Force apache2 digest auth over SSL

This may seem like a strange reason to be configuring an authenticated and encrypted HTTP connection … but it’s tax season! There’s a story behind this naturally but first a quick overview. Recently I’ve had had to exchange sensitive documents with someone. To do this I had to configure my web server to require digest authentication for all URLs below a certain directory. Further, to protect the data in transit I force traffic to these URLs over SSL. Pretty simple but very useful and worth a quick howto.

The Story

The guy that does my taxes is actually a friend’s dad. He’s an great CPA, a great guy and I completely trust him with my financials. The problem is … well he’s my buddy’s dad and he’s probably in mis mid to later 60’s so he’s not super tech savvy. He’s got email down (unlike my parents) but last year we ran into a problem.

I sent him my all of my tax relevant docs in hard copy as we’ve always done. What I didn’t expect was for him to send all of my tax documents back for me to sign in soft copy. This is great right? He meant well but I really wasn’t thrilled that he sent documents that have my SSN over email and in plain text. I tried to explain to him how to get an email certificate so we could encrypt our email exchanges but, well I think we ran into the technological version of generation gap. Needless to say, we fell back on hard copy last year.

After collecting up all of my soft copy forms for this years taxes I couldn’t bear the thought of having to find a printer to convert them into hard copy. That and I just wanted to get them out the door to my CPA same day. So with the available tools (a web server) I came up with a way to get my docs over to my tax guy with a level of security I’m comfortable with. Here’s how:

apache2 digest auth

There’s a million docs on the web describing how to set up the common auth modules for apache2. Frankly though my search turned up some pretty wild .htaccess files. I just wanted something that I could drop into the directory I wanted to protect and it would work. Here’s the digest auth part:

AuthType Digest
AuthName "taxes"
AuthDigestDomain ./
AuthUserFile /etc/apache2/taxes.digest
Require valid-user

This assumes you’ve got the digest_auth module enabled already (this is distro specific much of the time). Here’s a quick breakdown of the configuration directives. For the best reference see the apache mod_auth_digest docs.

  • AuthName directive specifies the name of the authentication realm. Any user that accesses this directory on the server must have credentials defined in this realm. For my tax documents I’ve named the realm taxes.
  • AuthDigestDomain tells the server which URIs will require authentication. In line with my desire to just have a drop in .htaccess file, I’ve used ./ which is the current directory. All subdirectories will require authentication as well.
  • AuthUserFile is the database file that has all of the user credentials … more on this in a minute
  • Require is how we specify additional constraints on which users can access the domain we’ve defined. I’m using valid-user which simply requires that the user specify credentials belonging to a … you guessed it, a valid user in the taxes realm. There’s a lot you can do with Require so you should read the docs for this one.

For any of this to work we need to specify the users names and their passwords. Apache has a tool that does this for us and it’s called htdigest. Check out the manpage for details but for the above example .htaccess file I used the following comand:

sudo htdigest -c /etc/apache2/taxes.digest taxes username

Force SSL

This is a pretty easy task but the method I came up with to solve it requires using Apache’s mod_rewrite which is basically regex black magic in apache config files. This is very much like driving in a tack nail with a 10lb sledge hammer. You can do some serious damage with mod_rewrite if you’re not sure of what you’re doing. For a simple task like this the solution should be simple and if you use mod_rewrite properly the result is actually very simple

DISCLAIMER: before using mod_rewrite you should read the mod_rewrite docs front to back and be comfortable matching strings with regex patterns (play around with grep on the command line).

RewriteCond %{HTTPS} ^off$
RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI}

To protect the directory containing my tax documents I only needed two mod_rewrite directives in my .htaccess:

  • RewriteCond specifies the conditions under which the following rule will be checked. Here I’ve indicated that only URIs that aren’t HTTPS (the HTTPS server variable is set to off)
  • RewriteRule is where all the work is done and I’m using its most simple form. The first string is the regex that is matched against the requested URI. I’ve specified a pure wild card, it will match everything. Since this is an .htaccess file the rule will only be processed for URIs that are under this directory so I want it to match everything. The following string is the replacement text. This ends up being a simple redirect to the same URI that was requested but over SSL (trust me). If you’re skeptical hit the docs.

Conclusion

That’s it, you can get the taxes.htaccess. Nothing really novel here, just a practical use of my web server for exchanging sensitive documents, I thought that was worth a quick post.

Naturally this isn’t a perfect solution but it’s good enough. My tax guy can still screw things up on his end by having maleware on his office computer or he may sell my personal info to the highest bidder but these things are largely out of my control and would be a problem even if I sent him all of my stuff in hard copy. This also doesn’t scale at all but I’ve got only one guy doing my taxes in any one year so that’s a non-issue. Next is figuring out a way to get my completed documents back from him. I’m thinking I’ll have to code up a quick upload script … more to come.

2 thoughts on “Force apache2 digest auth over SSL

  1. I’ll be honest, I’ve been trying to get him to upgrade this situation for a couple years. Though I did always wonder why he started asking me about email certificates last year….

    Like

    1. Well, mystery solved I guess. I figure it’s only worth upgrading something like this if he needs to. If I’m the only client he’s exchanging electronic documents with then it’s really not worth the trouble. The thing to worry about is the possibility of clients who don’t know to ask about these things. There’s a lot of sensitive information bumping around the web over SMTP. Even more sitting mostly unprotected in various mail spools … just ask HBGary 🙂

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s