Allow from referer for HTTP-basic protected SSL apache site

Posted by user64204 on Server Fault
Published on 2012-03-19T09:05:34Z Indexed on 2012/03/19 10:07 UTC

I have an Apache site protected by HTTP basic authentication. The authentication is working fine. Now I would like to bypass authentication for users that are coming from a particular website by relying on the HTTP Referer header.

Here is the configuration:

    SetEnvIf Referer "^http://.*.example\.org" coming_from_example_org
    <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Deny from all
            Allow from env=coming_from_example_org
            AuthName "login required"
            AuthUserFile /opt/http_basic_usernames_and_passwords
            AuthType Basic
            Require valid-user
            Satisfy Any
    </Directory>

This is working fine for HTTP, but failing for HTTPS. My understanding is that in order to inspect the HTTP headers, the SSL handshake must be completed, but Apache wants to inspect the <Directory> directives before doing the SSL handshake, even if I place them at the bottom of the configuration file.

Q: How could I work around this issue?

PS: I'm not obsessed with the HTTP referer header, I could use other options that would allow users from a known website to bypass authentication.
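Added example, not part of the original post: a Python check of which Referer values the `SetEnvIf` pattern in the configuration above would match, next to a stricter pattern. The stricter pattern, the helper names and the sample Referer values are assumptions constructed for illustration; Python's `re.search` stands in for Apache's unanchored regex match.

```python
import re

# Pattern copied verbatim from the SetEnvIf line in the post.
ORIGINAL = r"^http://.*.example\.org"

# Hypothetical stricter pattern (assumption, not from the post): accepts http
# or https, and requires the host to be example.org or one of its subdomains.
STRICT = r"^https?://([a-z0-9-]+\.)*example\.org(:\d+)?(/|$)"

# Constructed Referer values, for illustration only.
SAMPLES = [
    "http://www.example.org/page",
    "https://www.example.org/page",
    "http://example.org/",
    "http://wwwxexample.org/",
    "http://www.example.org.other.test/",
    "http://other.test/?u=http://www.example.org",
]


def env_would_be_set(pattern, referer):
    """SetEnvIf sets the variable when the regex matches anywhere in the
    header value, so an unanchored search models it."""
    return re.search(pattern, referer) is not None


def compare(samples=SAMPLES):
    """Return (referer, original_matches, strict_matches) for each sample."""
    return [
        (r, env_would_be_set(ORIGINAL, r), env_would_be_set(STRICT, r))
        for r in samples
    ]


if __name__ == "__main__":
    print(f"{'Referer':<48}{'original':<10}strict")
    for referer, orig, strict in compare():
        print(f"{referer:<48}{str(orig):<10}{strict}")
```

The original pattern rejects an `https://` Referer and the bare `http://example.org/`, and accepts hosts that merely contain `example.org`; the Referer header is supplied by the client in either case.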
