[Wiltshire] Apache Authentication Help
andrew at anvil.org
Fri Feb 22 18:13:37 GMT 2008
Robert Longbottom wrote:
> Brilliant! Thanks - I had no idea it would be so simple and I couldn't
> think what to google for. I wish I'd looked into it sooner now!
You might want to think about switching the authenticated areas onto an
https site and authenticating the whole site. The problem being that
your username/password pair is sent, unencrypted, with every call to the
http:// site .. every page, frame and image. If you don't feel the issue
:) you might like to run tethereal or some such on the interface while
grabbing a page off the web server with authentication and watch your
password floating past. Now think Internet Cafe, or overkeen admin on
the work network.
Depending on your distro, you will find the relevant file in
/etc/https/config.d/ssl.conf or similar. The same auth stuff you mention
applies there along with some lines for the certificate. You can self
sign the cert or sign up with a free CA like cacert.org. Once set up it
works in exactly the same way as the unencrypted variant, but is
considerably more difficult to grab the passwords.
Hope this helps
Andrew Meredith BEng CEng CITP MBCS MIET
The Anvil Organisation Ltd.
andrew at anvil.org +44 (0) 1249 460560
Open Source Systems Mentoring for Small Businesses
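
The point made in the message above, as an added example that is not part of the original post: HTTP Basic authentication only Base64-encodes the username/password pair, and the browser repeats it on every request to the protected area. The requests, host name and credentials below are constructed sample data.

```python
import base64
import binascii

# Constructed sample: three cleartext HTTP requests as they would appear in a
# capture of one page load (page, image, and a request with no credentials).
# "alice" / "s3cret" and www.example.org are made-up values.
_CRED = base64.b64encode(b"alice:s3cret").decode()
SAMPLE_REQUESTS = [
    f"GET /private/index.html HTTP/1.1\r\nHost: www.example.org\r\nAuthorization: Basic {_CRED}\r\n\r\n",
    f"GET /private/logo.png HTTP/1.1\r\nHost: www.example.org\r\nAuthorization: Basic {_CRED}\r\n\r\n",
    "GET /public/index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
]


def basic_credentials(raw_request):
    """Return (path, user, password) if the request carries Basic auth, else None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    path = parts[1] if len(parts) >= 2 else "?"
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None  # e.g. Digest: the header carries no password
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None  # malformed token
        user, sep, password = decoded.partition(":")
        return (path, user, password) if sep else None
    return None


def exposed(requests):
    """List every request in a cleartext capture that discloses credentials."""
    return [hit for hit in map(basic_credentials, requests) if hit]


if __name__ == "__main__":
    for path, user, password in exposed(SAMPLE_REQUESTS):
        print(f"{path}: user={user!r} password recoverable ({len(password)} chars)")
```

Both the page and the image request disclose the same pair, which is why the message recommends moving the whole authenticated area to https rather than protecting a single login page.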