SSL doesn't protect basic authentication

Pippo
19 May 2008, 12:06
I have a virtual host with SSL and basic authentication activated.
I've noticed that the authentication is required before the digital certificate.

Is it possible to protect the authentication with SSL???

VirtualHost {
Hostname = my-domain
WebsiteRoot = /var/www/my-domain/my-folder
StartFile = admin.php
AccessLogfile = /var/www/my-domain/log/access.log
ErrorLogfile = /var/www/my-domain/log/error.log
ExecuteCGI = yes
FastCGI = PHP5
RequireSSL = yes
PasswordFile = basic:/var/www/my-domain/.passwords
}
Hugo Leisink
19 May 2008, 16:00
Hi Pippo,

if you use both RequireSSL and HTTP authentication for a (virtual) host, then the redirect to HTTPS is done before the authentication. So, the passwords that are being submitted are protected by SSL.

Can you tell me what makes you think that this is not the case?
Pippo
19 May 2008, 16:15
I've tried to connect to my domain from a friend's computer. This was the first time I used that computer to connect to my domain.

The browser was Iceweasel. At the first connection the authentication came before the SSL certificate.

Hugo Leisink
19 May 2008, 17:31
I've checked the code for this, but the SSL check is done before the authentication check. So, if you connect to a virtual host with HTTP authentication and RequireSSL set to 'yes', you should first receive a 301 error with a Location HTTP header to the HTTPS version of the URL, and when you connect again via HTTPS, you should receive the 401.

Is it possible you are mistaken somehow? Because the code is clear about this. SSL check: line 940 of hiawatha.c and auth. check on line 963.
Pippo
20 May 2008, 13:13
You are right.

In one of my virtual hosts I make a 301 redirection to another internal web server with SSL. I've enabled basic authentication but disabled RequireSSL. So, first Hiawatha requires basic authentication (obviously without encryption)... then the SSL certificate exchange is from the other internal web server.

Sorry again!!!
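Added example (not Hiawatha's code, and not from either poster): a small Python model of the request-handling order Hugo describes (RequireSSL check first, PasswordFile check second) together with a simulated browser that follows 301s and answers a 401 with credentials. Run against two constructed configurations, it shows the correct setup never lets the password cross plain HTTP, while Pippo's setup (basic authentication on a host with RequireSSL off that then redirects to an internal HTTPS host) does. The hostnames and the `RedirectTo` key are assumptions used only to model the thread; they are not real Hiawatha options.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Request:
    scheme: str            # "http" or "https"
    host: str
    path: str
    has_credentials: bool  # client attached an Authorization header


@dataclass
class Response:
    status: int
    location: str = ""
    credentials_in_clear: bool = False  # password crossed the wire over plain HTTP


def handle(vhost: dict, req: Request) -> Response:
    """Model of the order the thread describes: SSL check, then authentication."""
    # 1. RequireSSL is checked first: redirect to HTTPS before asking for a password
    if vhost.get("RequireSSL") == "yes" and req.scheme != "https":
        return Response(301, location=f"https://{req.host}{req.path}")
    # 2. PasswordFile is checked second: demand credentials, note how they arrived
    if vhost.get("PasswordFile"):
        if not req.has_credentials:
            return Response(401)
        sent_in_clear = req.scheme == "http"
    else:
        sent_in_clear = False
    # 3. Hypothetical "RedirectTo" (not a Hiawatha option): models a start page
    #    that sends the browser on to another internal HTTPS server
    if vhost.get("RedirectTo"):
        return Response(301, location=vhost["RedirectTo"], credentials_in_clear=sent_in_clear)
    return Response(200, credentials_in_clear=sent_in_clear)


def browser_flow(vhosts: dict, start_url: str, max_hops: int = 6) -> list:
    """Replay what a browser does: follow 301s, retry a 401 with credentials.
    Returns one (scheme, host, status, credentials_in_clear) tuple per hop."""
    url = urlsplit(start_url)
    scheme, host, path, creds = url.scheme, url.netloc, url.path or "/", False
    trace = []
    for _ in range(max_hops):
        resp = handle(vhosts[host], Request(scheme, host, path, creds))
        trace.append((scheme, host, resp.status, resp.credentials_in_clear))
        if resp.status == 301:
            url = urlsplit(resp.location)
            scheme, host, path, creds = url.scheme, url.netloc, url.path or "/", False
        elif resp.status == 401:
            creds = True  # user types the password; browser resends the request
        else:
            break
    return trace


def password_leaked(trace: list) -> bool:
    """True if any hop carried the credentials over plain HTTP."""
    return any(clear for _, _, _, clear in trace)


# Constructed configurations; hostnames are placeholders.
CORRECT = {
    "my-domain": {"RequireSSL": "yes",
                  "PasswordFile": "basic:/var/www/my-domain/.passwords"},
}
# Pippo's actual setup: authentication on a host without RequireSSL, whose page
# then redirects to an internal HTTPS host, so the certificate appears only after
# the password has already been sent in the clear.
MISCONFIGURED = {
    "my-domain": {"RequireSSL": "no",
                  "PasswordFile": "basic:/var/www/my-domain/.passwords",
                  "RedirectTo": "https://internal-host/"},
    "internal-host": {"RequireSSL": "yes"},
}

if __name__ == "__main__":
    for name, vhosts in (("correct", CORRECT), ("misconfigured", MISCONFIGURED)):
        trace = browser_flow(vhosts, "http://my-domain/")
        print(name, trace, "password leaked:", password_leaked(trace))
```

The fix for the misconfigured case is the one Pippo arrived at: RequireSSL must be set on the same virtual host that carries the PasswordFile, because the redirect to another HTTPS server happens only after that host's authentication has completed.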
Hugo Leisink
20 May 2008, 15:14
No problem.
This topic has been closed.