I have read some posts on how to redirect to SSL, several on how to make sure a website is using the www subdomain / canonical name, and some on how to set up Basic Auth. Here's what I have in my .htaccess file at this time:


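# Rule 1: redirect any non-SSL request to https on the same host
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Rule 2: force the www host name
RewriteEngine on
RewriteCond %{HTTP_HOST} !(^www.site.com*)$
RewriteRule (.*) https://www.site.com$1 [R=301,L]

# Basic authentication
AuthName "Locked"
AuthUserFile "/home/.htpasswd"
AuthType Basic
require valid-user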

It works fairly well, but I'd like to optimize it. My questions include:

  1. How do I avoid double authentication? When I access the website without SSL I must authenticate, after which I'm redirected to SSL and have to authenticate again. Can I just be redirected and then authenticated?
  2. It seems like the first rule is fairly awesome because I could apply it to any website without modifying it. Can rule #2 be rewritten to be site-independent, i.e. so that it forces www on any website regardless of what the domain name is (with a better-written rule)? answered here
  3. How would I do the reverse of #3 with a rule that will work on any website to force the site not to use www, i.e. redirect to site.com from www.site.com? answered here

For #1:

Set the Auth directives only on the VirtualHost that is listening on *:443. You should have 2 VirtualHosts, one listening on port 80 and one on port 443. Using AuthType Basic on non-SSL communication is a big problem: the account information is simply base64 encoded, so it is in the clear on every request (even images or CSS) made to your HTTP server!
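
The two-VirtualHost layout this answer describes, written out as an added example (it is not part of the original answer). The host name, realm and AuthUserFile come from the question; the DocumentRoot and certificate paths are placeholder assumptions, and mod_ssl, mod_alias and the Basic auth modules are assumed to be loaded.

```apache
# Port 80: no Auth directives here, so the server never issues a
# Basic auth challenge over plain HTTP. This vhost only redirects.
<VirtualHost *:80>
    ServerName www.site.com
    ServerAlias site.com
    # mod_alias keeps the requested path when redirecting
    Redirect permanent / https://www.site.com/
</VirtualHost>

# Port 443: the TLS session is set up first, then credentials are requested,
# so the base64-encoded Authorization header only travels encrypted.
<VirtualHost *:443>
    ServerName www.site.com
    # Assumed document root (placeholder)
    DocumentRoot "/var/www/site"

    SSLEngine on
    # Placeholder certificate and key paths
    SSLCertificateFile "/path/to/cert.pem"
    SSLCertificateKeyFile "/path/to/key.pem"

    <Directory "/var/www/site">
        AuthType Basic
        AuthName "Locked"
        AuthUserFile "/home/.htpasswd"
        Require valid-user
    </Directory>
</VirtualHost>
```

To check the result, `curl -I http://www.site.com/` should return a 301 with no `WWW-Authenticate` header, and the same request over https should return 401 with `WWW-Authenticate: Basic realm="Locked"`.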