How do I force .htaccess authorization to occur over ssl?
Posted
by
kenja
on Server Fault
See other posts from Server Fault
or by kenja
Published on 2010-03-22T04:57:44Z
Indexed on
2012/10/28
23:06 UTC
Read the original article
Hit count: 367
I'm trying to force a particular directory to require only allowed IPs and a valid username/password through basic authorization. To ensure that the username/password are sent in encrypted form, I want the directory to also force SSL use. Here is what I have in my .htaccess file:
# Force HTTPS-Connection
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://www.mywebsite.com%{REQUEST_URI} [R,L]
## password begin ##
AuthName "Restricted Access"
AuthUserFile /var/www/admin/.htpasswd
AuthType Basic
Require valid-user
Order deny,allow
Deny from all
Allow from 79.1.231.151 62.123.134.83
Satisfy All
Unfortunately, when I access that directory using http protocol, it is asking for the password before it redirects the page to the secure version. This means the password is sent unencrypted. What am I doing wrong? Is there a way to do this?
© Server Fault or respective owner