logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in  RSS Apache Lounge  


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.



Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Cloudflare + Forced SSL + auth on directory
Author
buee



Joined: 25 Nov 2019
Posts: 1

PostPosted: Mon 25 Nov '19 22:23    Post subject: Cloudflare + Forced SSL + auth on directory Reply with quote

I hope I'm asking in the right area.

Here's what I have. Apache 2.4.18 on Ubuntu 16.04 server.

I have my main website in a vhost, call it domain.com. This is proxied through CloudFlare.

I also have a vhost for manage.domain.com which listens on 80 and 443. This is also proxied through CloudFlare and I have a .htaccess file in the root of the directory containing:

Code:
RewriteEngine On
RewriteCond %{HTTP:CF-Visitor} '"scheme":"http"'
RewriteRule ^(.*)$ https://manage.domain.com/$1 [R=301,L]


The goal being that any visitors to this page get forced to HTTPS. Under this vhost, I have a directory "audit". This is gated by basic auth and also (attempting to) forced SSL. This is the current version of my .htaccess file under /audit/:

Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:CF-Visitor} '"scheme":"http"'
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

AuthType Basic
AuthName "Authorized Access Only"
AuthUserFile /etc/apache2/.htpasswd
Require user myuser


The current behavior is that manage.domain.com redirects to HTTPS as desired, but when I go to manage.domain.com/audit/, I'm prompted for auth but in HTTP, not HTTPS. I want forced HTTPS for all things related to manage.domain.com.

I've spent the last ~2 hours Googling and all the answers out there (that reportedly work for other people) result in 1 of 3 results:
  1. Too many redirects
  2. Successful access to manage.domain.com/audit/ without auth - EEK!
  3. Redirected back to my main website, domain.com

The only thing I can think of is that the CloudFlare proxy is involved and conflicting with my .htaccess redirects. So is there a way to do what I want? Simply force redirect to HTTPS and then prompt for auth.
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 100
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Tue 26 Nov '19 6:52    Post subject: Reply with quote

Hello,
I don't have any experience with cloudflare, but I guess, that the module to handle the basic-auth-stuff is triggered before the rewrite-things which results in asking-user-for-password-before-redirect-to-https.
So you might try this approach (which I found here: https://www.agix.com.au/force-to-https-for-basic-authentication-apache-htaccess/) which only asks for credentials over https:
Code:
# Force from HTTP to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Secure this /secured section
#<If "%{HTTPS} == 'on'">
 AuthUserFile /etc/httpd/website1.password
 AuthName "Authorized Access Only"
 AuthUserFile /etc/apache2/.htpasswd
 Require user myuser
#</If>

Another idea can be found at http://blog.jozjan.net/2008/02/htaccess-redirect-to-ssl-https-before.html which uses a custom-error-page to do the redirect and uses SSLRequireSSL to "produce" an 403-error if not accessing using https:
Code:
AuthName 'Enter your Username and Password:'
AuthType Basic
AuthUserFile /var/www/myweb/.htpasswd
Require valid-user
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
      SSLRequireSSL
      ErrorDocument 403 /bin/move.pl
      Require valid-user
</FilesMatch>

and the move.pl file goes here:
Code:
#!/usr/bin/perl -T
use CGI qw(:standard);

$path = "https://$ENV{'SERVER_NAME'}$ENV{'REQUEST_URI'}";
if ( $ENV{'SERVER_PORT'} == 80) {
    print "Status: 302 Moved\n";
    print "Location: $path\n\n";
}
else {
    print "Content-type: text/html\n\n";
    print "How did you get here???";
}
Back to top


Reply to topic   Topic: Cloudflare + Forced SSL + auth on directory View previous topic :: View next topic
Post new topic   Forum Index -> Apache