Apache directive for authenticated users


Using Apache 2.2, I would like to use mod_rewrite to redirect unauthenticated users to use https, if they are on http. Is there a directive or condition one can test for whether a user is (not) authenticated?

For example, I could have set up the restricted /foo location on my server:

<Location "/foo/">
    Order deny,allow
    # Deny everyone, until authenticated...
    Deny from all

    # Authentication mechanism
    AuthType Basic
    AuthName "Members only"
    # AuthBasicProvider ...
    # ... Other authentication stuff here.

    # Users must be valid.
    Require valid-user
    # Logged-in users authorised to view child URLs:
    Satisfy any

    # If not SSL, respond with HTTP-redirect.
    # mod_rewrite variables are written %{VAR}, not ${VAR}, and the
    # pattern below has only one capture group, so the backreference is $1.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/foo/?(.*)$ https://%{SERVER_NAME}/foo/$1 [R=301,L]

    # SSL enforcement.
    SSLOptions FakeBasicAuth StrictRequire
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Location>

The problem here is that every file, in every subfolder, will be encrypted. This is quite unnecessary, but I see no reason to disallow it. What I would like is the RewriteRule to only be triggered during authentication. If a user is already authorised to view a folder, then I don't want the RewriteRule to be triggered. Is this possible?


I am not using any front-end HTML here. This is only using Apache's built-in directory browsing interface and its in-built authentication mechanisms. My <Directory> config is:

<Directory ~ "/foo/">
    Order allow,deny
    Allow from all
    AllowOverride None
    Options +Indexes +FollowSymLinks +Includes +MultiViews
    IndexOptions +FancyIndexing
    IndexOptions +XHTML
    IndexOptions NameWidth=*
    IndexOptions +TrackModified
    IndexOptions +SuppressHTMLPreamble
    IndexOptions +FoldersFirst
    IndexOptions +IgnoreCase
    IndexOptions Type=text/html
</Directory>

Best Answer

You seem to be confused about how Basic Authentication works. Basic Authentication requires a password lookup for every request, e.g. loading an HTML page with 100 images requires handling of at least 100 authentication requests. Specifically, if SSL/TLS is not used, then the credentials are passed as plaintext and could be intercepted. Enabling https only for a login page makes sense when you use cookie-based authentication (e.g. http://finesec.com/sitedefensor.html)
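The configuration below is an added example, not part of the question or the answer: it takes the asker's /foo/ setup and applies the answer's recommendation, forcing every request under /foo/ onto HTTPS before the browser is ever challenged for Basic credentials. The reason the redirect sits in the plain-HTTP virtual host rather than inside the <Location> block is that mod_rewrite rules in server or virtual-host context run in the URL translation phase, before authentication, whereas rules in <Location>, <Directory> or .htaccess context run later, in the fixup phase, after mod_auth has already sent its 401 challenge and the browser has already replied with credentials in the clear. The host name www.example.com, the certificate and htpasswd paths, and the use of mod_authn_file are assumptions for the example; it also assumes mod_rewrite, mod_ssl and mod_auth_basic are loaded.

```apache
# Added example (not the asker's or the answerer's config).
# Assumed placeholders: www.example.com, the certificate paths and
# /etc/apache2/foo.htpasswd.

# Plain-HTTP vhost: no authentication is configured here at all, so a
# browser hitting http://www.example.com/foo/ is redirected and never
# receives a 401 challenge, hence never sends an Authorization header
# over plain HTTP.
<VirtualHost *:80>
    ServerName www.example.com

    RewriteEngine On
    # Server-context rewrite: runs in the URL translation phase, before
    # any access control or authentication. %{REQUEST_URI} preserves the
    # full path and avoids per-directory prefix stripping.
    RewriteRule ^/foo/ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# HTTPS vhost: this is the only place Basic auth is configured, so the
# credentials travel inside TLS on every request, including the one
# carrying the cached credentials for each image and sub-folder listing.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    <Location "/foo/">
        # Belt and braces: refuse the request outright if it somehow
        # arrives without TLS (SSLRequireSSL runs in the access-control
        # phase, which is still before the authentication challenge).
        SSLRequireSSL
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

        # Basic auth over TLS only. No Order/Deny/Satisfy dance is needed:
        # with the default "Satisfy all" and no host restrictions, a valid
        # user is simply required for every request under /foo/.
        AuthType Basic
        AuthName "Members only"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/foo.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

To check the result after `apachectl configtest` and a reload: `curl -I http://www.example.com/foo/` should return a 301 with a `Location: https://...` header and no `WWW-Authenticate` header, while `curl -I https://www.example.com/foo/` should return 401 with `WWW-Authenticate: Basic realm="Members only"`. If the first request ever returns 401 instead of 301, the challenge is being issued before the redirect and credentials can leak.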