Any htaccess rewrite examples should always begin with
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
Fixing double-login problem and making sure authorization usernames/passwords are not sent in cleartext unencrypted.
Additional https/ssl information
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "google.com"
ErrorDocument 403 https://google.com
This code is really, really nice because it fixes multiple issues with almost every other SSL redirect technique in htaccess files. (I discovered this one on my own)
The problem with most techniques is REWRITING the URL.. so if you check the request to see if its being sent on port 443… guess what? in the interim it got sent! Most of the times the double login prompt error happens because users type in http://secureurl.com instead of https://secureurl.com. Most modern browsers automatically request the /favicon.ico file from the resource. In this case the resource is http instead of https like it should be.
Now with some of the other techniques below you can solve this problem, but you will still face a potential ssl security issue. What if a user types in https://secureurl.com:80 There are a lot of these types of weird ways to bypass security so I recommend using the SSLRequireSSL option always.
This will check to make sure that the connection IS using SSL, or it will fail. This works regardless of if your serving SSL on port 443, 80, 81, etc. This is the most secure setting for SSL logins.
This also fixes having to type in the username and password twice by requiring the HTTP_HOST to match the HTTP_HOST that your SSL certificate is set-up for, in the case above, the SSL is for https://google.com not https://www.google.com
If any of the required conditions are not met the server returns a 403 Forbidden Status Code (before mod_rewrite starts) and the ErrorDocument directive catches the 403 to send the visitor a Redirect to https://google.com
Rewrite non-https requests to https without mod_ssl!
Depending upon the HTTPS variable
The HTTPS variable is always present, even if mod_ssl isn’t loaded!
RewriteCond %{HTTPS} !=on
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
Based upon the SERVER_PORT
The SERVER_PORT variable is always present, and generally SSL runs on certain ports like 443.
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
Redirect everything served on port 80 to SSL
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
Redirect particular URLs to a secure version in an SSL SEO method
RewriteRule ^/normal/secure(/.*) https://%{HTTP_HOST}$1 [R=301,L]
Check to see whether the HTTPS environment variable is set
RewriteCond %{HTTPS} !=on
RewriteRule ^(/secure/.*) https://%{HTTP_HOST}$1 [R=301,L]
Use the Redirect directive to cause a URL to be served as HTTPS
Article: Redirect
302 (temp) Redirect
Redirect / https://google.com/
SEO friendly 301 (permanent) redirect
Redirect 301 / https://google.com/
Changing to SSL or NON-SSL using relative URLs
This lets you use hyperlinks of the form
/document.html:SSL -- https://google.com/document.html
/document.html:NOSSL -- http://google.com/document.html
RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [R,L]
RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [R,L]
Custom Log Formats
When mod_ssl is built into Apache or at least loaded (under DSO situation) additional functions exist for the Custom Log Format of mod_log_config. First there is an additional %{varname} extension format function which can be used to expand any variables provided by any module, especially those provided by mod_ssl which can you find in the above table.
For backward compatibility there is additionally a special %{name} cryptography format function provided. Information about this function is provided in the Compatibility chapter.
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"
SSLEngine Directive
- Description : SSL Engine Operation Switch
- Syntax : SSLEngine on|off
- Default : SSLEngine off
- server config, virtual host
This directive toggles the usage of the SSL/TLS Protocol Engine. This is usually used inside a section to enable SSL/TLS for a particular virtual host. By default the SSL/TLS Protocol Engine is disabled for both the main server and all configured virtual hosts.
SSLEngine Example
SSLEngine on
SSLOptions Directive
- Description : Configure various SSL engine run-time options
- Syntax : SSLOptions [+|-]option …
- server config, virtual host, directory, .htaccess
This directive can be used to control various run-time options on a per-directory basis. Normally, if multiple SSLOptions could apply to a directory, then the most specific one is taken completely; the options are not merged. However if all the options on the SSLOptions directive are preceded by a plus (+) or minus (-) symbol, the options are merged. Any options preceded by a + are added to the options currently in force, and any options preceded by a – are removed from the options currently in force.
Available options
- StdEnvVars When this option is enabled, the standard set of SSL related CGI/SSI environment variables are created. This per default is disabled for performance reasons, because the information extraction step is a rather expensive operation. So one usually enables this option for CGI and SSI requests only.
- CompatEnvVars When this option is enabled, additional CGI/SSI environment variables are created for backward compatibility to other Apache SSL solutions. Look in the Compatibility chapter for details on the particular variables generated.
- ExportCertData When this option is enabled, additional CGI/SSI environment variables are created: SSL_SERVER_CERT, SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAINn (with n = 0,1,2,..). These contain the PEM-encoded X.509 Certificates of server and client for the current HTTPS connection and can be used by CGI scripts for deeper Certificate checking. Additionally all other certificates of the client certificate chain are provided, too. This bloats up the environment a little bit which is why you have to use this option to enable it on demand.
- FakeBasicAuth When this option is enabled, the Subject Distinguished Name (DN) of the Client X509 Certificate is translated into a HTTP Basic Authorization username. This means that the standard Apache authentication methods can be used for access control. The user name is just the Subject of the Client’s X509 Certificate (can be determined by running OpenSSL’s openssl x509 command: openssl x509 -noout -subject -in certificate.crt). Note that no password is obtained from the user. Every entry in the user file needs this password:
xxj31ZMTZzkVA, which is the DES-encrypted version of the word password”. Those who live under MD5-based encryption (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5 hash of the same word: $1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/.
- StrictRequire This forces forbidden access when SSLRequireSSL or SSLRequire successfully decided that access should be forbidden. Usually the default is that in the case where a
Satisfy any directive is used, and other access restrictions are passed, denial of access due to SSLRequireSSL or SSLRequire is overridden (because that’s how the Apache Satisfy mechanism should work.) But for strict access restriction you can use SSLRequireSSL and/or SSLRequire in combination with an SSLOptions +StrictRequire. Then an additional Satisfy Any has no chance once mod_ssl has decided to deny access.
- OptRenegotiate This enables optimized SSL connection renegotiation handling when SSL directives are used in per-directory context. By default a strict scheme is enabled where every per-directory reconfiguration of SSL parameters causes a full SSL renegotiation handshake. When this option is used mod_ssl tries to avoid unnecessary handshakes by doing more granular (but still safe) parameter checks. Nevertheless these granular checks sometimes maybe not what the user expects, so enable this on a per-directory basis only, please.
SSLOptions Example
SSLOptions +FakeBasicAuth -StrictRequire +StdEnvVars +CompatEnvVars -ExportCertData
SSLRequire Directive
- Description : Allow access only when an arbitrarily complex boolean expression is true
- Syntax : SSLRequire expression
- directory, .htaccess
This directive specifies a general access requirement which has to be fulfilled in order to allow access. It’s a very powerful directive because the requirement specification is an arbitrarily complex boolean expression containing any number of access checks.
This function takes one string argument and expands to the contents of the file. This is especially useful for matching this contents against a regular expression, etc. Notice that expression is first parsed into an internal machine representation and then evaluated in a second step. Actually, in Global and Per-Server Class context expression is parsed at startup time and at runtime only the machine representation is executed. For Per-Directory context this is different: here expression has to be parsed and immediately executed for every request.
SSLRequire htaccess example
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/
and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd."
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5
and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 )
or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/
SSLRequireSSL Directive
- Description : Deny access when SSL is not used for the HTTP request
- Syntax : SSLRequireSSL
- directory, .htaccess
This directive forbids access unless HTTP over SSL (i.e. HTTPS) is enabled for the current connection. This is very handy inside the SSL-enabled virtual host or directories for defending against configuration errors that expose stuff that should be protected. When this directive is present all requests are denied which are not using SSL. Example SSLRequireSSL
SSLUserName Directive
- Description : Variable name to determine user name
- Syntax : SSLUserName varname
- server config, directory, .htaccess
This directive sets the “user” field in the Apache request object. This is used by lower modules to identify the user with a character string. In particular, this may cause the environment variable REMOTE_USER to be set. The varname can be any of the SSL environment variables.
SSLUserName usage example
SSLUserName SSL_CLIENT_S_DN_CN
SSLVerifyClient Directive
- Description : Type of Client Certificate verification
- Syntax : SSLVerifyClient level
- Default : SSLVerifyClient none
- server config, virtual host, directory, .htaccess
This directive sets the Certificate verification level for the Client Authentication. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent.
The following levels are available for level:
- none : no client Certificate is required at all
- optional : the client may present a valid Certificate
- require : the client has to present a valid Certificate
- optional_no_ca : the client may present a valid Certificate but it need not to be (successfully) verifiable.
In practice only levels none and require are really interesting, because level optional doesn’t work with all browsers and level optional_no_ca is actually against the idea of authentication (but can be used to establish SSL test pages, etc.)
SSLVerifyClient example
SSLVerifyClient require
SSLVerifyDepth Directive
- Description : Maximum depth of CA Certificates in Client Certificate verification
- Syntax : SSLVerifyDepth number
- Default : SSLVerifyDepth 1
- server config, virtual host, directory, .htaccess
This directive sets how deeply mod_ssl should verify before deciding that the clients don’t have a valid certificate. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotation with the reconfigured client verification depth after the HTTP request was read but before the HTTP response is sent. The depth actually is the maximum number of intermediate certificate issuers, i.e. the number of CA certificates which are max allowed to be followed while verifying the client certificate. A depth of 0 means that self-signed client certificates are accepted only, the default depth of 1 means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA’s certificate is under SSLCACertificatePath), etc.
SSLVerifyDepth example
SSLVerifyDepth 10
SSLCipherSuite Directive
- Description: Cipher Suite available for negotiation in SSL handshake
- Syntax : SSLCipherSuite cipher-spec
- Default : SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
- server config, virtual host, directory, .htaccess
- Override: AuthConfig
- Status: Extension
This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP response is sent.
Algorithms
An SSL cipher specification in cipher-spec is composed of 4 major attributes plus a few extra minor ones
- Key Exchange Algorithm: RSA or Diffie-Hellman variants.
- Authentication Algorithm: RSA, Diffie-Hellman, DSS or none.
- Cipher/Encryption Algorithm: DES, Triple-DES, RC4, RC2, IDEA or none.
- MAC Digest Algorithm: MD5, SHA or SHA1.
An SSL cipher can also be an export cipher and is either a SSLv2 or SSLv3/TLSv1 cipher (here TLSv1 is equivalent to SSLv3). To specify which ciphers to use, one can either specify all the Ciphers, one at a time, or use aliases to specify the preference and order for the ciphers.
Key Exchange Algorithm
- kRSA: RSA key exchange
- kDHr: Diffie-Hellman key exchange with RSA key
- kDHd: Diffie-Hellman key exchange with DSA key
- kEDH: Ephemeral (temp.key) Diffie-Hellman key exchange (no cert)
Authentication Algorithm
- aNULL: No authentication
- aRSA: RSA authentication
- aDSS: DSS authentication
- aDH: Diffie-Hellman authentication
Cipher Encoding Algorithm
- eNULL: No encoding
- DES: DES encoding
- 3DES: Triple-DES encoding
- RC4: RC4 encoding
- RC2: RC2 encoding
- IDEA: IDEA encoding
MAC Digest Algorithm
- MD5: MD5 hash function
- SHA1: SHA1 hash function
- SHA: SHA hash function
Aliases
- SSLv2: all SSL version 2.0 ciphers
- SSLv3: all SSL version 3.0 ciphers
- TLSv1: all TLS version 1.0 ciphers
- EXP: all export ciphers
- EXPORT40: all 40-bit export ciphers only
- EXPORT56: all 56-bit export ciphers only
- LOW: all low strength ciphers (no export, single DES)
- MEDIUM: all ciphers with 128 bit encryption
- HIGH: all ciphers using Triple-DES
- RSA: all ciphers using RSA key exchange
- DH: all ciphers using Diffie-Hellman key exchange
- EDH: all ciphers using Ephemeral Diffie-Hellman key exchange
- ADH: all ciphers using Anonymous Diffie-Hellman key exchange
- DSS: all ciphers using DSS authentication
- NULL: all ciphers using no encryption
Now where this becomes interesting is that these can be put together to specify the order and ciphers you wish to use. To speed this up there are also aliases (SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM, HIGH) for certain groups of ciphers. These tags can be joined together with prefixes to form the cipher-spec.
Available prefixes are
- none: add cipher to list
- +: add ciphers to list and pull them to current location in list
- -: remove cipher from list (can be added later again)
- !: kill cipher from list completely (can not be added later again)
A simpler way to look at all of this is to use the openssl ciphers -v command which provides a nice way to successively create the correct cipher-spec string. The default cipher-spec string is ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP which means the following: first, remove from consideration any ciphers that do not authenticate, i.e. for SSL only the Anonymous Diffie-Hellman ciphers.
Next, use ciphers using RC4 and RSA. Next include the high, medium and then the low security ciphers.
Finally pull all SSLv2 and export ciphers to the end of the list.
$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLCipherSuite Example
SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
mod_ssl Directives External Information
- SSLPassPhraseDialog
- SSLMutex
- SSLRandomSeed
- SSLSessionCache
- SSLSessionCacheTimeout
- SSLEngine
- SSLProtocol
- SSLCipherSuite
- SSLCertificateFile
- SSLCertificateKeyFile
- SSLCertificateChainFile
- SSLCACertificatePath
- SSLCACertificateFile
- SSLCARevocationPath
- SSLCARevocationFile
- SSLVerifyClient
- SSLVerifyDepth
- SSLLog
- SSLLogLevel
- SSLOptions
- SSLRequireSSL
- SSLRequire
- Additional Features
- Environment Variables
- Custom Log Formats
Variables
SSL Related Variables
- HTTPS HTTPS is being used.
- SSL_PROTOCOL The SSL protocol version (SSLv2, SSLv3, TLSv1)
- SSL_SESSION_ID The hex-encoded SSL session id
- SSL_CIPHER The cipher specification name
- SSL_CIPHER_EXPORT true if cipher is an export cipher
- SSL_CIPHER_USEKEYSIZE Number of cipher bits (actually used)
- SSL_CIPHER_ALGKEYSIZE Number of cipher bits (possible)
- SSL_VERSION_INTERFACE The mod_ssl program version
- SSL_VERSION_LIBRARY The OpenSSL program version
- SSL_CLIENT_M_VERSION The version of the client certificate
- SSL_CLIENT_M_SERIAL The serial of the client certificate
- SSL_CLIENT_S_DN Subject DN in client’s certificate
- SSL_CLIENT_S_DN_x509 Component of client’s Subject DN
- SSL_CLIENT_I_DN Issuer DN of client’s certificate
- SSL_CLIENT_I_DN_x509 Component of client’s Issuer DN
- SSL_CLIENT_V_START Validity of client’s certificate (start time)
- SSL_CLIENT_V_END Validity of client’s certificate (end time)
- SSL_CLIENT_A_SIG Algorithm used for the signature of client’s certificate
- SSL_CLIENT_A_KEY Algorithm used for the public key of client’s certificate
- SSL_CLIENT_CERT PEM-encoded client certificate
- SSL_CLIENT_CERT_CHAINn PEM-encoded certificates in client certificate chain
- SSL_CLIENT_VERIFY NONE, SUCCESS, GENEROUS or FAILED:reason
- SSL_SERVER_M_VERSION The version of the server certificate
- SSL_SERVER_M_SERIAL The serial of the server certificate
- SSL_SERVER_S_DN Subject DN in server’s certificate
- SSL_SERVER_S_DN_x509 Component of server’s Subject DN
- SSL_SERVER_I_DN Issuer DN of server’s certificate
- SSL_SERVER_I_DN_x509 Component of server’s Issuer DN
- SSL_SERVER_V_START Validity of server’s certificate (start time)
- SSL_SERVER_V_END Validity of server’s certificate (end time)
- SSL_SERVER_A_SIG Algorithm used for the signature of server’s certificate
- SSL_SERVER_A_KEY Algorithm used for the public key of server’s certificate
- SSL_SERVER_CERT PEM-encoded server certificate
Standard CGI/1.0 and Apache variables:
HTTP_USER_AGENT PATH_INFO AUTH_TYPE
HTTP_REFERER QUERY_STRING SERVER_SOFTWARE
HTTP_COOKIE REMOTE_HOST API_VERSION
HTTP_FORWARDED REMOTE_IDENT TIME_YEAR
HTTP_HOST IS_SUBREQ TIME_MON
HTTP_PROXY_CONNECTION DOCUMENT_ROOT TIME_DAY
HTTP_ACCEPT SERVER_ADMIN TIME_HOUR
HTTP:headername SERVER_NAME TIME_MIN
THE_REQUEST SERVER_PORT TIME_SEC
REQUEST_METHOD SERVER_PROTOCOL TIME_WDAY
REQUEST_SCHEME REMOTE_ADDR TIME
REQUEST_URI REMOTE_USER ENV:variablename REQUEST_FILENAME
SSL-related variables:
HTTPS SSL_CLIENT_M_VERSION SSL_SERVER_M_VERSION
SSL_CLIENT_M_SERIAL SSL_SERVER_M_SERIAL
SSL_PROTOCOL SSL_CLIENT_V_START SSL_SERVER_V_START
SSL_SESSION_ID SSL_CLIENT_V_END SSL_SERVER_V_END
SSL_CIPHER SSL_CLIENT_S_DN SSL_SERVER_S_DN
SSL_CIPHER_EXPORT SSL_CLIENT_S_DN_C SSL_SERVER_S_DN_C
SSL_CIPHER_ALGKEYSIZE SSL_CLIENT_S_DN_ST SSL_SERVER_S_DN_ST
SSL_CIPHER_USEKEYSIZE SSL_CLIENT_S_DN_L SSL_SERVER_S_DN_L
SSL_VERSION_LIBRARY SSL_CLIENT_S_DN_O SSL_SERVER_S_DN_O
SSL_VERSION_INTERFACE SSL_CLIENT_S_DN_OU SSL_SERVER_S_DN_OU
SSL_CLIENT_S_DN_CN SSL_SERVER_S_DN_CN
SSL_CLIENT_S_DN_T SSL_SERVER_S_DN_T
SSL_CLIENT_S_DN_I SSL_SERVER_S_DN_I
SSL_CLIENT_S_DN_G SSL_SERVER_S_DN_G
SSL_CLIENT_S_DN_S SSL_SERVER_S_DN_S
SSL_CLIENT_S_DN_D SSL_SERVER_S_DN_D
SSL_CLIENT_S_DN_UID SSL_SERVER_S_DN_UID
SSL_CLIENT_S_DN_Email SSL_SERVER_S_DN_Email
SSL_CLIENT_I_DN SSL_SERVER_I_DN
SSL_CLIENT_I_DN_C SSL_SERVER_I_DN_C
SSL_CLIENT_I_DN_ST SSL_SERVER_I_DN_ST
SSL_CLIENT_I_DN_L SSL_SERVER_I_DN_L
SSL_CLIENT_I_DN_O SSL_SERVER_I_DN_O
SSL_CLIENT_I_DN_OU SSL_SERVER_I_DN_OU
SSL_CLIENT_I_DN_CN SSL_SERVER_I_DN_CN
SSL_CLIENT_I_DN_T SSL_SERVER_I_DN_T
SSL_CLIENT_I_DN_I SSL_SERVER_I_DN_I
SSL_CLIENT_I_DN_G SSL_SERVER_I_DN_G
SSL_CLIENT_I_DN_S SSL_SERVER_I_DN_S
SSL_CLIENT_I_DN_D SSL_SERVER_I_DN_D
SSL_CLIENT_I_DN_UID SSL_SERVER_I_DN_UID
SSL_CLIENT_I_DN_Email SSL_SERVER_I_DN_Email
SSL_CLIENT_A_SIG SSL_SERVER_A_SIG
SSL_CLIENT_A_KEY SSL_SERVER_A_KEY
SSL_CLIENT_CERT SSL_SERVER_CERT
http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html
SSL_CLIENT_CERT_CHAINn SSL_CLIENT_VERIFY
