Apache directive for authenticated users?
Posted
by
Alex Leach
on Server Fault
See other posts from Server Fault
or by Alex Leach
Published on 2012-12-06T00:31:29Z
Indexed on
2012/12/07
5:08 UTC
Read the original article
Hit count: 426
Using Apache 2.2, I would like to use mod_rewrite to redirect un-authenticated users to use https, if they are on http.. Is there a directive or condition one can test for whether a user is (not) authenticated?
For example, I could have set up the restricted /foo
location on my server:-
<Location "/foo/">
Order deny,allow
# Deny everyone, until authenticated...
Deny from all
# Authentication mechanism
AuthType Basic
AuthName "Members only"
# AuthBasicProvider ...
# ... Other authentication stuff here.
# Users must be valid.
Require valid-user
# Logged-in users authorised to view child URLs:
Satisfy any
# If not SSL, respond with HTTP-redirect
RewriteCond ${HTTPS} off
RewriteRule /foo/?(.*)$ https://${SERVER_NAME}/foo/$2 [R=301,L]
# SSL enforcement.
SSLOptions FakeBasicAuth StrictRequire
SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Location>
The problem here is that every file, in every subfolder, will be encrypted. This is quite unnecessary, but I see no reason to disallow it. What I would like is the RewriteRule
to only be triggered during authentication. If a user is already authorised to view a folder, then I don't want the RewriteRule
to be triggered. Is this possible?
EDIT:
I am not using any front-end HTML here. This is only using Apache's built-in directory browsing interface and its in-built authentication mechanisms. My <Directory>
config is:
<Directory ~ "/foo/">
Order allow,deny
Allow from all
AllowOverride None
Options +Indexes +FollowSymLinks +Includes +MultiViews
IndexOptions +FancyIndexing
IndexOptions +XHTML
IndexOptions NameWidth=*
IndexOptions +TrackModified
IndexOptions +SuppressHTMLPreamble
IndexOptions +FoldersFirst
IndexOptions +IgnoreCase
IndexOptions Type=text/html
</Directory>
© Server Fault or respective owner