mod_rewrite to force https

sneakyimp · 01-03-2010, 04:59 PM

I have a folder that is password protected. I want to be certain that passwords, when entered, are encrypted. I have therefore set up a mod_rewrite rule to check for https and, if not found, then redirect. The problem is that I'm being prompted twice for the password and the first time it's over plain http. Here's the .htaccess file in the directory named 'folder':

Code:

# force HTTPS for bookstore folder - this doesn't work
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/folder [R=301,L]

AuthType Basic
AuthName "secret place"
AuthUserFile "/home/mydomain/passwd"
require valid-user

I was under the impression that the mod_rewrite code, because it appears first in the .htaccess file. Any tips here?

bathory · 01-03-2010, 06:03 PM

Hi,

You have to add:

Code:

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.domain.com"
ErrorDocument 403 https://www.domain.com

inside the <Directory /path/to/apache/ssl/folder> definition for the ssl host (assuming that the above is the path you want to redirect your users).
Take a look here for a more detailed explanation.

Regards

sneakyimp · 01-03-2010, 06:59 PM

THANKS. I believe this is doing what I want. Let me see if I understand this.

q1: These directives are only allowed when you have mod_ssl installed, correct?

q2: These directives are all permissible in an .htaccess file context (which is where I've added them) ?

Code:

SSLOptions +StrictRequire

I don't fully understand the text describing this directive, but think I understand that it forbids access if the SSLRequire or SSLRequireSSL directives' conditions are not met.

Code:

SSLRequireSSL

This directive requires SSL to be in effect for ALL requests in the current directory and its subdirectories.

Code:

SSLRequire %{HTTP_HOST} eq "www.domain.com"

This directive requires that the HTTP_HOST value *must be* www.domain.com and nothing else. Is it case sensitive?

Code:

ErrorDocument 403 https://www.domain.com

I don't really know what this is doing. Is it somehow connected to the other 3 statements?

bathory · 01-04-2010, 12:37 AM

Quote:

q1: These directives are only allowed when you have mod_ssl installed, correct?

I don't understand what you mean. If you want to use SSL, then you need mod_ssl.

Quote:

q2: These directives are all permissible in an .htaccess file context (which is where I've added them) ?

Yes, they can be used in .htaccess

SSLOptions is like the Options in plain apache, so what "SSLOptions +StrictRequire" does, is to enable StrictRequire. On the other hand StrictRequire means that access is forbidden if the following 2 "require" directives are not satisfied. I think that the domain name should be case insensitive.

Quote:

ErrorDocument 403 https://www.domain.com

I guess this is used, so if you get a 403 error (Forbidden) from the above 2 "require" directives, you still stay in https.