Require SSL and Apache authentication

I wanted to password-protect a website and require SSL for that website. That all worked perfectly, except when users would browse to they would be provided with a 302 error page. Here were my options set in the <Directory> section for that site.

AuthName "Restricted Access"
AuthType Basic
AuthUserFile "/path/to/htpasswd/file/users"
Require valid-user
RewriteEngine on
RewriteBase /
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

With the settings above, the SSLRequireSSL option takes precedence over the other option because SSL negotiations are done before Apache negotiations, so I was getting an Apache error page 302.

Some users wouldn’t realize from the error page to add https:// to the URI. So I tried setting up a redirect from to

I commented out the SSLRequireSSL and tried again. Now when I browsed to I would get prompted for username and password but the site still didn’t have so the usernames and passwords were being submitted via clear text.

Wanting to require SSL and have the redirect work before the user enters their credentials, I got it to work by adding the following to the <Directory> directive.

SSLOptions +StrictRequire
ErrorDocument 403

This causes the SSLRequireSSL to be processed first and upon the 403 page it would typically serve, Apache redirects to the secure site and then prompts for the user credentials.
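
The final configuration described above, assembled into one block as an added example (not the author's original file). The directory path and the `https://www.example.com/` redirect target are placeholders, and the block is assumed to apply to the site's content on both the plain-HTTP and the SSL virtual host.

```apache
# Added example; path and host name are placeholders.
<Directory "/var/www/example">
    # Refuse any request for this directory that did not arrive over SSL/TLS.
    SSLRequireSSL

    # Keep that refusal in force even if a "Satisfy any" elsewhere would
    # otherwise let another passing access check override it.
    SSLOptions +StrictRequire

    # A plain-HTTP request is refused with 403 before any password prompt.
    # Giving ErrorDocument a full URL makes Apache answer with a redirect
    # to that URL instead of serving the local 403 page.
    ErrorDocument 403 https://www.example.com/

    # Basic authentication, reached only once the request is on HTTPS,
    # so the credentials are never sent in clear text.
    AuthName "Restricted Access"
    AuthType Basic
    AuthUserFile "/path/to/htpasswd/file/users"
    Require valid-user
</Directory>
```

To check the result, request the plain-HTTP URL with `curl -I`: the response should be a redirect with a `Location:` header pointing at the HTTPS site and should carry no `WWW-Authenticate` header.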
