Basically, I wanted users who went to domain.com/private to be redirected to https://domaincom.secure.powweb.com/private before the htaccess password prompt was displayed.
A problem I kept running into was when I would password-protect the /private folder using htaccess. I wanted the htaccess login prompt to only show up over the https connection, because if a user entered the htaccess password over an http connection, a cracker could sniff the cleartext off the wire.
Another problem was that sometimes the server certificate would say it didn't match the domain (for example at https://domain.com/private).
Unless the user typed in https://domaincom.secure.powweb.com/private, the htaccess password prompt would show up two or more times before getting to the right place, and the first time it would be over an unencrypted channel! Unacceptable!
The method below totally fixes all these problems!
Now you are able to go to http://www.domain.com/private, http://domain.com/private, http://domaincom.secure.powweb.com/private or any variation, and the htaccess password prompt will ONLY pop up if you are on an https SSL-encrypted connection!
Code:
# Refuse the request (403) unless it arrived over SSL
SSLOptions +StrictRequire
SSLRequireSSL
# Also refuse it unless the browser asked for the host the certificate is issued for
SSLRequire %{HTTP_HOST} eq "domaincom.secure.powweb.com"
# Basic authentication, only evaluated once the SSL checks above have passed
AuthUserFile /www/d/domain/.htpasswd
AuthName "Private"
AuthType Basic
require user admin56
# Turn the 403 into a redirect to the secure host (a full URL here makes Apache redirect)
ErrorDocument 403 https://domaincom.secure.powweb.com/private/index.php
Let me explain.
You put this in the .htaccess file at /private/.htaccess. It tells the server: if a connection is attempted to this /private/ directory and it is not over an SSL-encrypted connection, do not allow it. Apache evaluates the SSLRequireSSL access check before it evaluates the authentication directives, so the Basic-auth challenge is never sent over plain http.
If the connection is disallowed, the server answers with a 403 error. We also told the server that when a 403 ErrorDocument is served, it should serve https://domaincom.secure.powweb.com/private/index.php instead of the default 403 ErrorDocument; because that is a full URL, Apache sends the browser a redirect to it. In effect, any non-SSL connection to the /private/ folder is redirected to the 403 ErrorDocument you specified.
What if a user types in https://domain.com/private?
Good question. This would result in an SSL-encrypted connection to your /private folder, but because the host is not domaincom.secure.powweb.com, you will get a security alert in your browser: the name will not match the one in the powweb security certificate.
You could try using the rewrite module that comes with Apache, basically rewriting https://domain.com/private to https://domaincom.secure.powweb.com/private. How to do this is beyond the scope of this document, and I discourage using any rewrites due to the performance loss.
You shouldn't need to fix this anyway. By doing the above, you have already ensured that any htaccess password prompt will only pop up over an SSL-encrypted connection.
And because of the SSLRequire line, you can specify that only connections to the correct host name will be allowed!
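The following is an added example, not code from the original post or from Apache. It models the decision the .htaccess above makes for a request, in the order Apache applies it: the mod_ssl access check (SSLRequireSSL and SSLRequire) runs in the access-control phase, before the authentication phase that would send the Basic-auth challenge, and the 403 is turned into a redirect by the ErrorDocument line. The request values and the password check are constructed stand-ins.

```python
"""Model of how the /private/.htaccess rules decide a request.

Added example (not from the original post or Apache). Reproduces the
order in which Apache evaluates the directives: access control first
(SSLRequireSSL / SSLRequire), authentication second (AuthType Basic /
require user). Request values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

SECURE_HOST = "domaincom.secure.powweb.com"                  # host in SSLRequire
ERROR_DOC_403 = f"https://{SECURE_HOST}/private/index.php"   # ErrorDocument 403
REALM = "Private"                                            # AuthName
VALID_USERS = {"admin56"}                                    # require user admin56


@dataclass
class Request:
    host: str                   # value of %{HTTP_HOST}
    https: bool                 # True when the request arrived over TLS
    user: Optional[str] = None  # user name from the Authorization header, if any
    password_ok: bool = False   # constructed stand-in for the .htpasswd check


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def access_phase(req: Request) -> Optional[int]:
    """SSLRequireSSL and SSLRequire: 403 unless TLS to the expected host."""
    if not req.https:               # SSLRequireSSL
        return 403
    if req.host != SECURE_HOST:     # SSLRequire %{HTTP_HOST} eq "..."
        return 403
    return None


def auth_phase(req: Request) -> Optional[Response]:
    """AuthType Basic / require user: challenge unless valid credentials."""
    if req.user is None or not req.password_ok or req.user not in VALID_USERS:
        return Response(401, {"WWW-Authenticate": f'Basic realm="{REALM}"'})
    return None


def handle(req: Request) -> Response:
    """Run the two phases in Apache's order and return the response."""
    # Phase 1: access control. A 403 here is replaced by the ErrorDocument,
    # and because that ErrorDocument is a full URL, Apache answers with a
    # redirect. The auth phase is never reached, so no challenge leaves the
    # server on a plain-http or wrong-host connection.
    if access_phase(req) == 403:
        return Response(302, {"Location": ERROR_DOC_403})
    # Phase 2: authentication, only reached over TLS to the right host.
    challenge = auth_phase(req)
    if challenge is not None:
        return challenge
    return Response(200)


def challenge_sent_in_clear(req: Request) -> bool:
    """True if a Basic-auth challenge would go out over a non-TLS connection."""
    resp = handle(req)
    return (not req.https) and "WWW-Authenticate" in resp.headers


if __name__ == "__main__":
    for r in (Request("domain.com", https=False),
              Request("www.domain.com", https=False),
              Request("domain.com", https=True),
              Request(SECURE_HOST, https=True),
              Request(SECURE_HOST, https=True, user="admin56", password_ok=True)):
        resp = handle(r)
        scheme = "https" if r.https else "http "
        print(f"{scheme} {r.host:30} -> {resp.status} {resp.headers}")
```

To confirm the same behaviour on a live server, `curl -sI http://domain.com/private/` should show a 302 whose Location points at the secure host and no WWW-Authenticate header, while `curl -sI https://domaincom.secure.powweb.com/private/` should show a 401 with the WWW-Authenticate challenge.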
OTHER SUGGESTIONS
* I would suggest using links like /login/ in your web pages instead of https://domaincom.secure.powweb.com/login/
REFERENCES / MORE-READING