1

I am attempting, as many people on the internet have done successfully, to force HTTPS on my website, but before the Basic Authentication dialogue window appears. I have attempted the two main ways of doing this, including the "FilesMatch" solution and the "ErrorDocument" solution. The former resulted in an Internal Server Error and the latter caused a redirect loop issue. Here is what I have so far (trying to get the Error Document solution to work):

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

SSLRequireSSL 
ErrorDocument 403 https://website.com/private/https.php

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /srv/users/serverpilot/apps/intranet/public/.htpasswd
Require valid-user

The https.php file is simply:

<?php
header("LOCATION: /");
exit();

My server is running Apache 2.2 and the redirect works after you've authenticated. What am I doing wrong?

2 Answers

3

Your http redirect should be set up on your port 80 virtual host, whilst your authentication configuration should only be added to your port 443 virtual host.

For example:

<VirtualHost *:80>
   ServerName www.server.com
   DocumentRoot /var/www/site

   <Directory /var/www/site>
      RewriteEngine On
      RewriteCond %{HTTPS} !=on
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
   </Directory>
</VirtualHost>

<VirtualHost *:443>
   ServerName www.server.com
   DocumentRoot /var/www/site

   <Directory /var/www/site>
      Options FollowSymLinks MultiViews
      AllowOverride none
      Require all granted
   </Directory>

   <Location />
      AuthType Basic
      AuthName "Password Protected Area"
      AuthUserFile /srv/users/serverpilot/apps/intranet/public/.htpasswd
      Require valid-user
   </Location>
</VirtualHost>

Actually, having thought about it, because we know that all port 80 (non-https) accesses are to be redirected, we can simply do that more directly like this:

<VirtualHost *:80>
   ServerName www.server.com
   # Trailing slash on the target: Redirect appends the rest of the request path to it
   RedirectPermanent / https://www.server.com/
</VirtualHost>

Then just use the port 443 virtual host as above.

To achieve something similar using only .htaccess settings this works:

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.server.com"

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /var/www/site/.htpasswd
Require valid-user

ErrorDocument 403 https://www.server.com/
ErrorDocument 404 https://www.server.com/

The major downside to this is that you'll always be redirected to the home page (or wherever your ErrorDocument directives point to). The Apache website mentions (see here) that you can use a script as your ErrorDocument and that it is passed the original request URI, although when I tried this on Apache 2.4 it didn't seem to work that way.

Also, any settings in the main VirtualHost configuration might mess with this approach. Unfortunately .htaccess is quite restricted in comparison to the main server configuration.

The only other thing I can suggest is that if you don't need the whole site to be secured, you could set up your authorisation directives in another .htaccess file in a sub-directory.

Check out this site for some really good information on using .htaccess files.

9 Comments

Added an example as requested
Thanks for the response, Alan! However, I'd really prefer a solution through htaccess as I'm not sure I even have control over my virtual hosts.... Is there a way to do this through htaccess?
Added more info on a .htaccess solution as requested
Thanks for the htaccess update! I tried adding it, but now I'm getting a redirect loop error again :( Any ideas?
Hmm... that worked for me. Did you just add the .htaccess from my answer or do you still have your rewrite directives in there?
0

I do not know if you have since sorted the problem or whether this will help, but the following is what I use on my development machine to ensure https is used throughout the site I'm working on.

These two lines are in the .htaccess at root level of the site. The configuration in the main httpd.conf is considerably more complex, but that just sets particular options for SSL within the admin area and doesn't affect non-admin areas, so I know this works (whether it will for you I cannot say).

The admin area currently uses basic authentication after I did away with digest auth ~ though it all worked fine with that also.

I do not use an error document as you do above to redirect as the lines below ensure https - hope it helps!

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R,L]
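
A way to check any of the configurations above from the outside, as an added example that is not part of the question or either answer: it follows the redirect chain one hop at a time and flags a Basic Auth challenge served over plain HTTP or a redirect loop. The function names and the sample responses are constructed for illustration; www.server.com is the placeholder host used in the first answer.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def live_fetch(url):
    """Fetch one URL without following redirects; return (status, headers)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    try:
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def audit(start_url, fetch=live_fetch, max_hops=10):
    """Follow the redirect chain hop by hop and return a list of findings."""
    findings, seen, url = [], set(), start_url
    for _ in range(max_hops):
        if url in seen:
            findings.append(("redirect-loop", url))
            break
        seen.add(url)
        status, headers = fetch(url)
        if status == 401 and urlsplit(url).scheme == "http":
            # A browser would prompt here and send the password unencrypted.
            findings.append(("auth-challenge-over-http", url))
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            url = urljoin(url, headers["location"])
            continue
        findings.append(("final", f"{status} {url}"))
        break
    else:
        findings.append(("too-many-redirects", url))
    return findings

# Constructed responses (not captured from a real server), keyed by URL.
BASIC = {"www-authenticate": 'Basic realm="Password Protected Area"'}
REDIRECT_FIRST = {  # port 80 only redirects; auth lives on port 443
    "http://www.server.com/private/": (301, {"location": "https://www.server.com/private/"}),
    "https://www.server.com/private/": (401, BASIC),
}
AUTH_FIRST = {  # auth directives also apply to plain HTTP
    "http://www.server.com/private/": (401, BASIC),
}
LOOP = {  # an error document that keeps redirecting to itself
    "http://www.server.com/private/": (302, {"location": "https://www.server.com/"}),
    "https://www.server.com/": (302, {"location": "https://www.server.com/"}),
}
```

Pass a table's `__getitem__` as `fetch` to replay the constructed cases, or call `audit()` with only a URL to test a live server.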
