[lug] Questions about Apache, .htaccess, and Basic Authorization
nagler at bivio.biz
Sun Dec 19 11:26:02 MST 2010
On Sun, Dec 19, 2010 at 8:37 AM, Ike Arumba wrote:
> 1) the exchange of username and password between server and client was
You should be able to see this in your log files. Do you keep a
separate ssl_log? This is the default in Apache.
> 2) all following exchanges would use https and also be encrypted.
Once a browser goes to SSL, it will stay in SSL unless you generate links like:
<a href="http://foo.com/bla">Click here</a>
The user could edit the URL, but that's the user's issue.
> What I am not sure about is whether the exchange of username and password
> takes place before or after the switch from http to https, or even whether
> it matters?
Alas, I doubt it matters. Even with digest auth, the digest can be
cracked in seconds with modern computers. It's more of a "feel good"
thing that passwords are not sent in the clear.
I would recommend something like this:
RedirectPermanent / https://www.foo.com
and then have a virtual host with your Auth config
You don't have an "auth" anything in the port 80 VirtualHost so that
the server doesn't request auth from the user via a clear-text
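The split described above, written out as a complete pair of virtual hosts. This is an added example, not configuration from the original post or from the poster: the hostname www.foo.com comes from the post, while the DocumentRoot, certificate, key and htpasswd paths are placeholders you would replace with your own. The port 80 host carries no Auth* directives at all, so a plain-text client is only ever answered with a redirect, never with a 401 challenge; the Basic auth block and the separate SSL request log live only in the port 443 host. The Strict-Transport-Security header goes one step beyond the post, covering the "user edits the URL back to http://" case by having the browser upgrade such requests itself (it needs mod_headers loaded).

```apacheconf
# Added example (not from the original post): HTTP vhost that only redirects,
# HTTPS vhost that carries the Basic auth config.
# Assumptions: hostname www.foo.com is from the post; DocumentRoot, certificate,
# key and htpasswd paths below are placeholders.

<VirtualHost *:80>
    ServerName www.foo.com
    # No Auth* directives here. A client on port 80 is never asked for
    # credentials, it is only sent to the TLS site (same directive the
    # post recommends, with a trailing slash so paths map cleanly).
    RedirectPermanent / https://www.foo.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.foo.com
    # placeholder document root
    DocumentRoot /var/www/foo

    SSLEngine on
    # placeholder certificate and key paths
    SSLCertificateFile    /etc/ssl/certs/www.foo.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.foo.com.key

    # Separate SSL log (same format as the stock ssl.conf), so you can
    # confirm the Authorization exchange happened on the encrypted side.
    CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    # Have browsers keep using HTTPS for this host, so a hand-edited
    # http:// URL is upgraded client-side (requires mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"

    # The auth config exists only in the TLS vhost.
    <Directory /var/www/foo>
        AuthType Basic
        AuthName "Restricted"
        # placeholder; create with: htpasswd -c /etc/httpd/.htpasswd user
        AuthUserFile /etc/httpd/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

To check the behaviour after a reload, request http://www.foo.com/ and confirm the response is a 301 to the https:// URL with no WWW-Authenticate header; only the https:// request should produce the 401 challenge, and that request should appear in ssl_request_log rather than the plain access log.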