Using Apache 2.2, I would like to use mod_rewrite to redirect un-authenticated users to https if they are on http. Is there a directive or condition one can test for whether a user is (not) authenticated?
For example, I could have set up the restricted /foo location on my server:
<Location "/foo/">
Order deny,allow
# Deny everyone, until authenticated...
Deny from all
# Authentication mechanism
AuthType Basic
AuthName "Members only"
# AuthBasicProvider ...
# ... Other authentication stuff here.
# Users must be valid.
Require valid-user
# Logged-in users authorised to view child URLs:
Satisfy any
# If not SSL, respond with HTTP-redirect
# (mod_rewrite variables are written %{...}, and the engine must be switched on in this scope)
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule /foo/?(.*)$ https://%{SERVER_NAME}/foo/$1 [R=301,L]
# SSL enforcement.
SSLOptions FakeBasicAuth StrictRequire
SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Location>
The problem here is that every file, in every subfolder, will be encrypted. This is quite unnecessary, but I see no reason to disallow it. What I would like is the RewriteRule to only be triggered during authentication. If a user is already authorised to view a folder, then I don't want the RewriteRule to be triggered. Is this possible?
EDIT:
I am not using any front-end HTML here. This is only using Apache's built-in directory browsing interface and its in-built authentication mechanisms. My <Directory> config is:
<Directory ~ "/foo/">
Order allow,deny
Allow from all
AllowOverride None
Options +Indexes +FollowSymLinks +Includes +MultiViews
IndexOptions +FancyIndexing
IndexOptions +XHTML
IndexOptions NameWidth=*
IndexOptions +TrackModified
IndexOptions +SuppressHTMLPreamble
IndexOptions +FoldersFirst
IndexOptions +IgnoreCase
IndexOptions Type=text/html
</Directory>
You seem to be confused about how Basic Authentication works. Basic Authentication requires a password lookup for every request, e.g. loading an HTML page with 100 images requires handling at least 100 authentication requests. Specifically, if SSL/TLS is not used, then the credentials are passed as plaintext and could be intercepted. Enabling https only for a login page makes sense when you use cookie-based authentication (e.g. http://finesec.com/sitedefensor.html).
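An added illustration of the answer's point (example code, not from the question or the answer; the requests, host name and credential in it are constructed): it walks a short request sequence in the shape the question aims for, a listing fetched over https and its images over plain http, and reports which requests repeat the Basic credential and which of those travelled unencrypted.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample traffic (not captured from a real server): the split the question
# is after, with the listing fetched over https and its images over plain http.
def _req(path: str, creds: Optional[bytes]) -> str:
    auth = f"Authorization: Basic {base64.b64encode(creds).decode()}\r\n" if creds else ""
    return f"GET {path} HTTP/1.1\r\nHost: example.test\r\n{auth}\r\n"

SAMPLE_REQUESTS: List[Tuple[str, str]] = [   # (transport scheme, raw request)
    ("http", _req("/", None)),                      # public page, no credential
    ("https", _req("/foo/", b"alice:s3cret")),      # protected listing, encrypted
    ("http", _req("/foo/a.png", b"alice:s3cret")),  # image embedded in that listing
    ("http", _req("/foo/b.png", b"alice:s3cret")),  # another image, same credential
]

def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return the request-target and a lower-cased header map of one raw request."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    target = head[0].split(" ")[1]
    headers: Dict[str, str] = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return target, headers

def basic_credentials(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Decode a Basic credential to (user, password); None if absent or malformed."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def audit(requests: List[Tuple[str, str]]) -> Dict[str, object]:
    """Count requests that carry the credential and list those that did so unencrypted."""
    with_creds, exposures = 0, []
    for scheme, raw in requests:
        target, headers = parse_request(raw)
        creds = basic_credentials(headers)
        if creds is None:
            continue
        with_creds += 1
        if scheme != "https":  # credential readable by anyone on the network path
            exposures.append((target, creds[0]))
    return {"total": len(requests), "with_credentials": with_creds, "plaintext_exposures": exposures}
```

Every request for a protected resource repeats the credential, so a https-only login step protects it exactly once and the http image fetches leak it anyway.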