Our intranet use mod_ldap to authenticate users to our internal Active Directory server as follows:
<Location /***/>
AuthType Basic
AuthName "***"
AuthBasicProvider ldap
AuthLDAPUrl "***"
require valid-user
</Location>
We want to allow our users to hit our site over the internet, but unfortunately Basic authentication is done in plain-text, which would expose our AD credentials on the net.
I realize that I could protect the entire site with ssl, but the only thing I'm really concerned about are the credentials themselves.
What is the best way to protect my AD credentials without using https:// for the entire site?
Note: I've tried substituting "Digest" for "Basic", but that doesn't work.
-
Use a rewrite rule to direct all authenticated pages to https:. This will happen before the authentication request happens. Also require ssl for all authenticated pages.
EDIT: You can use rewrite rules to force http: requests to https: requests. This happens for all requests that match the pattern you are matching on. This would normally happen before the page requiring authentication happens. This can be be inside a location or directory definition. The rest of the site will be on http, unless accessed using https. Rewrite conditions are quite flexible as th what is matched, and what it gets rewriten to.
# Force clients from the Internet to use HTTPS RewriteEngine on RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$ RewriteCond %{HTTPS} !=on RewriteRule .* - [F]On the security side you require ssl. Like password authentication this would happen before access to the page. Be sure to use satisfy all on your security rules. Add
SSLRequireSSLto the conditions for the authenticated areas.Further details are covered by the Apache SSL HowTo.
Brent : If I'm understanding you correctly, since the user must authenticate before viewing ANY of the site, this is the equivalent of redirecting the entire site to https:// Correct? Or is there a way to redirect to https:// only if the user hasn't yet authenticated?BillThor : See edits. You can match URLS. Once they have been switch to HTTPS. they will stay there unless redirected back to HTTP. You can reverse the rewrite rules for unsecured areas. (Don't rewrite shared resourse areas like css and graphics.) With basic authentication, the credential are passed on subsequent requests to that URL.Brent : +1 for pointing out that credentials are passed on subsequent requests. I had forgotten about that. This therefore necessitates that the entire site be secured.From BillThor -
You will never be able to use digest authentication with LDAP because digest auth obscures (via MD5) the password so it cannot be compared with the ldap password.
You can solve this problem by using cookies rather than basic auth. See, e.g., pubcookie http://www.pubcookie.org/ or Apache2::AuthCookie http://search.cpan.org/~mschout/Apache-AuthCookie-3.15/lib/Apache2/AuthCookie.pm
Really, though, what is the problem with using SSL everywhere? You're wasting effort to remove security.
From embobo
0 comments:
Post a Comment