[Solved] Redirect does not work without authentication

Added by Witas over 1 year ago

Hello,

we updated lighttpd from 1.4.58 to 1.4.67. We have two options for authentication. The first option is authentication with Digest, the default authentication option. The second option, which can be enabled, is authentication via client certificate; this option disables the first authentication option. When we enable the second option, we force a redirect from http to https. Before we updated lighttpd, the page was redirected to https and then the client certificate dialog from the browser was shown. With the new version the redirect does not work (we receive the Unauthorized page using the http address immediately) until we log in; after login with credentials, the page is redirected. Was anything changed in the current release? Can we fix this issue to redirect first and then authenticate?

I found on your website that the redirect command changed from version 1.4.50. I tested it, and it still requires authentication first.

    url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")

    var.redirectCondition="(.*)"
    url.redirect-code = 308

    $SERVER["socket"] == ":80" {
        $HTTP["scheme"] == "http" {
            # Either central host name or IP address match
            $HTTP["host"] =~ var.redirectCondition + "$" {
                # %0 - host name
                # $0 - directory, if any (/files etc.)
                url.redirect = (".*" => "https://%0$0")
            }
        }
    }

    $SERVER["socket"] == ":443" {
        auth.extern-authn = "enable"
        #Used for external configuration, see https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
        ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
        ssl.engine  = "enable"
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
        ssl.honor-cipher-order = "enable"
        ssl.pemfile = "our.pem"
        server.document-root = "/pathSomewhere"
        ssl.verifyclient.ca-file = "ca.pem"
        ssl.dh-file = "dhparam-2048.pem"
        ssl.verifyclient.activate = "enable"
        ssl.verifyclient.enforce = "enable"
        magnet.attract-raw-url-to = ( "script.lua" , "script-2.lua")
    }

We change authentication methods and realms in accordance with the authentication settings:

    # First login option
    #var.authMethod="digest"
    #var.realmLogin="Realm"
    # Second login option
    var.authMethod="extern"
    var.realmLogin="certificate"

    $HTTP["url"] !~ exceptPages {
      auth.require = (
        "/" =>
        (
          "method" => var.authMethod,
          "realm"  => var.realmLogin,
          "require" => "user=user"
        )
      )
    }


Replies (3)

RE: Redirect does not work without authentication - Added by gstrauss over 1 year ago

If you want everything to redirect to https, then do not enable auth for http. Then, redirect all http to https, without requiring auth.

    $HTTP["scheme"] == "http" {
        url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
        auth.require = ()
    }

The above would have to be towards the end of your config, or after other conditions which set auth.require. The last matching condition which sets auth.require is the one that takes effect for the request.

An alternative -- (!!!) which may or may not be appropriate for your site (!!!) -- is to list "mod_redirect" before "mod_auth" in server.modules

RE: Redirect does not work without authentication - Added by Witas over 1 year ago

The redirect works now that I've added the condition to the end of the lighttpd config. Thank you. By the way, I have had mod_redirect above mod_auth all the time.


    server.modules = (
      "mod_expire",
      "mod_rewrite",
      "mod_redirect",
      "mod_access",
      "mod_magnet",
      "mod_authn_file",
      "mod_auth",
      "mod_setenv",
      "mod_cgi",
      "mod_accesslog",
      "mod_wstunnel",
      "mod_proxy",
      "mod_openssl"
    )

You described the position of loaded server modules and you also mentioned that it does not have an effect here:
https://redmine.lighttpd.net/boards/2/topics/8372?r=8375#message-8375

RE: Redirect does not work without authentication - Added by gstrauss over 1 year ago

You described the position of loaded server modules and you also mentioned that it does not have an effect here:
https://redmine.lighttpd.net/boards/2/topics/8372?r=8375#message-8375

mod_redirect is different from mod_rewrite

The interaction between modules is something specific to your config, but you did not share a complete config here, so others (including me) cannot see that. The 'else' syntax in lighttpd.conf is useful for isolating specific config scenarios, e.g. $HTTP["scheme"] == "http" { ... } else { ... }

In any case, I am glad that you have a working solution.
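
A check for the outcome this thread arrives at, as an added example that is not part of the thread or of lighttpd: it classifies what the plain-http listener returns to an unauthenticated request, so the 401 reported in the question is told apart from a redirect to https. The function names, the host `device.example` and both sample responses are constructed for illustration.

```python
import http.client

REDIRECT_CODES = {301, 302, 307, 308}

def parse_head(raw):
    """Parse a raw response head (status line plus headers) into (status, headers)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(status, headers):
    """Classify a response seen on the http listener (header names lower-cased)."""
    location = headers.get("location", "")
    if status in REDIRECT_CODES and location.lower().startswith("https://"):
        return "redirect-first"        # redirected before any auth was demanded
    if status == 401:
        return "auth-before-redirect"  # auth.require still applies to http
    return "unexpected"                # e.g. 200 over http, or a redirect to http://

def probe(host, path="/", port=80, timeout=5):
    """Send one unauthenticated HEAD over plain http; redirects are not followed."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return classify(resp.status, {k.lower(): v for k, v in resp.getheaders()})
    finally:
        conn.close()

# Constructed sample responses (not captured from a real server).
BEFORE_FIX = """HTTP/1.1 401 Unauthorized
Content-Length: 0
"""
AFTER_FIX = """HTTP/1.1 308 Permanent Redirect
Location: https://device.example/index.html
Content-Length: 0
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, classify(*parse_head(raw)))
```

Running `probe()` against the server after a config change and alerting on anything other than `redirect-first` catches an `auth.require` condition that has been reordered back above the http block.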
