Autonomy

Reputation: 412

HTTP basic auth over SSL

So, I have an SSL certificate for secure.domain.com. I run a few admin web applications on this domain (git repo etc), authenticated using .htaccess basic auth.

When I communicate with the domain over https and it asks me to authenticate, has it verified the certificate or does it verify after I've authenticated?

Similarly, if I connect over http, is there a simple way to forward the request to https and then authenticate?

Upvotes: 1

Views: 3022

Answers (2)

Jon Lin

Reputation: 143876

When I communicate with the domain over https and it asks me to authenticate, has it verified the certificate or does it verify after I've authenticated?

SSL is a separate layer from the HTTP protocol, BASIC authentication is part of the HTTP protocol. The SSL handshake happens first before any protocol information is sent. Depending on the endpoints doing the handshake and how they go about verifying each other's certificate, it may not do any verification at all. But if it does happen (and probably all widely used browsers do), it happens during the handshake, before any authentication data is sent.

Similarly, if I connect over http, is there a simple way to forward the request to https and then authenticate?

There are several ways to do this. There are a lot of questions on StackOverflow asking how to do this; search for "force https". It's probably going to come down to which config files you have access to. If you have access to your vhost config, then add a Redirect directive in the vhost for the non-SSL config and redirect to https. Otherwise you'll need to do this in an .htaccess file. Something along the lines of this (in your non-SSL site):

Redirect 301 / https://yourdomain.com/

Upvotes: 3

Matt Sieker

Reputation: 9635

The SSL or TLS session that HTTPS uses gets built before any HTTP traffic gets sent. This includes certificate verification. Once the session is built, then HTTP traffic goes over it, starting with the GET/POST/whatever, then the server responds as normal, with the WWW-Authenticate header that triggers the login box.

As for redirecting to HTTPS from HTTP, that depends on what server you're using. Since it's tagged .htaccess, I'm going to assume Apache; for that, something like this in the .htaccess file should do it:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Upvotes: 4
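As an added example (not code from either answer), here is how the two pieces fit together in the Apache virtual-host config that Jon Lin recommends and that Matt Sieker's .htaccess rule approximates: the plain-HTTP vhost does nothing but redirect, and Basic auth is configured only inside the HTTPS vhost. Placement matters for the credentials. In .htaccess context, both `Redirect` (mod_alias) and `RewriteRule` (mod_rewrite) are applied in Apache's per-directory fixup phase, which runs after the authentication phase, so an .htaccess that carries both the auth directives and the redirect will challenge a client that arrives over plain http and receive its base64-encoded `Authorization` header in clear text before the redirect ever fires. A `Redirect` in the port-80 vhost is applied during URI translation, before any auth phase, which avoids that. Hostnames, certificate paths, document root and htpasswd location are placeholders, and `SSLRequireSSL` is added as defence in depth.

```apache
# Added example for Apache 2.4; all paths and hostnames are placeholders.

# Plain-HTTP vhost: serves no content and never issues a 401 challenge.
# A Redirect in vhost context runs at URI translation, before authentication.
<VirtualHost *:80>
    ServerName secure.domain.com
    Redirect permanent / https://secure.domain.com/
</VirtualHost>

# TLS vhost: the handshake (including the client's certificate check) completes
# before the request line, so the WWW-Authenticate challenge and the client's
# Authorization header only ever travel inside the TLS session.
<VirtualHost *:443>
    ServerName secure.domain.com
    SSLEngine on
    # placeholder certificate and key paths
    SSLCertificateFile    /etc/ssl/certs/secure.domain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.domain.com.key

    # Ask browsers to keep using HTTPS for this host (requires mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"

    # placeholder document root holding the admin tools (git repo etc.)
    DocumentRoot /var/www/secure

    <Directory /var/www/secure>
        # Defence in depth: if this directory is ever reached without TLS,
        # mod_ssl refuses with 403 in the access-check phase, which runs before
        # authentication, so no password prompt can appear over plain http.
        SSLRequireSSL

        AuthType Basic
        AuthName "Admin tools"
        # placeholder htpasswd file, created with: htpasswd -c <file> <user>
        AuthUserFile /etc/apache2/admin.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

Comments in Apache config must sit on their own lines; a `#` after a directive on the same line is a syntax error, which is why none of the notes above are trailing. If only an .htaccess file is available, `SSLRequireSSL` can still be placed there (it is an AuthConfig override) and still takes effect before the auth phase, so a plain-http request is refused rather than challenged; the redirect itself, however, has to live at vhost level to run before authentication.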
