Redirect to https before basic Auth
Snippet
Written with a loving hand by kitt some time around 23:09 on 22 August 2015
Some directories need to redirect to https before you check auth, otherwise people are typing in their passwords in clear text before they are redirected. Which would SUUUUuuuUUUuck.
So, for Apache > 2.4, use configuration sections, and redirect before authenticating.
    # Redirect to HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

    # Authenticate users only when using HTTPS
    <If "%{HTTPS} == 'on'">
        AuthType Basic
        AuthName "Yep, you need to provide a password."
        AuthUserFile /etc/path/to/htpasswd.file
        # this is so the next 'Require' directive doesn't override any merged previously
        AuthMerging And
        Require valid-user
    </If>
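To confirm the ordering after deploying the snippet, look at the first response to an unauthenticated plain-HTTP request: it should be a redirect to https, never a 401 challenge. The check below is an added example, not part of the original post; the host `example.test`, the path `/mail/`, the result labels and the sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


def classify(status, headers):
    """Classify the first response to an unauthenticated plain-HTTP request."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECTS:
        # Only an absolute https:// target counts as a redirect to HTTPS.
        if urlsplit(h.get("location", "")).scheme == "https":
            return "ok"
        return "bad-redirect"
    if status == 401 and "www-authenticate" in h:
        # The browser would answer this challenge with the password in clear text.
        return "cleartext-challenge"
    if status == 200:
        # The snippet's auth directives sit inside <If HTTPS on>, so if the
        # rewrite is not active, plain HTTP gets no auth challenge from them.
        return "served-without-auth"
    return "inconclusive"


def probe(host, path, port=80, timeout=5):
    """Send one HEAD request over plain HTTP; redirects are not followed."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


# Constructed sample responses (status, headers); not captured from a real server.
SAMPLES = {
    "redirect-first": (302, {"Location": "https://example.test/mail/"}),
    "challenge-first": (401, {"WWW-Authenticate": 'Basic realm="Yep"'}),
    "redirect-to-http": (302, {"Location": "http://example.test/mail/"}),
    "no-redirect": (200, {"Content-Type": "text/html"}),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(f"{name}: {classify(status, headers)}")
```

Against a live server, call `probe("your.host", "/protected/path/")` and expect `ok`.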
Comments
tried a lot of different 'solutions' …
… but yours is the first one which is working, thank you very much.
Very welcome!
works fine...
... for the first connect. But since I rewrite the HTTP, I have to do the authentication again if I go back from a sub-folder to the protected mail-folder. :(
The browser should remember your auth
If you are having to reauthenticate, consider how you have set up your .htpasswd files, where and with what realm. I'd argue they are not set up correctly if you have to reauthenticate many times.