Archive

Posts Tagged ‘secure’

Redirect HTTPS To HTTP

April 9th, 2009

To redirect from HTTPS to HTTP on the home page only, use the following rule.

RewriteCond %{HTTPS} on
RewriteRule ^/?$ http://%{SERVER_NAME}/ [R=301,L]

The %{HTTPS} variable is set to either "on" or "off", and it is defined even if SSL is not installed on your site. The rule above sees that HTTPS is on and redirects the home page to the HTTP version. You can even chain lots of rules together like this.

RewriteCond %{HTTPS} on
RewriteRule ^/?$ http://%{SERVER_NAME}/ [R=301,L]
# A RewriteCond only guards the RewriteRule directly after it, so repeat it for each rule
RewriteCond %{HTTPS} on
RewriteRule ^inner/directory/?$ http://%{SERVER_NAME}/inner/directory/ [R=301,L]

Note that you should end your last rule with L so that no further rules are run. Also, make absolutely sure that you are not redirecting any pages that are integral to the security of your shopping cart, as this will turn off HTTPS for those pages.

You can also do the same thing using the %{SERVER_PORT} variable.

RewriteCond %{SERVER_PORT} 443
RewriteRule ^/?$ http://%{SERVER_NAME}/ [R=301,L]

The port for HTTPS is 443, so if the request arrived on port 443 we need to redirect.

Generate Password Function In PHP

November 17th, 2008

I have talked about generating random passwords before. Although that function generated some nice passwords, they perhaps aren’t as unique as they ought to be.

This function, taken from Webtoolkit, creates passwords of different lengths with varying levels of complexity.

function generatePassword($length=9, $strength=0) {
  // Base sets; some look-alike characters are left out deliberately (explained below)
  $vowels = 'aeiu';
  $consonants = 'bdghjmnpqrstvxyz';
  // $strength is a bitmask: each bit adds one more character set
  if ( $strength & 1 ) {
    $consonants .= 'BDGHJLMNPQRSTVWXYZ';   // upper case consonants
  }
  if ( $strength & 2 ) {
    $vowels .= 'AEU';                      // upper case vowels
  }
  if ( $strength & 4 ) {
    $consonants .= '23456789';             // digits (0 and 1 omitted)
  }
  if ( $strength & 8 ) {
    $consonants .= '@#$%';                 // symbols
  }

  $password = '';
  // Whether to start with a consonant or a vowel; the two then alternate
  $alt = time() % 2;
  for ($i = 0; $i < $length; $i++) {
    if ($alt == 1) {
      // rand() is not a cryptographically secure generator; PHP 7's random_int() is
      $password .= $consonants[(rand() % strlen($consonants))];
      $alt = 0;
    } else {
      $password .= $vowels[(rand() % strlen($vowels))];
      $alt = 1;
    }
  }
  return $password;
}

The first parameter is the number of characters that the function should return. The second parameter is a number up to 8 which sets the complexity. The least complex password consists of only lower case consonants. The most complex password consists of upper and lower case letters,

You might notice that some of the letters and numbers are missing; this is deliberate. When passwords are generated, many of the characters can look very similar: zero can look like an upper case O, and I can look like the number one or a lower case L. Removing these characters stops people from getting their passwords wrong and having to reapply for them later. Also, many people write down their passwords, even though you shouldn’t, and when written down many characters can also look the same. For example, in a mix of upper and lower case letters it is difficult to see the difference between an upper and lower case W.

You can run the function like this.

echo generatePassword(8,1); // LareSuSy
echo generatePassword(8,2); // hUsuserU
echo generatePassword(8,3); // MEdEgYze
echo generatePassword(8,4); // tanapa3a
echo generatePassword(8,5); // ary2ugeR
echo generatePassword(8,6); // uqUtebyq
echo generatePassword(8,7); // yRysuNEV
echo generatePassword(8,8); // ygyqyha%

This is just the output that I got from these parameters; a different password is generated each time. You should be using level 8 for any system administrator passwords.
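As an added illustration (not from the post or from Webtoolkit), here is a Python model of the same generator: it rebuilds the character sets for each strength flag (the flags combine as a bitmask, so 15 enables all four extensions), works out how many bits of entropy the alternating consonant/vowel scheme yields for a given length, and draws characters with the secrets module, which uses the OS CSPRNG, rather than rand().

```python
import math
import secrets

# Character sets copied from the PHP generator above.
VOWELS_BASE = "aeiu"
CONSONANTS_BASE = "bdghjmnpqrstvxyz"
# $strength is a bitmask: each bit extends one of the two sets, so 0..15 are valid.
EXTENSIONS = {
    1: ("consonants", "BDGHJLMNPQRSTVWXYZ"),
    2: ("vowels", "AEU"),
    4: ("consonants", "23456789"),
    8: ("consonants", "@#$%"),
}

def alphabets(strength):
    """Return (vowels, consonants) exactly as the PHP function builds them."""
    vowels, consonants = VOWELS_BASE, CONSONANTS_BASE
    for bit, (which, chars) in EXTENSIONS.items():
        if strength & bit:
            if which == "vowels":
                vowels += chars
            else:
                consonants += chars
    return vowels, consonants

def entropy_bits(length, strength, start_with_consonant=True):
    """Entropy (bits) of an alternating consonant/vowel password of this length.

    Each position is a uniform draw from one set, so the total is the sum of
    log2(set size) over the positions. The starting choice is not counted: in
    the PHP it comes from time() % 2, which an attacker can guess.
    """
    vowels, consonants = alphabets(strength)
    bits, use_consonant = 0.0, start_with_consonant
    for _ in range(length):
        bits += math.log2(len(consonants if use_consonant else vowels))
        use_consonant = not use_consonant
    return bits

def generate_password(length=9, strength=0):
    """Same alternation scheme, but every draw comes from the OS CSPRNG."""
    vowels, consonants = alphabets(strength)
    use_consonant = secrets.randbelow(2) == 1  # secret start, unlike time() % 2
    out = []
    for _ in range(length):
        out.append(secrets.choice(consonants if use_consonant else vowels))
        use_consonant = not use_consonant
    return "".join(out)
```

For the eight-character level 8 case shown above the scheme gives roughly 25 bits, because every other character is one of only four vowels.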

Setting Up LDAP With Active Directory On Apache

January 21st, 2008

Using a simple .htpasswd to password protect a directory or website is fine if you only have a few users, and they don’t change very much. However, this quickly becomes impossible to maintain if you have lots of users. For example, if you wanted to secure access to the company Intranet you might spend quite some time trying to update your .htpasswd file. The best way to do this is to transfer all of the user administration over to an LDAP server and then get Apache to communicate with this directly. The Active Directory (AD) system that Microsoft uses allows LDAP communications, and as this is in use across many company networks it is an ideal candidate to use.

You first need to set up the LDAP modules on your Apache server. Uncomment or add the following lines in your httpd.conf file. You will also need to make sure that the module files actually exist.

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

Also make sure that these are placed before the following line.
LoadModule auth_basic_module modules/mod_auth_basic.so

Restart Apache to load the modules into the system.

What you need to do now is work out the path to your user information within AD. If you are using Windows XP you can download the Windows Support Tools from the Microsoft website for free. These include a program called ldp.exe, which you can use to explore the object hierarchy leading to your users’ information. So if your company Intranet is called company.local then you might find the right information at company.local->MyBusiness->Users.

The next step is to set up a user so that Apache can bind to AD. Just create a default user with virtually no access; it only needs to be able to read the user information.

Next you need to open your httpd.conf and put in the following lines right after the module declarations.

<Location />
 # LDAP authentication...
 AuthType Basic
 AuthName "Talk In Code Secure"
 AuthBasicProvider ldap
 # Apache 2.2 directive (removed in 2.4): deny if LDAP cannot authorise the user
 AuthzLDAPAuthoritative On
 
 # Service account Apache binds as; it only needs read access to the user objects
 AuthLDAPBindDN CN=localuser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=talkincode,DC=local
 AuthLDAPBindPassword localuserpassword
 
 # Search base, attribute matched against the typed username, scope and filter.
 # Without TLS, ldap:// on 389 sends the bind password and every user's password
 # in the clear; ldaps:// avoids that.
 AuthLDAPURL ldap://server.talkincode.local:389/OU=Users,OU=MyBusiness,DC=talkincode,DC=local?sAMAccountName?sub?(objectClass=*)
 
 Require valid-user
 
</Location>

Restart your server and try to access it; you should be presented with a login screen.

If you can’t access Apache then open up the file error.log and take a look at the last line. It will give you a good idea of what is going wrong.

If the username you entered is correct but your password is wrong then you will see the following lines:
[Tue Dec 18 08:58:00 2007] [warn] [client 10.0.0.1] [1] auth_ldap authenticate: user theusername authentication failed; URI / [ldap_simple_bind_s() to check user credentials failed][Invalid Credentials]
[Tue Dec 18 08:58:00 2007] [error] [client 10.0.0.1] user theusername: authentication failure for "/": Password Mismatch

If your username is incorrect then you will see the following lines:
[Tue Dec 18 09:06:13 2007] [warn] [client 10.0.0.1] [1] auth_ldap authenticate: user a_non_valid_username authentication failed; URI / [User not found][No Such Object]
[Tue Dec 18 09:05:02 2007] [error] [client 10.0.0.1] user a_non_valid_username not found: /

I have found that when you can’t get this module to work it is usually because you can’t access the LDAP server. If you are getting login prompts but can’t get it to understand the correct user information then try having a look at the LDAP server firewall.
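An added example, not part of the original post: a small Python parser for the error.log lines quoted above that pulls out each failed-login verdict, tells a wrong password apart from an unknown user, and flags any client address that reaches a failure threshold. The sample log is the four lines from the post plus two constructed ones.

```python
import re
from collections import Counter

# The four lines quoted in the post, plus two constructed "Password Mismatch"
# lines for the same client so that the threshold below is reached.
SAMPLE_LOG = """\
[Tue Dec 18 08:58:00 2007] [warn] [client 10.0.0.1] [1] auth_ldap authenticate: user theusername authentication failed; URI / [ldap_simple_bind_s() to check user credentials failed][Invalid Credentials]
[Tue Dec 18 08:58:00 2007] [error] [client 10.0.0.1] user theusername: authentication failure for "/": Password Mismatch
[Tue Dec 18 09:06:13 2007] [warn] [client 10.0.0.1] [1] auth_ldap authenticate: user a_non_valid_username authentication failed; URI / [User not found][No Such Object]
[Tue Dec 18 09:05:02 2007] [error] [client 10.0.0.1] user a_non_valid_username not found: /
[Tue Dec 18 09:07:40 2007] [error] [client 10.0.0.1] user theusername: authentication failure for "/": Password Mismatch
[Tue Dec 18 09:07:41 2007] [error] [client 10.0.0.1] user theusername: authentication failure for "/": Password Mismatch
"""

# Only the [error] line carries the verdict; the preceding [warn] line is the
# mod_authnz_ldap detail for the same attempt and would double-count it.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] user (?P<user>\S+?)"
    r"(?P<kind>: authentication failure for \S+: Password Mismatch| not found: \S+)$"
)

def parse_failures(text):
    """Yield (timestamp, client, user, kind) for every failed-login verdict."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            kind = "bad_password" if "Password Mismatch" in m["kind"] else "unknown_user"
            yield m["ts"], m["client"], m["user"], kind

def summarize(text, threshold=3):
    """Count failures per client and per (client, kind); flag clients at or above threshold."""
    per_client, per_kind = Counter(), Counter()
    for _, client, _user, kind in parse_failures(text):
        per_client[client] += 1
        per_kind[(client, kind)] += 1
    flagged = sorted(c for c, n in per_client.items() if n >= threshold)
    return {"per_client": per_client, "per_kind": per_kind, "flagged": flagged}
```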