Redirect to https before basic Auth


Some directories need to redirect to https before you check auth, otherwise people are typing in their passwords in clear text before they are redirected. Which would SUUUUuuuUUUuck.

So, for Apache > 2.4, use configuration sections, and redirect before authenticating.

# Redirect to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
# Authenticate users only when using HTTPS
<If "%{HTTPS} == 'on'">
    AuthType Basic
    AuthName "Yep, you need to provide a password."
    AuthUserFile /etc/path/to/htpasswd.file
    # this is so the next 'Require' directive doesn't override any merged previously
    AuthMerging And
    Require valid-user


… but yours is the first one which is working, thank you very much.

Very welcome!

... for the first connect. But since i rewrite the http i have to do the authentification again if i go back from a sub-folder to the protected mail-folder. :(

If you are having to reauthenticate, consider how you have set up your .htpasswd files, where and with what realm. I'd argue they are not set up correctly if you have to reauthenticate many times.

Add new comment

Plain text

  • No HTML tags allowed.
  • Lines and paragraphs break automatically.