Apache config for sending only username/password via https/ssl

Author Message

Jonny Bergkvist

Monday 27 October 2003 12:19:29 pm

I have a eZ 3.2-site on Debian with Apache and Apache-SSL (not mod-ssl):

I have achieved to send all username/password in https (encrypted), and everything else goes in http (clear-text).

In apache/http it does a rewrite to https if you request a url-path that begins with /user.

And in apache-ssl/https it does a rewrite to http if you request another url-path than /user.

From /etc/apache/httpd.conf:
<VirtualHost *>
<Directory /ezroot>
Options FollowSymLinks Indexes ExecCGI
AllowOverride None
Order deny,allow
allow from all
</Directory>

ServerAdmin [email protected]
ServerName hostname.domain.com
ServerAlias admin.hostname.domain.com
DocumentRoot /ezroot/

RewriteEngine On
RewriteRule ^/user(.*)$ https://%{HTTP_HOST}/user$1 [L]
RewriteRule !\.(gif|css|jpg|png|jar|ico|js)$ /ezroot/index.php
</VirtualHost>


From /etc/apache-ssl/httpd.conf:
<VirtualHost *>
<Directory /ezroot>
Options FollowSymLinks Indexes ExecCGI
AllowOverride None
Order deny,allow
allow from all
</Directory>

ServerAdmin [email protected]
ServerName hostname.domain.com
ServerAlias admin.hostname.domain.com
DocumentRoot /ezroot/

SSLCACertificatePath /etc/apache-ssl/cert
SSLCACertificateFile /etc/apache-ssl/cert/ca.txt
SSLCertificateFile /etc/apache-ssl/cert/certificate.crt
SSLCertificateKeyFile /etc/apache-ssl/cert/private.key

RewriteEngine On
RewriteRule ^/user(.*)$ /ezroot/index.php [L]
RewriteRule ^(.*) http://%{HTTP_HOST}$1 [L]
</VirtualHost>

The only problem I have found with this config is that if you are not authenticated and open url: http://admin.hostname.domain.com/ then you are presented the login-page without the /user/login appended in the url-path. I think I must hack some of the php-code to append the /user/login to the url in order to get redirected to https...?

Except for that is seems to work fine. Please give me feedback about this config :-)

Regards, Jonny

Jonny Bergkvist

Tuesday 28 October 2003 4:34:52 am

I just found a solution that works for the http://admin.hostname.domain.com/ when not autenticated:

I repeat the rewrite-stuff including the new entries:

/etc/apache/htttp.conf:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^admin\.hostname\.domain\.com [NC]
RewriteRule ^/$ https://%{HTTP_HOST} [L]

RewriteRule ^/user(.*)$ https://%{HTTP_HOST}/user$1 [L]
RewriteRule !\.(gif|css|jpg|png|jar|ico|js)$ /ezroot/index.php

/etc/apache-ssl/httpd.conf:
RewriteEngine On
RewriteRule ^/user(.*)$ /ezroot/index.php [L]
RewriteRule ^/$ /ezroot/index.php [L]
RewriteRule \.(gif|css|jpg|png|jar|ico|js)$ %{REQUEST_URI} [S=1]
RewriteRule ^(.*) http://%{HTTP_HOST}$1 [L]

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.