Some directories need to redirect to https before you check auth, otherwise people are typing in their passwords in clear text before they are redirected. Which would SUUUUuuuUUUuck.
So, for Apache > 2.4, use configuration sections, and redirect before authenticating.