[lug] Questions about Apache, .htaccess, and Basic Authorization

Rob Nagler nagler at bivio.biz
Sun Dec 19 11:26:02 MST 2010

On Sun, Dec 19, 2010 at 8:37 AM, Ike Arumba wrote:
> 1) the exchange of username and password between server and client was
> encrypted

You should be able to see this in your log files.  Do you keep a
separate ssl_log? This is the default in apache.

> 2) all following exchanges would use https and also be encrypted.

Once a browser goes to SSL, it will stay in SSL unless you generate links like:

<a href="http://foo.com/bla">Click here</a>

The user could edit the URL, but that's the user's issue.

> What I am not sure about is whether the exchange of username and password
> takes place before or after the switch from http to https, or even whether
> it matters?

Alas, I doubt it matters.  Even with digest auth, the digest can be
cracked in seconds with modern computers.  It's more of a "feel good"
thing that passwords are not sent in the clear.

I would recommend something like this:

<VirtualHost *>
    ServerName foo.com
    RedirectPermanent / https://www.foo.com

and then have an virtual host with your Auth config

<VirtualHost foo.com:443>
    <Location />
        SSLOptions +StrictRequire
        AuthType Basic

You don't have an "auth" anything in the port 80 VirtualHost so that
the server doesn't request auth from the user via a clear-text


More information about the LUG mailing list