Properly force SSL with .htaccess, no double authentication

Posted by cwd on Server Fault. Published on 2011-01-29T05:03:02Z, indexed on 2011/01/29 7:28 UTC.


I'm trying to force SSL with .htaccess on a shared host. This means I only have access to .htaccess and not the vhosts config. I know you can put a rule in the VirtualHost config file to force SSL which will be picked up there (and acted upon first), preventing double authentication, but I can't get to that. Here's the progress I've made:

Config 1

This works pretty well but it does force double authentication if you visit http://site.com - once for http and then once for https. Once you are logged in, it automatically redirects http://site.com/page1.html to the https counterpart just fine:

# Send any plain-HTTP request to the same path over HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


# Canonicalise the host name to www.site.com, keeping the requested path
# (%{REQUEST_URI} carries the leading slash that per-directory rewrites strip
# from the pattern match)
RewriteCond %{HTTP_HOST} !^www\.site\.com$
RewriteRule ^ https://www.site.com%{REQUEST_URI} [R=301,L]


# Basic authentication for everything under this directory
AuthName "Locked"
AuthUserFile "/home/.htpasswd"
AuthType Basic
Require valid-user

Config 2

If I add this to the top of the file, it works a lot better in that it will switch to SSL before prompting for the password:

# Refuse non-SSL requests (and requests for the wrong host) with a 403
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "site.com"
# A full URL as the error document makes Apache answer the 403 with a
# redirect to that fixed URL, so the originally requested path is not kept
ErrorDocument 403 https://site.com

It's clever how it will use the SSLRequireSSL option and the ErrorDocument 403 to redirect to the secure version of the site. My only complaint is that if you try to access http://site.com/page1.html it will redirect to https://site.com/

So it is forcing SSL without a double-login, but it is not properly forwarding non-SSL resources to their SSL counterparts.

Regarding the first config, Insyte mentioned: "using mod_rewrite to perform a simple redirect is a bit of overkill. Use the Redirect directive instead. It's possible this may even fix your problem, as I believe mod_rewrite rules are some of the last directives to be processed, just before the file is actually grabbed from the filesystem".

I have had no such luck finding a force-ssl config option with the Redirect directive and so have been unable to test this theory.
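An added example, not from the post or its answers, of how I would do this from .htaccess on Apache 2.4 (RequireAny and Require expr do not exist in 2.2): the plain-HTTP leg is authorized without a credential prompt and left to mod_rewrite, which runs after authentication and bounces it to the HTTPS counterpart with the path intact, so the browser is challenged only once, on the HTTPS request. Assumed: the www.site.com host and /home/.htpasswd path from the post, mod_rewrite, mod_ssl, mod_authn_file and mod_authz_core loaded, and AllowOverride covering FileInfo and AuthConfig.

```apache
# .htaccess for Apache 2.4+ (added example; host name, password file and
# loaded modules are assumptions, see the text above)

RewriteEngine On

# Redirect every plain-HTTP or non-canonical-host request to the same path
# on https://www.site.com. Per-directory rewrites run in the fixup phase,
# i.e. after authentication, which is why config 1 above prompts twice.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^www\.site\.com(:[0-9]+)?$
RewriteRule ^ https://www.site.com%{REQUEST_URI} [R=301,L]

AuthType Basic
AuthName "Locked"
AuthUserFile "/home/.htpasswd"

# Requirements that need no user are checked before authentication.
# Granting the plain-HTTP leg here means Apache never sends a 401 on it;
# mod_rewrite then redirects it, and only the HTTPS request gets the prompt.
# (https://site.com, being a different origin, still prompts once before
# the www redirect; widen the expression only if that matters.)
<RequireAny>
    Require expr "%{HTTPS} != 'on'"
    Require valid-user
</RequireAny>

# Caveat: the HTTP leg is protected only by the redirect. If the rewrite
# rules are not applied (e.g. AllowOverride without FileInfo), plain-HTTP
# requests would be served without credentials. Verify with
#   curl -sI http://www.site.com/page1.html
# that the reply is a 301 to https://www.site.com/page1.html with no
# WWW-Authenticate header, and that the HTTPS URL answers 401.
```

If SSL is terminated by a proxy in front of the shared host, %{HTTPS} will be "off" for every request and this configuration would loop; check the redirect with curl before relying on it.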
