Allow from referer for HTTP-basic protected SSL apache site
Posted by user64204 on Server Fault
Published on 2012-03-19T09:05:34Z
I have an Apache site protected by HTTP basic authentication. The authentication is working fine. Now I would like to bypass authentication for users that are coming from a particular website by relying on the HTTP Referer header.
Here is the configuration:
    SetEnvIf Referer "^http://.*.example\.org" coming_from_example_org
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Deny from all
        Allow from env=coming_from_example_org
        AuthName "login required"
        AuthUserFile /opt/http_basic_usernames_and_passwords
        AuthType Basic
        Require valid-user
        Satisfy Any
    </Directory>
This is working fine for HTTP, but failing for HTTPS. My understanding is that in order to inspect the HTTP headers, the SSL handshake must be completed, but Apache wants to inspect the <Directory> directives before doing the SSL handshake, even if I place them at the bottom of the configuration file.
Q: How could I work around this issue?
PS: I'm not obsessed with the HTTP Referer header, I could use other options that would allow users from a known website to bypass authentication.
© Server Fault or respective owner
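Added example, not part of the original post: a Python check of which Referer values the SetEnvIf pattern from the question accepts, beside a stricter pattern. The stricter pattern, the sample values and the helper names are assumptions of this example, and Python's `re.search` stands in for SetEnvIf's unanchored regex match. The Referer header is set by the client, so either pattern is a convenience filter rather than an authentication check.

```python
import re

# Pattern copied verbatim from the SetEnvIf line in the question.
ORIGINAL = r"^http://.*.example\.org"

# Stricter pattern (an assumption of this example, not from the post):
# either scheme, optional lowercase subdomain labels, and the host name
# must be followed by a port, a '/' or the end of the string.
TIGHTENED = r"^https?://([a-z0-9-]+\.)*example\.org(:[0-9]+)?(/|$)"

# Constructed Referer values; none of them come from the original post.
SAMPLES = [
    "http://www.example.org/page",              # intended: subdomain over HTTP
    "https://www.example.org/page",             # intended: subdomain over HTTPS
    "http://example.org/",                      # intended: bare domain
    "http://www.example.org.other.test/",       # different host, same prefix
    "http://other.test/?from=www.example.org",  # name appears only in the query
    "http://wwwXexample.org/",                  # unescaped '.' matches any char
]


def matches(pattern, referer):
    """True if the pattern is found in the Referer value.

    SetEnvIf performs a search rather than a full match, so only the
    explicit '^' anchors the pattern; re.search behaves the same way.
    """
    return re.search(pattern, referer) is not None


def audit(pattern):
    """Map every constructed sample to whether the pattern accepts it."""
    return {referer: matches(pattern, referer) for referer in SAMPLES}


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        print(name, pattern)
        for referer, accepted in audit(pattern).items():
            print("   ", "ALLOW" if accepted else "deny ", referer)
```
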