: Properly force SSL with .htaccess, no double authentication I'm trying to force SSL with .htaccess on a shared host. This means there I only have access to .htaccess and not the vhosts config.
I'm trying to force SSL with .htaccess on a shared host. This means there I only have access to .htaccess and not the vhosts config. I know you can put a rule in the VirtualHost config file to force SSL which will be picked up there (and acted upon first), preventing double authentication, but I can't get to that. Here's the progress I've made:
Config 1
This works pretty well but it does force double authentication if you visit site.com - once for http and then once for https. Once you are logged in, it automatically redirects site.com/page1.html to the https coutnerpart just fine:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ %{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteEngine on
RewriteCond %{HTTP_HOST} !(^www.site.com*)$
RewriteRule (.*) www.site.com [R=301,L]
AuthName "Locked"
AuthUserFile "/home/.htpasswd"
AuthType Basic
require valid-user
Config 2
If I add this to the top of the file, it works a lot better in that it will switch to SSL before prompting for the password:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "site.com"
ErrorDocument 403 site.com
It's clever how it will use the SSLRequireSSL option and the ErrorDocument403 to redirect to the secure version of the site. My only complaint is that if you try and access site.com/page1.html it will redirect to site.com/
So it is forcing SSL without a double-login, but it is not properly forwarding non-SSL resources to their SSL counterparts.
Regarding the first config, Insyte mentioned "using mod_rewrite to perform a simple redirect is a bit of overkill. Use the Redirect directive instead. It's possible this may even fix your problem, as I believe mod_rewrite rules are some of the last directives to be processed, just before the file is actually grabbed from the filesystem"
I have not had no such luck on finding a force-ssl config option with the redirect directive and so have been unable to test this theory.
More posts by @Murphy175
3 Comments
Sorted by latest first Latest Oldest Best
I had the same issue, and I use this now:
AuthType Basic
AuthName "Protected area"
# your auth provider setup here
Require expr "%{ENV:HTTPS} !~ /on/i"
Require valid-user
RewriteEngine On
# Redirect alias to preferred hostname
RewriteCond expr "! %{HTTP_HOST} -strmatch '%{SERVER_NAME}'"
RewriteRule ^ %{SERVER_NAME}%{REQUEST_URI} [L,R=301]
# Redirect to RewriteCond expr "%{ENV:HTTPS} !~ /on/i"
RewriteRule ^ %{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Basically it grants access if is used, but redirects all requests to in this case.
I use "%{ENV:HTTPS} !~ /on/i" because I found some systems (e.g. behind SSL terminating proxies) don't set HTTPS to "off" as apache does with , or set it to "on" instead of "On" with . I also added the redirect to the SERVER_NAME, in case somebody wants it. I don't have a certificate for all my legacy aliases, so it is essential to redirect to the default hostname first in this case.
This works perfect for what I'm trying to do, I have some PHP based admintools in respective directories under /admin/, in /admin/.htaccess I have listed:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.example.com"
ErrorDocument 403 www.example.com/admin/
AuthName "Enter your credentials"
AuthType Basic
AuthUserFile /etc/httpd/passwd/passwordfile
Require user valid-user
when going to non-secure example.com/admin it redirects it to secure example.com/admin, then prompts for authentication.
If you have server-side execution such as php or cgi, then set your ErrorDocument to a file that does not require authentication. This file should redirect the client to the proper location. Apache will set several REDIRECT_ - prefixed environment variables to help you out, and the original environment is preserved -- see httpd.apache.org/docs/trunk/custom-error.html.
In your .htaccess, do as your second example above, but make the ErrorDocument an internal document:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "site.com"
ErrorDocument 403 /err_redirect.php
AuthName "Locked"
AuthUserFile "/home/.htpasswd"
AuthType Basic
require valid-user
<Files /err_redirect.php>
AuthType none
</Files>
Then, in that error document, send the appropriate HTTP status and Location header. Here's a simple example in php:
<?php
header("Location: . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
?>
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.