• 15
name

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191

Backtrace:

File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

I have an Apache web server hosted on one.com. The OpenSSL module is active and working. I can manipulate .htaccess and I see the reactions. I want to rely on SSL, and redirection by rewriting works fine. Also, I need user authentication. It works fine with AuthType Basic. There is just one downside: When a user requests http://sub.example.com/non-existent-file (without SSL, of course with my real domain name), they will see a log-in prompt without SSL. Of course, I want to prohibit sending passwords unencrypted. I read, the simplest solution would be to use the SSLRequireSSL directive, but my Apache doesn’t seem to like it. Let me break down the example to reproduce the error. A completely black .htaccess file lets the server provide content on both http and https. If I add only SSLRequireSSL and nothing else into .htaccess, I get an HTTP 500 internal server error.

.htaccess

SSLRequireSSL

? 500 internal server error

Why is that and how should I use SSLRequireSSL instead?

My complete .htaccess file without SSLRequireSSL:

<IfModule mod_rewrite.c>

    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=307]
    Redirect 307 /index.php /pages/welcome.php

</IfModule>

<IfModule mod_authn_file.c>

    AuthName "Get username and password from admin."
    AuthType Basic
    <if "%{REMOTE_ADDR} -ipmatch '192.168.0.0/24'">
        AuthUserFile /home/user/www/sub.example.com/html/.htpasswd
    </if>
    <else>
        AuthUserFile /customers/1/a/0/example.com/httpd.www/sub/.htpasswd
    </else>
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/24 w3.org googlebot.com
    Satisfy Any

</IfModule>

I could not determine my Apache version. The PHP function apache_get_version() does not exist. php_sapi_name() returns cgi-fcgi. I can access an SSH terminal. There is no command starting with apache… or Apache…. But I suppose Apache is running, because in phpinfo() it tells about a constant $_SERVER['SERVER_SOFTWARE'] set to Apache and $_ENV['SERVER_SOFTWARE'] also set to Apache.

    • Executable may be called httpd. or find out which process is listening on port 80 (lsof -Pn). Apache config decides what you can do in htaccess. TLS has already been decoded since Apache knows which file to serve. I somewhat doubt htaccess is the right place to start authentication.
      • 1
    • Thanks @Gerard. apache*, httpd and lsof commands are not accessible. netstat -anp | grep :80 gave tcp6 0 0 :::80 :::* LISTEN -, so there is no binary name given. netstat -anp | grep apache and netstat -anp | grep httpd: no results. netstat -anp | grep tcp gave empty PID/program name/path details. The host runs Ubuntu, I tried to consult the package manager. apt*, rpm and yum are not accessible. You suggested .htaccess might not be the right place for authentication. Why and what alternative do you suggest?
      • 1
    • It would be the Apache configuration, probably /etc/apache2/apache2.conf or files included, ./mods-enabled/*.conf and ./sites-enabled/*.conf. Inside a .htaccess, you can only do what the configuration has permitted.
      • 2
    • Doesn't phpinfo() show you the apache2handler, with ao. Apache Version Apache/2.4.38 (Debian) ?

This is how I managed it using .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

<If "%{HTTPS} == 'on'">
    AuthType Basic
    AuthName "Restricted Files"
    AuthBasicProvider file
    AuthUserFile "/var/www/html/secrets/.passwd"
    Require valid-user
</If>
  • 0
Reply Report

Trending Tags