How to force .htaccess authorization to occur over ssl

.htaccessapache-2.2

I'm trying to force a particular directory to require only allowed IPs and a valid username/password through basic authorization. To ensure that the username/password are sent in encrypted form, I want the directory to also force SSL use. Here is what I have in my .htaccess file:

# Force HTTPS-Connection
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*)  https://www.mywebsite.com%{REQUEST_URI} [R,L]

## password begin ##
AuthName     "Restricted Access"
AuthUserFile /var/www/admin/.htpasswd
AuthType     Basic
Require valid-user
Order deny,allow
Deny from all
Allow from 79.1.231.151 62.123.134.83
Satisfy All

Unfortunately, when I access that directory using http protocol, it is asking for the password before it redirects the page to the secure version. This means the password is sent unencrypted. What am I doing wrong? Is there a way to do this?

Best Answer

Try putting SSLRequireSSL in your .htaccess file or the global Apache httpd configuration.

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

I recently struggled with the same problem on my Fedora 10 system. In my case the culprit was some odd redirection that I was doing in Apache. Specifically, I use a content management system (Drupal, to be exact) that within it's .htaccess includes the following redirection logic to redirect missing files to a PHP script:

# Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

It makes sense that the above only affects the PUT method since in that case REQUEST_FILENAME does not exist.

Not having the WebDAV area inside of the Drupal area, which seems like a reasonable constraint, fixes the problem.

Also, I think it is likely that SELinux would result in a different error, but it's not mentioned in the discussion above. Did you try disabling SELinux?

Ssl – Django running on Apache+WSGI and apache SSL proxying

My solution thanks to Graham:



<Location /dirname>
    SSLVerifyClient      none
    SSLOptions           +FakeBasicAuth
    SSLRequireSSL
    AuthName             "name Authentication"
    AuthType             Basic
    AuthUserFile         /etc/httpd/stuff.passwd
    require              valid-user

    RequestHeader set X-Url-Scheme https


</Location>

ProxyPass /dirname http://django.test/dirname
ProxyPassReverse /dirname http://django.test/dirname

On django.test I added this :

 SetEnvIf X-Url-Scheme https HTTPS=1

after

  WSGIScriptAlias /dirname /path_to_wsgi_script/django.wsgi

Best Answer

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

Ssl – Django running on Apache+WSGI and apache SSL proxying

Related Topic