I'm attempting to protect the ~/public_html/dev directory using HTTP Basic auth, but to make that secure I want to run it over SSL.

The middle section of the .htaccess file below switches to https when the request URI starts with /dev, and it works.

The final section of the file works too, but doesn't work correctly in combination with the https redirect.

I basically want to be able to type http://www.mattpotts.com/dev/some_sub_dir/ and be redirected to https://www.mattpotts.com/dev/some_sub_dir/ and prompted for the HTTP auth credentials.

What currently happens is that if I go to http://www.mattpotts.com/dev/some_sub_dir/ I get prompted for credentials over port 80, and then immediately get prompted again over port 443. So my credentials are being sent twice, once in the clear, and once encrypted. Making the whole https URL rewrite a little pointless.

The reason for doing this is so that I won't be able to accidentally submit my user/pass over http; https will be used to access the /dev directory.

The .htaccess is in the ~/public_html/dev directory.

# Rewrite Rules for mattpotts.com
RewriteEngine On
RewriteBase /

# force /dev over https
RewriteCond %{HTTPS} !on
RewriteCond %{REQUEST_URI} ^/dev
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

# do auth
AuthType Basic
AuthName "dev"
AuthUserFile /home/matt/public_html/dev/.htpasswd
Require valid-user

Protecting content with Basic authentication will never work securely over HTTP.

Once the user has entered their credentials, they are sent unencrypted with every page view to that site - it is not just sent the one time the user gets prompted.

You need to treat requests over HTTP as not-authenticated, and do all the logged-in stuff over HTTPS.

Lots of websites used HTTPS for the login - using forms and cookies, rather than Basic auth - and then go to HTTP afterwards. That means that their 'you are logged in' cookie gets sent unencrypted. Every valuable target has been compromised because of this, and Gmail is now switching to full HTTPS and others will follow.

You don't have the same scaling problems that others have had, which has kept them from the computationally more expensive HTTPS. If your home page supports HTTPS access, use it throughout.

You have to make sure the authentication only happens when the request is over HTTPS. So do this:

SetEnvIf HTTPS on prompt_auth

<IfDefine prompt_auth>
    AuthType Basic
    AuthName "dev"
    AuthUserFile /home/firefli/public_html/dev/.htpasswd
    Require valid-user
</IfDefine>

But I'm not confident that HTTPS is available.

Does it work to put your authentication section inside a <Location> or <LocationMatch> tag, using the protocol as the term?

I ran into the same issue and finally found an ugly solution, but it works. Put the rewrite rule inside a Directory directive in httpd.conf or your conf.d files (i.e., within the "Main" server configuration). Then, put the Auth* and Require lines inside a Directory directive inside the <VirtualHost _default_:443> container in ssl.conf (or wherever your SSL VirtualHost is defined).

For me, this means creating a file /etc/httpd/conf.d/test.conf with:

<Directory "/var/www/html/test">
        #
        # force HTTPS
        #
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>

...and then adding the following inside /etc/httpd/conf.d/ssl.conf just above the </VirtualHost> tag:

<Directory "/var/www/html/test">
        #
        # require authentication
        #
        AuthType Basic
        AuthName "Please Log In"
        AuthUserFile /var/www/auth/passwords
        Require valid-user
</Directory>

Doing this makes Apache apply the RewriteRule to all requests, and the auth requirements only to requests within the 443 VirtualHost.
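The symptom in the question (a credential prompt over port 80 followed by a second prompt over port 443) is easy to miss in a browser, because the browser answers both prompts. The script below is an added example, not code from the question or any of the answers: it makes an unauthenticated GET over plain HTTP and over HTTPS and reports whether the server behaves the way the split configuration above is meant to make it behave, i.e. plaintext requests get a redirect to https:// with the path preserved and no WWW-Authenticate challenge, and only the HTTPS request returns 401 with a Basic challenge. The host and path are assumed command-line arguments; the default host is a placeholder.

```python
"""Check that an HTTP Basic auth challenge is only ever issued over TLS.

Added example for verifying the configuration discussed on this page; it is
not the original poster's or any answerer's code. Host and path are assumed
arguments (defaults below are placeholders).
"""
import http.client
import ssl
import sys
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def classify_http_response(status, headers, expected_host, path):
    """Classify the reply to a plaintext (port 80) request.

    The bad case is a WWW-Authenticate header: that is exactly the first
    prompt the question describes, and a browser would answer it in clear.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "www-authenticate" in hdrs:
        return "FAIL: auth challenge sent over plain HTTP"
    if status in REDIRECT_CODES:
        loc = urlsplit(hdrs.get("location", ""))
        if (loc.scheme == "https" and loc.hostname == expected_host.lower()
                and loc.path == path):
            return "OK: redirected to https with path preserved"
        return "WARN: redirect does not go to https://%s%s" % (expected_host, path)
    return "FAIL: status %d over plain HTTP, no redirect" % status


def classify_https_response(status, headers):
    """Classify the reply to the TLS (port 443) request: a Basic challenge is expected here."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    challenge = hdrs.get("www-authenticate", "")
    if status == 401 and challenge.lower().startswith("basic"):
        return "OK: Basic challenge only over HTTPS"
    if status == 401:
        return "WARN: 401 but not a Basic challenge (%s)" % challenge
    return "FAIL: status %d without auth challenge over HTTPS" % status


def fetch(host, path, use_tls):
    """Send one unauthenticated GET and return (status, headers)."""
    if use_tls:
        conn = http.client.HTTPSConnection(
            host, 443, context=ssl.create_default_context(), timeout=10)
    else:
        conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


def check_auth_over_tls(host, path):
    """Run both probes and return a verdict per scheme."""
    results = {}
    status, headers = fetch(host, path, use_tls=False)
    results["http"] = classify_http_response(status, headers, host, path)
    status, headers = fetch(host, path, use_tls=True)
    results["https"] = classify_https_response(status, headers)
    return results


if __name__ == "__main__":
    # Placeholder defaults; pass your own host and protected path.
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    path = sys.argv[2] if len(sys.argv) > 2 else "/dev/"
    for scheme, verdict in check_auth_over_tls(host, path).items():
        print("%-5s %s" % (scheme, verdict))
```

Run it as `python check_auth.py www.mattpotts.com /dev/some_sub_dir/` after applying either the .htaccess rules from the question or the split httpd.conf/ssl.conf configuration from this answer. With the question's original .htaccess the first line reads `FAIL: auth challenge sent over plain HTTP`; with the auth block confined to the 443 VirtualHost it reads `OK` for both probes. The classification functions are separated from the network code so the decision logic can be exercised on captured status/header pairs without a live server.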