Allow from referer for HTTP-basic protected SSL apache site
- by user64204
I have an Apache site protected by HTTP basic authentication. The authentication is working fine. Now I would like to bypass authentication for users that are coming from a particular website by relying on the HTTP Referer header.
Here is the configuration:
    SetEnvIf Referer "^http://.*.example\.org" coming_from_example_org
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Deny from all
        Allow from env=coming_from_example_org
        AuthName "login required"
        AuthUserFile /opt/http_basic_usernames_and_passwords
        AuthType Basic
        Require valid-user
        Satisfy Any
    </Directory>
This is working fine for HTTP, but failing for HTTPS. My understanding is that in order to inspect the HTTP headers, the SSL handshake must be completed, but Apache wants to inspect the <Directory> directives before doing the SSL handshake, even if I place them at the bottom of the configuration file.
Q: How could I work around this issue?
PS: I'm not obsessed with the HTTP Referer header, I could use other options that would allow users from a known website to bypass authentication.
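Added example (not part of the original post): a small check of which Referer values the SetEnvIf pattern above accepts, next to a tighter pattern. The tighter pattern, the function names and the sample Referer values are assumptions constructed for illustration; Python's `re.search` stands in for the unanchored regex match that SetEnvIf performs.

```python
import re

# Pattern copied verbatim from the SetEnvIf line in the post.
PAGE_PATTERN = r"^http://.*.example\.org"

# Hypothetical tighter pattern (an assumption, not from the post):
# either scheme, host is example.org or a subdomain of it, and the
# host name must end at a port, a "/" or the end of the value.
STRICT_PATTERN = r"^https?://([a-z0-9-]+\.)*example\.org(:\d+)?(/|$)"

# Constructed Referer header values, not taken from any real log.
SAMPLES = [
    "http://www.example.org/page",              # intended site over HTTP
    "https://www.example.org/page",             # intended site over HTTPS
    "http://example.org/",                      # intended site, no subdomain
    "http://www.example.org.other.test/",       # different host, similar prefix
    "http://other.test/?from=www.example.org",  # different host, name in query
    "",                                         # header absent or empty
]


def sets_env(pattern, referer):
    """True if SetEnvIf with this pattern would set the variable."""
    # SetEnvIf searches the header value; it only anchors where the
    # pattern itself uses ^ or $.
    return re.search(pattern, referer) is not None


def compare(samples=SAMPLES):
    """Return (referer, page_pattern_result, strict_pattern_result) rows."""
    return [
        (r, sets_env(PAGE_PATTERN, r), sets_env(STRICT_PATTERN, r))
        for r in samples
    ]


if __name__ == "__main__":
    for referer, page, strict in compare():
        print(f"{referer!r:45} page={page!s:5} strict={strict}")
```

The Referer value is whatever the client sends, so either pattern only describes which header strings set `coming_from_example_org`, not where the request actually came from.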