forcing https redirect results in forbidden?
 

i'm installing a webmail interface and want it to be hosted securely. i visit the page at http://mydomain.com/webmail and it looks great. i visit securely thru HTTPS://mydomain.com/webmail and it still looks great.

HOWEVER, when I create a .htaccess file with this in it, it's FORBIDDEN in both cases:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

what's the deal? i fail to see how the htaccess file suddenly makes the file forbidden. How can I force visitors to use https only?

Change the rewrite rules to this:

I put your code directly into an .htaccess file in the directory i want to host https and visited the page and got Forbidden - You don't have permission to access /webmail/ on this server.

I remove the htaccess file and can see the page just fine. wtf?

Take a look at apache error_log to see what the problem is.

Most likely are two possible errors:

- The User the server is running with has no rights to read the .htaccess file
- There is a syntax error in your .htaccess file

both would result in the server bailing out an 401 error

The servers error log would give you the answer, if you have no access to it, try uploading an empty .htaccess, if you still get an 401 its almost definitely the access rights

The htaccess file is 644. i even tried adding apache as group:
The problem is not lack of permission to read the file.

As for syntax errors - you see the code right here in this thread. I have tried both verbatim and they don't work.

I checked the error log, i believe this is what is being reported:
What the heck does that mean?

Addin .htaccess to see if it works

And if that does not work, you have to change httpd.conf file. There should be a <Directory "/path/to/your/http_root"> Tag somewhere, and within it an "AllowOverride" rule, which you will need to change from "None" to "All".

But two things to be aware of:

- this will allow the .htaccess files to override any configuration given in the apache conf files regarding the directory they are put in. This should not be a problem if you are the only one with access to the webservers filesystem

- On high load servers using .htaccess files will come with some performance penalties as the server has to check and iterate through every single htaccess file recursively every time a client connects.
(Though you should consider putting the redirect rule directly into the <directory> tag within the servers conf file)

Hope that helped a bit

Most definitely! Thanks!

OK dang I'm having another problem now. I've got one particular folder which must be both HTTPS and also needs password protection (it's *very* sensitive!). The problem I'm having is that the user is prompted for a password from the http version of the page and then PROMPTED AGAIN the user is redirected to the https version of the page.

So the entire folder of mydomain.com/foo must be https! To that end I have created the file /etc/httpd/conf.d/foo.conf which contains the following:
This code works great (thanks for all the help) except that there is a subfolder of foo that is for ADMINS ONLY and is found at mydomain.com/foo/admin . The actual folder containing the admin files has an .htaccess file containing this:
In short, a visit to http://mydomain.com/foo/admin will prompt you for a password. Once you enter a password it redirects to https://mydomain.com/foo/admin where you get prompted for the password again.

Can anyone help me figure *this one* out?

Its no wonder the Webserver asks you twice for the correct login, because here is what happens:
1.) You try a GET via http..
2.) ...which will make your Webserver promt for a username/pwd (because access is restricted)
3.) after correctly authenticating all the GET (which you are now allowed to do) is telling you to go look at https
4.) now your Browser tries a GET at HTTPS but guess what the webserver is telling him?
5.) correct! You need to authenticate before you can do that
6.) and after doing that you finally get the document


So you want you whole site only be able to be visited via https and no http at all, and when someone comes with http he should be directed to the https am I correct? Or does only the foo directory need https?

Either way I would create two http roots, one for http, which only serves the purpose of redirecting the user to the correct https document, and one for https that actually serves the pages (would be much cleaner that way I guess because you wouldn't have to worry about your configuration messing with the redirect rules)

Oh, by the way, which Distro do you happen to use?

i thought it might be fair to assume that there's some order in which statements are evaluated. like maybe the rewrite engine would be evaluated before the server actually bothers to go check the .htaccess file you know what i mean?

sadly, most of the site is just plain old http. there are 3 or 4 admin type interfaces which i need to be hosted https to avoid clear-text transmission of sensitive passwords. in one particular subdirectory, the one i'm working with now (call it http://mydomain.com/foo/admin), the pages need to be password protected but the underlying PHP pages have no means of authenticating themselves so i must rely on apache authentication to protect that folder with a password requirement. i DO NOT want the parent folder (http://mydomain.com/foo) to require any password auth at all.

i'm not really sure what you are suggesting. the need for https is scattered rather arbitrarily throughout my site. There's a shopping cart type thing, a webmail interface, webstats, a phpmyadmin, etc. In some cases I can force https or password auth through php...in this one case I cannot.