如何将基本身份验证和 https 结合起来?
我设置了一个私人网站,只有少数人可以通过互联网访问该网站。我想设置基本身份验证和 https 的组合。
到目前为止,如果我直接输入 https://blah.com/location1,一切正常。但是我需要是将apache重定向http://blah.com/location1到https://blah.com/location1并且然后进行基本身份验证,即我不希望在重定向之前完成基本身份验证。目前,这就是我的 apache 配置。
WSGIScriptAlias /site /path/to/site/apache/site.wsgi
<Directory /path/to/site/apache>
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
<Location /site>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
AuthType Basic
AuthName "Site login"
AuthUserFile /path/to/site/.htpasswd
Require valid-user
</Location>
注意:我只需要/site的身份验证。所以我应该能够访问 http://blah.com/site1、http://blah.com/site2 而无需身份验证。
I have setup a private website that needs to be accessible by only a few people via the internet. I'd like to setup a combination of basic authentication and https.
So far I have everything works ok if I directly type in https://blah.com/location1. However what I need is to have apache redirect http://blah.com/location1 to https://blah.com/location1 and THEN do basic authentication i.e I don't want basic authentication to be done before the redirection. At the moment this is what I have on my apache config.
WSGIScriptAlias /site /path/to/site/apache/site.wsgi
<Directory /path/to/site/apache>
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
<Location /site>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
AuthType Basic
AuthName "Site login"
AuthUserFile /path/to/site/.htpasswd
Require valid-user
</Location>
Note: I only need the authentication for /site. So I should be able to access http://blah.com/site1, http://blah.com/site2 without needing authentication.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
将 HTTP 请求“转换”为 HTTPS 请求的重写规则的问题在于,它们不会阻止通过纯 HTTP 发出第一个请求(当您重定向到 HTTPS URL 时)。
您可以做的是将您的站点分成两个虚拟主机:一个用于 HTTP,另一个用于 HTTPS。
在 HTTP 虚拟主机上,如果需要,可以实现重写,但在所有情况下都禁止访问
在 HTTPS 虚拟主机上,使用基本身份验证配置
The problem with the rewrite rules that "convert" HTTP requests into HTTPS requests is that they don't prevent the first request to be made over plain HTTP (as you get a redirect to the HTTPS URL).
What you could do is split your site into two virtual hosts: one for HTTP and one for HTTPS.
On the HTTP virtual host, implement the rewrite if you want, but forbid access to
<Location /location1>in all cases (only do the rewrite).On the HTTPS virtual host, configure
<Location /location1>with basic authentication.我在这里回复Apache 2.2 重定向到 SSL *然后* 进行身份验证(使用解决方案<但这是垃圾吗?),一个使用
SSLRequireSSL的解决方案,以及ErrorDocument 403返回包含 JavaScript 的 html 403 错误页面,该页面会将页面重新加载到 HTTPS ...我发现的最佳解决方案,无需将配置文件一分为二,一个由VirtualHost加载端口 HTTP,另一个端口 HTTPS。I replied here Apache 2.2 redirect to SSL *then* do auth (with solution < but is it crap?), a solution which use
SSLRequireSSL, and aErrorDocument 403returning an html 403 error page containing a JavaScript which will reload the page to HTTPS ... the best solution I found without splitting the configuration file in two, one loaded by theVirtualHoston port HTTP, on the other on port HTTPS.