使用 URL 重写通过 HTTPS 进行 HTTP 身份验证 [英] Do HTTP authentication over HTTPS with URL rewriting

问题描述

我正在尝试使用 http auth basic 保护 ~/public_html/dev 目录，但为了确保安全，我想通过 ssl 运行它.

I am trying to protect the ~/public_html/dev directory using http auth basic, but to make that secure I want to run it over ssl.

如果请求 URI 以 /dev 开头并且有效，则下面 .htaccess 文件的中间部分将切换到 https.

The middle section of the below .htaccess file switches to https if the request URI begins with /dev and works.

文件的最后一部分也能正常工作，但不能与 https 重定向一起正常工作.

The last section of the file works as well but does not work properly with the https redirect.

我基本上希望能够输入 http://www.example.com/dev/some_sub_dir/ 并被重定向到 https://www.example.com/dev/some_sub_dir/ 并提示输入 http auth 用户名和密码.

I basically want to be able to type http://www.example.com/dev/some_sub_dir/ and be redirected to https://www.example.com/dev/some_sub_dir/ and prompted for the http auth username and password.

当前发生的情况是，如果我转到 http://www.example.com/dev/some_sub_dir/，我会通过端口 80 提示输入用户名和密码，然后立即再次提示通过端口 443.所以我的凭据被发送两次，一次是明文，一次是加密.使整个 https url 重写有点毫无意义.

What currently happens is if I go to http://www.example.com/dev/some_sub_dir/ I get prompted for a username and password over port 80, and then immediately get prompted again over port 443. So my credentials are being sent twice, once in the clear, and once encrypted. Making the whole https url rewrite a little pointless.

这样做的原因是为了我不会不小心通过http提交我的用户/传递；https 将始终用于访问 /dev 目录.

The reason for doing this is so that I won't be able to accidentally submit my user/pass over http; https will always be used to access the /dev directory.

.htaccess 位于 ~/public_html/dev 目录中.

# Rewrite Rules for example.com
RewriteEngine On
RewriteBase /

# force /dev over https
RewriteCond %{HTTPS} !on
RewriteCond %{REQUEST_URI} ^/dev
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

# do auth
AuthType Basic
AuthName "dev"
AuthUserFile /home/matt/public_html/dev/.htpasswd
Require valid-user

推荐答案

在进行基本身份验证之前，有一种相对流行的 hack 方法可以强制使用 HTTPS.我第一次在这里看到它:

There is a relatively popular hack to force HTTPS before doing Basic Authentication. I first saw it here:

http://blog.jozjan.net/2008/02/htaccess-redirect-to-ssl-https-before.html

它涉及使用自定义错误文档来处理 HTTPS 检查失败后发生的任何事情.

It involves using a custom error document to handle whatever happens after the HTTPS check fails.

例如，我有一个页面需要强制启用 HTTPS，因此我在 .htaccess 文件中执行此操作:

For example, I have a single page I need to force HTTPS on, so I did this in an .htaccess file:

<FilesMatch "secure-page.php">
    SSLRequireSSL
    ErrorDocument 403 https://www.example.com/secure-page.php
    AuthType Basic
    AuthName "Secure Page"
    AuthUserFile /var/www/whatever/.htpasswdFile
    Require valid-user
</FilesMatch>

翻译成:

如果请求的页面是secure-page.php"——如果不是 HTTPS，则重定向到自定义错误页面"——错误页面"实际上只是页面的 HTTPS 版本——在第二个请求中，由于 HTTPS 检查现已通过，请执行基本身份验证 :)

if the requested page is 'secure-page.php' - if not HTTPS, then redirect to a custom 'error page' - the 'error page' is actually just the HTTPS version of the page - on the second request, since the HTTPS check now passes, perform Basic Auth :)

您可以将此概念扩展到目录或其他用例 - 您的自定义错误页面"可以是重定向到正确 HTTPS URL 的 php 页面，或者像上面链接中的 CGI 脚本...

You can extend this concept to a directory or other use cases - your custom 'error page' could be a php page that redirects to the correct HTTPS URL, or a CGI script like in the link above...

这篇关于使用 URL 重写通过 HTTPS 进行 HTTP 身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！