Redirect to https before basic Auth
Snippet
kitt decided around 23:09 on 22 August 2015 to publish this:
Some directories need to redirect to https before you check auth, otherwise people are typing in their passwords in clear text before they are redirected. Which would SUUUUuuuUUUuck.
So, for Apache > 2.4, use configuration sections, and redirect before authenticating.
# Redirect to HTTPS RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L] # Authenticate users only when using HTTPS <If "%{HTTPS} == 'on'"> AuthType Basic AuthName "Yep, you need to provide a password." AuthUserFile /etc/path/to/htpasswd.file # this is so the next 'Require' directive doesn't override any merged previously AuthMerging And Require valid-user </If>
Comments
tried a lot of different 'solutions' …
… but yours is the first one which is working, thank you very much.
Very welcome!
Very welcome!
works fine...
... for the first connect. But since i rewrite the http i have to do the authentification again if i go back from a sub-folder to the protected mail-folder. :(
The browser should remember your auth
If you are having to reauthenticate, consider how you have set up your .htpasswd files, where and with what realm. I'd argue they are not set up correctly if you have to reauthenticate many times.
Add new comment