hi, i have a situation and i am trying to figure out how to handle it. i have a webserver and domain i use. on said domain i have a webdav server that i use for a lot of stuff. the way i have it set up is i have a https://hostanme.domain.com/dav-site that is the domain to connect to my dav server. that is password protected but when you put in http://hostname.domain.com/dav-site, it is allowing the browser through.

what i am trying to do is stop that so people cannot get to my dav site without a password. what i figured is one of two ways, the first...

and the second is to use mod-rewrite which i have not used that much. i cannot get the above redirect working though and so i am hoping someone can give me a little advice as to the best way to deal with this and how...

thanks

What you mean by that? Isn't the http site redirecting to the https site?

You can also use mod_rewrite if you want:

so, when i go to...

https://www.hostname.domain.com/webdav - it challenges me for the user/p-word like it should.

when i hit...

http://www.hostname.domain.com/webdav - it lets me through to the webdav site without any password challenge.

when i looked at apaches website they said you should not use mod_rewrite for something so trivial but the redirect is not working either.

Hi,

I'm still learning more about this myself so I may be wrong and hopefuly someone else can correct me if so but looking at your permanent redirect in the conf file, your document root is

Your permanent redirect is looking for the sites old location in / so if im correct your re-direct should look something like this maybe?

I hope this helps
Steven

hi stevne, i appreciate the response but document root tells simply where your websites initial page lies. in a redirect statement, it is all but useless if you have the rest of the site coded properly which at this point i am thinking i might not. and document root is defined already somewhere in your httpd.conf file so it would be unnecessary to define it twice.

the redirect statement tells apache from the document root, what website location to redirect and to where. so you combine the document root and the first part of the redirect to tell apache which directories or queries to redirect where...

so in the example i posted, redirect permanent "/" "https://blah", redirects your entire website from insecure http to secure https.

my issue is that i have a website which is fine where it is but i am trying to redirect part or the "backend" of my website, the dav directory, from http to https. when put into the browser https, it asks for the pass... fine however as i just discovered, when i put in http... it does not challenge me with anything. i want to prevent http requests from getting through unchallenged however that is where i am running into issues.

i am not entirely sure how mod_rewrite works but what i read on the apache website is that it is over-kill using that so i should use that route however it is not working and i am trying to figure out why.

Does http -> https work? It should work, so if it doesn't, clear your browser cache, or use another browser to test.
BTW, in your config snippet, you use the "redirect permanent" in the mysite.example.com vhost, but in your requirement you say you want http://hostname.domain.com/dav-site -> https://hostname.domain.com/dav-site. I guess that hostname.domain.com is the same as mysite.example.com, or else it's not going to work.


I agree that mod_rewrite is too much if you want to redirect all of your http site to https

okay, i think i fingered this out now. the issue, *i believe but am not 100 sure* is that i wrote my httpd page and made a few errors in the way it was laid out. first i put the alias statement within the virtual host. i am not sure that is a big deal but.

second for security purposes i wrote inside the virtual host tag, a directory directive and a location directive. from my readings i you were supposed to leave the directory one less strict. then the location one i wrote with the dav stuff. i think the two were conflicting a bit and when i hit http it would allow it through by the directory directive and when i hit https it would force the password prompt.

so i dropped the location directive since i am not 100% sure how it works and i put the dav stuff into the directory directive and put a redirect above it inline and it seems to be working 100%. the http now redirects to the https and prompts for password...awesome!!

thanks for the help...