[opensuse] 11.0 Apache2 SSL AuthDBM - Prompted for user/passwd Twice?
Listmates:
Working with apache2 on 11.0 to tighten security a bit on a few directories. I have the security set like I want it -- almost. The problem is that when trying to access a directory, I get asked for the username and password twice?

The server is set up using a self-signed certificate with the certificate signing pw removed so you are not prompted on server start.

The httpd.conf.local settings for the directories in question are:
David C. Rankin wrote:
Using lynx, I am asked for the user/password for:
www.3111skyline.com "Restricted Files" (makes sense)
and then immediately again for the user/password for:
www.3111skyline.com:443 "Restricted Files" (doesn't make sense)
David, those are two different authentication contexts.

/Per

--
/Per Jessen, Zürich

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
David C. Rankin wrote:
Listmates:
Working with apache2 on 11.0 to tighten security a bit of a few directories. I have the security set like I want it -- almost. The problem is that when trying to access a directory, I get asked for the username and password twice?
Why does Apache ask for my password twice before serving a file?

If the hostname under which you are accessing the server is different than the hostname specified in the ServerName directive, then depending on the setting of the UseCanonicalName directive, Apache will redirect you to a new hostname when constructing self-referential URLs. This happens, for example, in the case where you request a directory without including the trailing slash. When this happens, Apache will ask for authentication once under the original hostname, perform the redirect, and then ask again under the new hostname. For security reasons, the browser must prompt again for the password when the host name changes.

To eliminate this problem you should

1. Always use the trailing slash when requesting directories;
2. Change the ServerName to match the name you are using in the URL; and/or
3. Set UseCanonicalName off.

________

In 2.2 UseCanonicalName _is_ off by default, so my problem was limited to calling the directory without the trailing slash. Now even with the https:// rewrite, I am only asked for the password once ;-)

--
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
Countdown for openSuSE 11.1
http://counter.opensuse.org/11.1/small
David C. Rankin wrote:
David C. Rankin wrote:
To eliminate this problem you should
1. Always use the trailing slash when requesting directories; 2. Change the ServerName to match the name you are using in the URL; and/or 3. Set UseCanonicalName off.
________
In 2.2 UseCanonicalName _is_ off by default, so my problem was limited to calling the directory without the trailing slash. Now even with the https:// rewrite, I am only asked for the password once ;-)
Damn,
Spoke too soon. There is still a multiple password prompt when the https rewrite is invoked. Is there a way I can change the order of the directory definition in httpd.conf to avoid this?
The directory definition is again:
On Sun, Nov 16, 2008 at 00:12, David C. Rankin wrote:
Spoke too soon. There is still a multiple password prompt when the https rewrite is invoked. Is there a way I can change the order of the directory definition in httpd.conf to avoid this?

The HTTP re-write is being password protected, that is:

1) User requests http://site.com/whatever/ -> Authentication request #1
2) Rewrite to https://site.com/whatever/
3) Authentication #2 on the "new site"... the browser treats https://site.com & http://site.com as 2 different sites.

So simply set up the non-https directory not to be password protected. Of course do not serve the files there, just the redirect/rewrite.
Andrew Joakimsen wrote:
On Sun, Nov 16, 2008 at 00:12, David C. Rankin wrote:
Spoke too soon. There is still a multiple password prompt when the https rewrite is invoked. Is there a way I can change the order of the directory definition in httpd.conf to avoid this?

The HTTP re-write is being password protected, that is:

1) User requests http://site.com/whatever/ -> Authentication request #1
2) Rewrite to https://site.com/whatever/
3) Authentication #2 on the "new site"... the browser treats https://site.com & http://site.com as 2 different sites.

So simply set up the non-https directory not to be password protected. Of course do not serve the files there, just the redirect/rewrite.

Thanks, but in this situation, there isn't a way to separate files for access either by http or https; there is only one set of files that must be available to both protocols.

The rewrite only occurs for access by IPs outside the local LAN. I don't want users on the local LAN to have to use https to access the files, but I do want everyone to have to authenticate. I don't want people outside the LAN to access the files without https, to prevent passwords from flying across public space in the clear.

I know that http:// and https:// are two different authentication contexts, but why can't I just do a redirect before the authentication takes place?

I'll keep digging.

--
David C. Rankin, J.D.,P.E. | Rankin Law Firm, PLLC
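An added configuration example, not the poster's own httpd.conf.local (the directory definition did not survive in the archive) and not anything the list members posted, showing one way to get the behaviour asked for above: everyone authenticates against the same DBM file, LAN clients stay on http, and clients outside the LAN are redirected to https before any password challenge is issued. It also applies the FAQ advice quoted earlier in the thread (ServerName matching the name clients use, UseCanonicalName Off). The host name www.3111skyline.com and the 192.168.12.x LAN are taken from the thread; the DocumentRoot, the /restricted directory, the DBM file path and the openSUSE certificate paths are assumptions.

```apache
# Added example (not the poster's config). Apache 2.2, name-based vhosts
# for www.3111skyline.com. Assumed: LAN is 192.168.12.0/24, DocumentRoot
# /srv/www/htdocs, protected directory /restricted, DBM user file below.

NameVirtualHost *:80

# Authentication is defined once at server level, so both virtual hosts
# inherit it and the same set of files is protected over http and https.
<Directory "/srv/www/htdocs/restricted">
    AuthType Basic
    AuthName "Restricted Files"
    AuthBasicProvider dbm
    AuthDBMType default
    AuthDBMUserFile /etc/apache2/passwd/users.dbm
    Require valid-user
</Directory>

<VirtualHost *:80>
    ServerName www.3111skyline.com
    DocumentRoot /srv/www/htdocs
    # Keep self-referential redirects (e.g. the trailing slash mod_dir adds
    # to /restricted) on the host the client used, so the browser sees one
    # realm on one host instead of a second challenge after the redirect.
    UseCanonicalName Off

    # Clients outside the LAN are sent to https before any challenge.
    # In VirtualHost context mod_rewrite runs in the URI-translation phase,
    # which precedes the authentication phases; the same rule inside a
    # <Directory> block runs in the fixup phase, after the Basic-auth
    # challenge has already gone out, giving the http prompt followed by
    # the https prompt described in the thread.
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} !^192\.168\.12\.[0-9]+$
    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
    # 302 rather than 301: the decision depends on where the client connects
    # from, so it must not be cached as permanent.
    RewriteRule ^/restricted(/.*)?$ https://www.3111skyline.com/restricted$1 [R=302,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.3111skyline.com
    DocumentRoot /srv/www/htdocs
    UseCanonicalName Off
    SSLEngine on
    # openSUSE default certificate locations (assumed; point at the real files).
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
</VirtualHost>
```

With the rule in VirtualHost context, an external client's first request never reaches the authentication hook on the http host: its only challenge comes from the https host, and scheme, host and realm stay constant from then on, so the browser asks once. A LAN client is never redirected and is challenged once on http. The key point is where the RewriteRule lives, not the order of the <Directory> definitions.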
On Mon, Nov 17, 2008 at 01:38, David C. Rankin wrote:
Andrew Joakimsen wrote:
On Sun, Nov 16, 2008 at 00:12, David C. Rankin wrote:
Spoke too soon. There is still a multiple password prompt when the https rewrite is invoked. Is there a way I can change the order of the directory definition in httpd.conf to avoid this?

The HTTP re-write is being password protected, that is:

1) User requests http://site.com/whatever/ -> Authentication request #1
2) Rewrite to https://site.com/whatever/
3) Authentication #2 on the "new site"... the browser treats https://site.com & http://site.com as 2 different sites.

So simply set up the non-https directory not to be password protected. Of course do not serve the files there, just the redirect/rewrite.

Thanks, but in this situation, there isn't a way to separate files for access either by http or https; there is only one set of files that must be available to both protocols.

The rewrite only occurs for access by IPs outside the local LAN. I don't want users on the local LAN to have to use https to access the files, but I do want everyone to have to authenticate. I don't want people outside the LAN to access the files without https, to prevent passwords from flying across public space in the clear.

I know that http:// and https:// are two different authentication contexts, but why can't I just do a redirect before the authentication takes place?

If it is internal vs external, why can't you use 2 IP addresses on the system, then set up on the 2nd IP the HTTPS server and an HTTP virtualhost without authentication with only the redirect. I assume you are using some sort of firewall device for your external access, in which case this should work well (just don't forget to change what IP address the firewall forwards to).

Or you can make both the http and https be a redirect without a password; based on the connection being internal or external it will forward to the correct place. It will require you to change the URL the files are at, but with the redirect any old links will still work.
Andrew Joakimsen wrote:
On Mon, Nov 17, 2008 at 01:38, David C. Rankin wrote:
Andrew Joakimsen wrote:
On Sun, Nov 16, 2008 at 00:12, David C. Rankin wrote:
Spoke too soon. There is still a multiple password prompt when the https rewrite is invoked. Is there a way I can change the order of the directory definition in httpd.conf to avoid this?

The HTTP re-write is being password protected, that is:

1) User requests http://site.com/whatever/ -> Authentication request #1
2) Rewrite to https://site.com/whatever/
3) Authentication #2 on the "new site"... the browser treats https://site.com & http://site.com as 2 different sites.

So simply set up the non-https directory not to be password protected. Of course do not serve the files there, just the redirect/rewrite.

Thanks, but in this situation, there isn't a way to separate files for access either by http or https; there is only one set of files that must be available to both protocols.

The rewrite only occurs for access by IPs outside the local LAN. I don't want users on the local LAN to have to use https to access the files, but I do want everyone to have to authenticate. I don't want people outside the LAN to access the files without https, to prevent passwords from flying across public space in the clear.

I know that http:// and https:// are two different authentication contexts, but why can't I just do a redirect before the authentication takes place?

If it is internal vs external, why can't you use 2 IP addresses on the system, then set up on the 2nd IP the HTTPS server and an HTTP virtualhost without authentication with only the redirect. I assume you are using some sort of firewall device for your external access, in which case this should work well (just don't forget to change what IP address the firewall forwards to).

Or you can make both the http and https be a redirect without a password; based on the connection being internal or external it will forward to the correct place. It will require you to change the URL the files are at, but with the redirect any old links will still work.

OK, the light bulb is starting to show a dim glow... What you're saying is that instead of having both internal and external access www.3111skyline.com, split it up so internal addresses go to 192.168.12.14 and external access goes to 66.76.66.63? I guess that's IP-based virtual hosting instead of name-based virtual hosting. (Is the light bulb growing in the right direction -- or were you thinking something else??)

--
David C. Rankin, J.D.,P.E. | Rankin Law Firm, PLLC