/密码通过http; HTTPS将始终用来访问的/ dev 目录。
的的.htaccess 是〜/的public_html的/ dev 目录。
#重写规则的example.com
RewriteEngine叙述在
的RewriteBase /#力的/ dev通过https
的RewriteCond%{} HTTPS!上
的RewriteCond%{REQUEST_URI} ^的/ dev
重写规则HTTPS(。*)://%{HTTP_HOST}%{REQUEST_URI}#做AUTH
AuthType选项基本
AuthName指令开发
的AuthUserFile /home/matt/public_html/dev/.htpasswd
需要有效的用户
有一个比较流行的黑客做的基本身份验证之前,强制HTTPS。我第一次看到在这里:
<一个href=\"http://blog.jozjan.net/2008/02/htaccess-redirect-to-ssl-https-before.html\">http://blog.jozjan.net/2008/02/htaccess-redirect-to-ssl-https-before.html
它涉及到使用自定义错误文档处理HTTPS检查失败后,无论发生什么事。
例如,我有一个页面,我需要强制使用HTTPS,所以我这样做在.htaccess文件:
&LT; FilesMatch安全-page.php&GT;
SSLRequireSSL
的ErrorDocument 403 https://www.example.com/secure-page.php
AuthType选项基本
AuthName指令安全页面
的AuthUserFile /var/www/whatever/.htpasswdFile
需要有效的用户
&LT; / FilesMatch&GT;
翻译过来就是:
如果请求的页面安全-page.php' - 如果不是HTTPS,然后重定向到一个自定义的错误页面 - 在错误页面其实只是该页面的HTTPS版本 - 在第二次请求,由于HTTPS检查通过了,执行基本验证:)
您可以将此概念延伸到一个目录或其他使用案例 - 自定义的错误页面可能是一个PHP页面重定向到正确的HTTPS URL,或者像在上面的链接的CGI脚本...
I am trying to protect the ~/public_html/dev directory using http auth basic, but to make that secure I want to run it over ssl.
The middle section of the below .htaccess file switches to https if the request URI begins with /dev and works.
The last section of the file works as well but does not work properly with the https redirect.
I basically want to be able to type http://www.example.com/dev/some_sub_dir/ and be redirected to https://www.example.com/dev/some_sub_dir/ and prompted for the http auth username and password.
What currently happens is if I go to http://www.example.com/dev/some_sub_dir/ I get prompted for a username and password over port 80, and then immediately get prompted again over port 443. So my credentials are being sent twice, once in the clear, and once encrypted. Making the whole https url rewrite a little pointless.
The reason for doing this is so that I won't be able to accidentally submit my user/pass over http; https will always be used to access the /dev directory.
The .htaccess is in the ~/public_html/dev directory.
# Rewrite Rules for example.com
RewriteEngine On
RewriteBase /
# force /dev over https
RewriteCond %{HTTPS} !on
RewriteCond %{REQUEST_URI} ^/dev
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
# do auth
AuthType Basic
AuthName "dev"
AuthUserFile /home/matt/public_html/dev/.htpasswd
Require valid-user
There is a relatively popular hack to force HTTPS before doing Basic Authentication. I first saw it here:
http://blog.jozjan.net/2008/02/htaccess-redirect-to-ssl-https-before.html
It involves using a custom error document to handle whatever happens after the HTTPS check fails.
For example, I have a single page I need to force HTTPS on, so I did this in an .htaccess file:
<FilesMatch "secure-page.php">
SSLRequireSSL
ErrorDocument 403 https://www.example.com/secure-page.php
AuthType Basic
AuthName "Secure Page"
AuthUserFile /var/www/whatever/.htpasswdFile
Require valid-user
</FilesMatch>
Which translates to:
if the requested page is 'secure-page.php' - if not HTTPS, then redirect to a custom 'error page' - the 'error page' is actually just the HTTPS version of the page - on the second request, since the HTTPS check now passes, perform Basic Auth :)
You can extend this concept to a directory or other use cases - your custom 'error page' could be a php page that redirects to the correct HTTPS URL, or a CGI script like in the link above...
这篇关于做HTTP认证通过HTTPS与URL重写的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
