Apache .htaccess – SSLRequireSSL Produces HTTP 500 Internal Server Error

.htaccessapache-2.4fcgissl

I have an Apache web server hosted on one.com. The OpenSSL module is active and working. I can manipulate .htaccess and I see the reactions. I want to rely on SSL, and redirection by rewriting works fine. Also, I need user authentication. It works fine with AuthType Basic. There is just one downside: When a user requests http://sub.example.com/non-existent-file (without SSL, of course with my real domain name), they will see a log-in prompt without SSL. Of course, I want to prohibit sending passwords unencrypted. I read, the simplest solution would be to use the SSLRequireSSL directive, but my Apache doesn’t seem to like it. Let me break down the example to reproduce the error. A completely black .htaccess file lets the server provide content on both http and https. If I add only SSLRequireSSL and nothing else into .htaccess, I get an HTTP 500 internal server error.

.htaccess

SSLRequireSSL

→ 500 internal server error

Why is that and how should I use SSLRequireSSL instead?

My complete .htaccess file without SSLRequireSSL:

<IfModule mod_rewrite.c>

    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=307]
    Redirect 307 /index.php /pages/welcome.php

</IfModule>

<IfModule mod_authn_file.c>

    AuthName "Get username and password from admin."
    AuthType Basic
    <if "%{REMOTE_ADDR} -ipmatch '192.168.0.0/24'">
        AuthUserFile /home/user/www/sub.example.com/html/.htpasswd
    </if>
    <else>
        AuthUserFile /customers/1/a/0/example.com/httpd.www/sub/.htpasswd
    </else>
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/24 w3.org googlebot.com
    Satisfy Any

</IfModule>

I could not determine my Apache version. The PHP function apache_get_version() does not exist. php_sapi_name() returns cgi-fcgi. I can access an SSH terminal. There is no command starting with apache… or Apache…. But I suppose Apache is running, because in phpinfo() it tells about a constant $_SERVER['SERVER_SOFTWARE'] set to Apache and $_ENV['SERVER_SOFTWARE'] also set to Apache.

Best Answer

This is how I managed it using .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

<If "%{HTTPS} == 'on'">
    AuthType Basic
    AuthName "Restricted Files"
    AuthBasicProvider file
    AuthUserFile "/var/www/html/secrets/.passwd"
    Require valid-user
</If>
Related Topic