How do I force .htaccess authorization to occur over ssl?

Posted by kenja on Server Fault See other posts from Server Fault or by kenja
Published on 2010-03-22T04:57:44Z Indexed on 2012/10/28 23:06 UTC
Read the original article Hit count: 370

Filed under:
|

I'm trying to force a particular directory to require only allowed IPs and a valid username/password through basic authorization. To ensure that the username/password are sent in encrypted form, I want the directory to also force SSL use. Here is what I have in my .htaccess file:

# Force HTTPS-Connection
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*)  https://www.mywebsite.com%{REQUEST_URI} [R,L]

## password begin ##
AuthName     "Restricted Access"
AuthUserFile /var/www/admin/.htpasswd
AuthType     Basic
Require valid-user
Order deny,allow
Deny from all
Allow from 79.1.231.151 62.123.134.83
Satisfy All

Unfortunately, when I access that directory using http protocol, it is asking for the password before it redirects the page to the secure version. This means the password is sent unencrypted. What am I doing wrong? Is there a way to do this?

© Server Fault or respective owner

Related posts about apache2

Related posts about .htaccess