[Wiltshire] Apache Authentication Help

Andrew Meredith andrew at anvil.org
Fri Feb 22 18:13:37 GMT 2008

Robert Longbottom wrote:
> Brilliant!  Thanks - I had no idea it would be so simple and I couldn't
> think what to google for.  I wish I'd looked into it sooner now!

You might want to think about switching the authenticated areas onto an 
https site and authenticating the whole site. The problem being that 
your username/password pair is sent, unencrypted, with every call to the 
http:// site .. every page, frame and image. If you don't feel the issue 
:) you might like to run tethereal or some such on the interface while 
grabbing a page off the web server with authentication and watch your 
password floating past. Now think Internet Cafe, or overkeen admin on 
the work network.

Depending on your distro, you will find the relevant file in 
/etc/https/config.d/ssl.conf or similar. The same auth stuff you mention 
applies there along with some lines for the certificate. You can self 
sign the cert or sign up with a free CA like cacert.org. Once set up it 
works in exactly the same way as the unencrypted variant, but it is 
considerably more difficult to grab the passwords.

Hope this helps

Andy M


          Andrew Meredith BEng CEng CITP MBCS MIET
                 The Anvil Organisation Ltd.
          andrew at anvil.org      +44 (0) 1249 460560
     Open Source Systems Mentoring for Small Businesses
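
The move suggested in the message above, sketched as an added example that is not part of the original post: the Basic auth block is taken off the plain-HTTP virtual host and placed under an SSL virtual host. The hostname, the /private path, the realm name and all file paths are placeholders (assumptions), not values from the thread.

```apache
# Added example. www.example.org, /private and every file path below are
# placeholders; adjust them to the distro layout and site in question.

# Before (shown commented out): Basic auth on plain HTTP. Each request for
# a page, frame or image under /private carries the header
#   Authorization: Basic <base64 of "user:password">
# which anyone on the network path can read.
#
# <VirtualHost *:80>
#     ServerName www.example.org
#     <Location /private>
#         AuthType Basic
#         AuthName "Private area"
#         AuthUserFile /etc/httpd/conf/htpasswd.private
#         Require valid-user
#     </Location>
# </VirtualHost>

# After: port 80 never issues an auth challenge for the protected area,
# it only redirects to the HTTPS site.
<VirtualHost *:80>
    ServerName www.example.org
    Redirect permanent /private https://www.example.org/private
</VirtualHost>

# The same auth directives as before, now inside the SSL virtual host,
# along with the certificate lines.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.org.key

    <Location /private>
        # Refuse any request for this location that did not arrive over SSL,
        # in case the block is later copied into a non-SSL context.
        SSLRequireSSL
        AuthType Basic
        AuthName "Private area"
        AuthUserFile /etc/httpd/conf/htpasswd.private
        Require valid-user
    </Location>
</VirtualHost>
```

Passwords that were already used against the http:// site are worth changing after the switch, since they were sent in the clear before it.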
